Skip to content

Latest commit

 

History

History
87 lines (69 loc) · 7.87 KB

threat-modeling.md

File metadata and controls

87 lines (69 loc) · 7.87 KB

Threat Model Analysis for zeromicro/go-zero

Threat: goctl Template Injection

  • Threat: goctl Template Injection

    • Description: An attacker gains access to the goctl template files (either locally on a developer's machine or in a shared repository) and modifies them to inject malicious code. This code will then be included in all subsequently generated services, giving the attacker control over the application's core logic. The attacker might achieve this through compromised developer credentials, a supply chain attack on the template repository, or exploiting a vulnerability in a CI/CD system.
    • Impact: Complete compromise of the application. The attacker can steal data, modify data, disrupt service, or use the application as a launchpad for further attacks.
    • Affected Component: goctl code generation tool and its template files.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Store goctl templates in a secure, version-controlled repository with strict access controls and audit logging.
      • Implement cryptographic checksums (e.g., SHA-256) for templates and verify them before each use of goctl.
      • Use a dedicated, hardened build server for code generation, separate from developer workstations.
      • Regularly audit template repositories for unauthorized changes.
      • Implement multi-factor authentication for access to template repositories.

Threat: Unauthenticated zRPC Calls

  • Threat: Unauthenticated zRPC Calls

    • Description: An attacker directly calls zRPC methods exposed by a service without providing valid authentication credentials. This bypasses any authentication checks implemented at the API gateway level. The attacker might discover the zRPC endpoints through network scanning or by analyzing the application's code. Because zRPC is a core component of go-zero's inter-service communication, this is a direct threat.
    • Impact: Unauthorized access to internal service functionality. This can lead to data breaches, unauthorized data modification, or denial of service.
    • Affected Component: zRPC server implementation (specifically, the lack of authentication middleware on zRPC endpoints). This is a direct go-zero component.
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement authentication middleware (provided by go-zero) on all zRPC endpoints.
      • Use strong authentication mechanisms, such as JWT (JSON Web Tokens) with appropriate claims and expiry.
      • Enforce the principle of least privilege: only grant the necessary permissions to each zRPC client.
      • Regularly review and update authentication configurations.

Threat: zRPC Data Exposure in Transit

  • Threat: zRPC Data Exposure in Transit

    • Description: An attacker intercepts zRPC communication between services because the communication is not encrypted using TLS. The attacker uses network sniffing tools to capture the data exchanged between services. Since zRPC is the core RPC mechanism of go-zero, this is a direct threat.
    • Impact: Loss of confidentiality. Sensitive data transmitted between services is exposed to the attacker.
    • Affected Component: zRPC client and server communication (lack of TLS configuration). This directly involves go-zero's zRPC implementation.
    • Risk Severity: High
    • Mitigation Strategies:
      • Enforce the use of TLS for all zRPC communication. go-zero provides built-in support for TLS.
      • Use strong TLS cipher suites and configurations (e.g., TLS 1.3 with modern ciphers).
      • Regularly update TLS certificates and ensure they are properly validated.
      • Use a trusted Certificate Authority (CA).

Threat: zRPC Denial of Service (DoS)

  • Threat: zRPC Denial of Service (DoS)

    • Description: An attacker floods a zRPC service with a large number of requests, overwhelming the service and making it unavailable to legitimate users. The attacker might exploit a lack of rate limiting or resource constraints on the zRPC server, which is a core part of go-zero.
    • Impact: Service unavailability. Legitimate users cannot access the service.
    • Affected Component: zRPC server implementation (lack of rate limiting and resource management). This is a direct go-zero component.
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement rate limiting middleware (provided by go-zero) on zRPC endpoints.
      • Configure appropriate timeouts for zRPC calls to prevent long-running requests from consuming resources.
      • Implement circuit breaking to prevent cascading failures.
      • Monitor zRPC service performance and resource usage to detect and respond to DoS attacks.
      • Use resource quotas to limit the resources consumed by each zRPC client.

Threat: Misconfigured API Gateway Middleware

  • Threat: Misconfigured API Gateway Middleware

    • Description: An attacker exploits a misconfiguration in the API gateway's middleware (e.g., authentication, authorization, CORS). For example, the authentication middleware might be disabled, the authorization middleware might have incorrect rules, or the CORS configuration might be too permissive. The attacker might send crafted requests that bypass security checks. The API gateway and its middleware are core go-zero components.
    • Impact: Varies depending on the misconfiguration. Can range from unauthorized access to data breaches to denial of service.
    • Affected Component: API gateway (rest package) middleware configuration. This is a direct go-zero component.
    • Risk Severity: High
    • Mitigation Strategies:
      • Thoroughly review and test all middleware configurations. Use a "deny by default" approach.
      • Ensure middleware is applied in the correct order (e.g., authentication before authorization).
      • Use a consistent and well-documented approach to middleware configuration.
      • Regularly audit middleware configurations for errors and vulnerabilities.
      • Use automated tools to validate middleware configurations.

Threat: Bypassing the API Gateway

  • Threat: Bypassing the API Gateway
    • Description: Although mitigation involves network configuration, the threat arises because go-zero structures applications with an API gateway. An attacker directly accesses backend services without going through the go-zero API gateway, bypassing all security controls implemented at the gateway. The attacker might discover the backend service addresses through network scanning or by analyzing the application's configuration.
    • Impact: Unauthorized access to backend services, potentially leading to data breaches, data modification, or denial of service.
    • Affected Component: Go-zero's architectural pattern of using an API gateway (rest package) in front of backend services. While the vulnerability might be in network configuration, the threat model is shaped by go-zero's design.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Use network segmentation (e.g., firewalls, VPCs) to prevent direct access to backend services from outside the trusted network.
      • Configure backend services to only accept requests from the API gateway (e.g., using mutual TLS authentication or IP whitelisting).
      • Implement authentication and authorization checks within the backend services themselves, even if they are accessed through the gateway (defense in depth).