go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per "gorilla/websocket" documentation: "A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery."

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: websocket-missing-origin-check
    patterns:
      - pattern-inside: |
          import ("github.com/gorilla/websocket")
          ...
      - patterns:
          - pattern-not-inside: |
              $UPGRADER = websocket.Upgrader{..., CheckOrigin: $FN ,...}
              ...
          - pattern-not-inside: |
              $UPGRADER.CheckOrigin = $FN2
              ...
          - pattern: |
              $UPGRADER.Upgrade(...)
    message: 'The Origin header in the HTTP WebSocket handshake is used to guarantee
      that the connection accepted by the WebSocket is from a trusted origin
      domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF).
      As per "gorilla/websocket" documentation: "A CheckOrigin function should
      carefully validate the request origin to prevent cross-site request
      forgery."'
    languages:
      - go
    severity: WARNING
    metadata:
      category: security
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://pkg.go.dev/github.com/gorilla/websocket#Upgrader
      technology:
        - gorilla
      confidence: MEDIUM
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)

Examples

websocket-missing-origin-check.go

package main

import (
	"log"
	"net/http"

	"github.com/gorilla/websocket"
)

var upgrader = websocket.Upgrader{
	CheckOrigin: func(r *http.Request) bool {
		return true
	},
	ReadBufferSize:  1024,
	WriteBufferSize: 1024,
}

var upgrader2 = websocket.Upgrader{
	ReadBufferSize:  1024,
	WriteBufferSize: 1024,
}

func handler_check_origin(w http.ResponseWriter, r *http.Request) {
	// ok: websocket-missing-origin-check
	conn, err := upgrader.Upgrade(w, r, nil)
	if err != nil {
		log.Println(err)
		return
	}
}

func handler_check_origin2(w http.ResponseWriter, r *http.Request) {
	upgrader2.CheckOrigin = func(r *http.Request) bool { return true }
	// ok: websocket-missing-origin-check
	conn, err := upgrader2.Upgrade(w, r, nil)
	if err != nil {
		log.Println(err)
		return
	}
}

func handler_doesnt_check_origin(w http.ResponseWriter, r *http.Request) {
	// ruleid: websocket-missing-origin-check
	conn, err := upgrader2.Upgrade(w, r, nil)
	if err != nil {
		log.Println(err)
		return
	}
}