go.lang.security.audit.crypto.bad_imports.insecure-module-used


The package net/http/cgi is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use net/http or a web framework to build a web application instead.


Definition

rules:
  - id: insecure-module-used
    # NOTE(review): the CVE number in this message looks like a typo for
    # CVE-2016-5386 (the httpoxy advisory covering Go's net/http/cgi);
    # confirm against the advisory before changing the message text.
    message: The package `net/http/cgi` is on the import blocklist.  The package is
      vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use
      `net/http` or a web framework to build a web application instead.
    # NOTE(review): the owasp/cwe/references/vulnerability_class entries below
    # describe cryptographic weaknesses and link to the sha3 docs, while the
    # rule matches calls into net/http/cgi (a request-handling/httpoxy issue
    # per the message). The metadata looks inherited from a sibling crypto
    # import rule — verify against the source rule and correct the taxonomy.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      source-rule-url: https://github.com/securego/gosec
      references:
        - https://godoc.org/golang.org/x/crypto/sha3
      category: security
      technology:
        - go
      confidence: MEDIUM
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - go
    severity: WARNING
    # Reports any call made through the `cgi` package identifier in a file
    # that imports "net/http/cgi"; the import line itself is not reported,
    # only the call sites. An aliased import presumably would not bind the
    # `cgi.` prefix — verify with a test case if that matters.
    pattern-either:
      - patterns:
          - pattern-inside: |
              import "net/http/cgi"
              ...
          - pattern: |
              cgi.$FUNC(...)

Examples

bad_imports.go

package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/rand"
	"crypto/rc4"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/cgi"
	"os"
)

// main1 serves a static directory through the CGI adapter. It is the
// positive test case for this rule: the annotated line calls into the
// blocklisted net/http/cgi package and must be reported.
func main1() {
	docs := http.FileServer(http.Dir("/usr/share/doc"))
	// ruleid: insecure-module-used
	cgi.Serve(docs)
}

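// main2 encrypts a fixed message with DES in CFB mode and prints the
// IV-prefixed ciphertext as hex. It is a negative test case for this rule:
// the annotated line uses a crypto package, not net/http/cgi, and must not
// be reported. DES is presumably kept here as input for sibling crypto
// rules; it is not a cipher to use in new code.
//
// Fixes over the original fixture: the DES key is now 8 bytes (des.NewCipher
// rejects any other length with a KeySizeError, so the former 7-byte key
// always panicked), and the result is printed with Printf so the %s verb is
// expanded instead of being echoed literally.
func main2() {
	// ok: insecure-module-used
	block, err := des.NewCipher([]byte("sekritz!")) // DES keys are exactly 8 bytes
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	// Output layout: [IV, one block][ciphertext]; the IV travels in the clear.
	ciphertext := make([]byte, des.BlockSize+len(plaintext))
	iv := ciphertext[:des.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	stream := cipher.NewCFBEncrypter(block, iv)
	stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext)
	fmt.Printf("Secret message is: %s\n", hex.EncodeToString(ciphertext))
}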

// main3 prints the MD5 digest of every command-line argument (os.Args[0]
// included) next to the argument itself. It is a negative test case for
// this rule: the annotated line uses crypto/md5, not net/http/cgi, and must
// not be reported.
func main3() {
	for i := 0; i < len(os.Args); i++ {
		arg := os.Args[i]
		// ok: insecure-module-used
		fmt.Printf("%x - %s\n", md5.Sum([]byte(arg)), arg)
	}
}

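// main4 encrypts a fixed message with RC4 and prints the ciphertext as hex.
// It is a negative test case for this rule: the annotated line uses
// crypto/rc4, not net/http/cgi, and must not be reported. RC4 is presumably
// kept here as input for sibling crypto rules; it is not a cipher to use in
// new code.
//
// Fixes over the original fixture: the result is printed with Printf so the
// %s verb is expanded (Println echoed the literal "%s"), and the local is no
// longer named `cipher`, which shadowed the imported crypto/cipher package.
func main4() {
	// ok: insecure-module-used
	c, err := rc4.NewCipher([]byte("sekritz")) // rc4 accepts keys of 1..256 bytes
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	ciphertext := make([]byte, len(plaintext))
	c.XORKeyStream(ciphertext, plaintext)
	fmt.Printf("Secret message is: %s\n", hex.EncodeToString(ciphertext))
}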

// main5 prints the SHA-1 digest of each command-line argument next to the
// argument. It is a negative test case for this rule: the annotated line
// uses crypto/sha1, not net/http/cgi, and must not be reported.
func main5() {
	args := os.Args
	for idx := range args {
		// ok: insecure-module-used
		fmt.Printf("%x - %s\n", sha1.Sum([]byte(args[idx])), args[idx])
	}
}