Go / go-chi Cache Deception

cache_deception.go

package main

import (
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware"
)

func main() {
	r := chi.NewRouter()
	r.Use(middleware.Logger)
	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("welcome"))
	})
	http.ListenAndServe(":3000", r)
}

cache_deception_rule.yaml

rules:
  - id: detect-regex-path-star-gochi
    patterns:
      - pattern-either:
          - pattern: $Y.Get(..., $X, ...)
          - pattern: $Y.Post(..., $X, ...)
          - pattern: $Y.Put(..., $X, ...)
          - pattern: $Y.Delete(..., $X, ...)
          - pattern: $Y.Patch(..., $X, ...)
      - pattern-inside: |
          import "github.com/go-chi/chi/v5"
          ...
      - metavariable-pattern:
          metavariable: $X
          patterns:
            - pattern-regex: /\*[\w\s]*
    message: Avoid using '/path*' regex pattern in Go-Chi.
    languages:
      - go
    severity: WARNING
metadata:
    category: security
    cwe: "CWE-525: Use of Web Browser Cache Containing Sensitive Information"
    subcategory: [audit]
    confidence: HIGH
    impact: HIGH
    technology: [golang, go-chi]
    description: "`Golang Go-Chi` Possible Web Cache Deception"