Go / gofiber Cache Deception

cache_deception.go


package main

import (
    "fmt"
    "log"

    "github.com/gofiber/fiber/v2"
)

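// main wires up three demo routes and serves them on :3000. The routes are
// deliberately permissive: they are the example the accompanying Semgrep rule
// (cache_deception_rule.yaml, CWE-525) is meant to flag, so the patterns are
// kept as-is and only documented here.
func main() {
    app := fiber.New()

    // GET /api/register
    // "/api/*" is a wildcard route: it matches every path below /api, including
    // paths that end in a static-looking suffix. If a cache sits in front of the
    // app and decides cacheability from the suffix, a response intended for one
    // user can be stored and served to others — this is the shape the Semgrep
    // rule reports. Mitigation (not applied here, to keep the example intact):
    // route exact paths only and/or send "Cache-Control: no-store" on such
    // responses.
    app.Get("/api/*", func(c *fiber.Ctx) error {
        // Constant text needs no fmt.Sprintf (staticcheck S1039); the handler
        // ignores the wildcard segment and always returns the same body.
        return c.SendString("✋") // => ✋
    })

    // GET /flights/LAX-SFO
    // Two named params separated by a literal "-"; both echoed back unchanged.
    app.Get("/flights/:from-:to", func(c *fiber.Ctx) error {
        msg := fmt.Sprintf("💸 From: %s, To: %s", c.Params("from"), c.Params("to"))
        return c.SendString(msg) // => 💸 From: LAX, To: SFO
    })

    // GET /dictionary.txt
    // Catch-all for a single root segment of the form <file>.<ext>; the extension
    // is user-controlled input and is echoed back. Note the rule's regex only
    // looks for a literal "/*", so this route is not reported by it even though
    // it matches arbitrary static-looking names.
    app.Get("/:file.:ext", func(c *fiber.Ctx) error {
        msg := fmt.Sprintf("📃 %s.%s", c.Params("file"), c.Params("ext"))
        return c.SendString(msg) // => 📃 dictionary.txt
    })

    // Listen blocks for the lifetime of the server; Fatal only fires if it
    // returns an error (e.g. the port is already in use).
    log.Fatal(app.Listen(":3000"))
}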




cache_deception_rule.yaml


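# Semgrep rule: flag GoFiber route registrations whose path string contains a
# "/*" wildcard. Such routes also match request paths carrying a static-looking
# suffix, which is the precondition for web cache deception (CWE-525).
rules:
  - id: detect-regex-path-star-gofiber
    patterns:
      # Any HTTP-verb registration; $X binds the path argument.
      - pattern-either:
          - pattern: $Y.Get(..., $X, ...)
          - pattern: $Y.Post(..., $X, ...)
          - pattern: $Y.Put(..., $X, ...)
          - pattern: $Y.Delete(..., $X, ...)
          - pattern: $Y.Patch(..., $X, ...)
      # Restrict to files that import Fiber.
      # NOTE(review): the companion example imports "github.com/gofiber/fiber/v2";
      # confirm this pattern also matches the versioned import path, otherwise the
      # rule never fires on v2 code.
      - pattern-inside: |
          import "github.com/gofiber/fiber"
          ...
      # Only report path strings containing a literal "/*" (e.g. "/api/*").
      # Routes like "/:file.:ext" or "/flights/:from-:to" contain no "/*" and
      # are not covered by this rule.
      - metavariable-pattern:
          metavariable: $X
          patterns:
            - pattern-regex: /\*[\w\s]*
    message: Avoid using '/path*' regex pattern in GoFiber.
    languages:
      - go
    severity: WARNING
    # Metadata belongs to the rule entry. In the original it sat at column 0 as a
    # second top-level key beside `rules`, where Semgrep does not read it (the
    # only expected top-level key is `rules`).
    metadata:
      category: security
      cwe: "CWE-525: Use of Web Browser Cache Containing Sensitive Information"
      subcategory: [audit]
      confidence: HIGH
      impact: HIGH
      technology: [golang, gofiber]
      description: "`Golang GoFiber` Possible Web Cache Deception"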