Go / gomux Cache Deception
cache_deception.go
import (
	"log"
	"net/http"
	"time"
)
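// main registers the example route on a ServeMux and serves it on :3000.
//
// The route pattern "/test*" is kept on purpose: it is the form that the
// accompanying Semgrep rule (detect-generic-path-star-mux) is written to flag.
// As far as the net/http ServeMux pattern grammar goes, "*" is a literal path
// character rather than a wildcard, so this registration matches only the
// exact path "/test*" — verify against the Go version in use.
func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/test*", index)

	// NOTE(review): index answers 404 for every path other than "/", so a
	// request routed here by "/test*" can never reach its method switch;
	// presumably the example originally registered "/" — confirm which is
	// intended.

	// Explicit http.Server instead of http.ListenAndServe: the latter sets no
	// timeouts, so a slow or idle client can hold a connection open
	// indefinitely. The values below are illustrative defaults.
	srv := &http.Server{
		Addr:              ":3000",
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	// ListenAndServe always returns a non-nil error, so this always exits.
	log.Fatal(srv.ListenAndServe())
}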
// index serves the site root. Any path other than "/" is answered with a 404
// so the handler does not respond for sub-paths it was not written for.
//
// Method handling:
//   - GET, POST: placeholders; nothing is written, so the reply is an empty
//     200.
//   - OPTIONS: 204 with an Allow header listing the supported methods.
//   - anything else: 405 with the same Allow header and a plain-text body.
func index(w http.ResponseWriter, r *http.Request) {
	const allowed = "GET, POST, OPTIONS"

	if r.URL.Path != "/" {
		http.NotFound(w, r)
		return
	}

	// Common code for all requests can go here...

	if r.Method == http.MethodGet || r.Method == http.MethodPost {
		// Handle the GET / POST request...
		return
	}

	// OPTIONS and unsupported methods both advertise what is allowed.
	w.Header().Set("Allow", allowed)
	if r.Method == http.MethodOptions {
		w.WriteHeader(http.StatusNoContent)
		return
	}
	http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
}
cache_deception_rule.yaml
# Semgrep rule: flag net/http HandleFunc registrations whose path pattern
# contains a "*". The listing above this rule was pasted without indentation;
# the nesting below (pattern-inside and metavariable-pattern as siblings of
# pattern-either under `patterns`) is the reading that makes the rule
# meaningful — confirm against the original file.
rules:
  - id: detect-generic-path-star-mux
    patterns:
      - pattern-either:
          # Any receiver ($Y) whose HandleFunc is called with a pattern ($X).
          - pattern: $Y.HandleFunc($X, ...)
      # Only consider files that import net/http.
      - pattern-inside: |
          import "net/http"
          ...
      - metavariable-pattern:
          metavariable: $X
          patterns:
            # Matches a "/" followed by zero or more word characters and then
            # a literal "*", e.g. "/test*". Note that a net/http ServeMux
            # pattern is not a regex and "*" is not a wildcard there; this
            # rule flags the wildcard-looking form, not an actual match-all
            # route — verify against the Go version in use.
            - pattern-regex: /[\w]*\*
    message: Avoid using regex patterns with asterisk (*) in route handlers.
    languages: [go]
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-525: Use of Web Browser Cache Containing Sensitive Information"
      subcategory: [audit]
      confidence: HIGH
      impact: HIGH
      # NOTE(review): the technology tag names httprouter, but the
      # pattern-inside above constrains matches to files importing net/http;
      # confirm which router this rule is meant to cover.
      technology: [golang, httprouter]
      description: "`Golang Mux` Possible Web Cache Deception"