Go / gorilla Cache Deception
cache_deception.go
package main
import (
	"fmt"
	"log"
	"net/http"
	"time"

	"github.com/julienschmidt/httprouter"
)
// Index writes a fixed greeting and ignores both the request and the
// httprouter path parameters; main registers it on the catch-all routes.
func Index(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
	const banner = "Welcome!\n"
	// The write error is deliberately not checked, matching the original
	// fmt.Fprint call whose result was also discarded.
	w.Write([]byte(banner))
}
// Hello greets the caller using the ":name" path parameter that httprouter
// extracted from the request URL.
//
// NOTE(review): the parameter is echoed verbatim and no Content-Type header
// is set here, so the net/http server's content sniffing decides how a client
// interprets the body — confirm that is acceptable for this endpoint.
func Hello(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
	who := ps.ByName("name")
	// fmt.Fprint adds no separator between adjacent string operands, so the
	// output is exactly "hello, <name>!\n".
	fmt.Fprint(w, "hello, ", who, "!\n")
}
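// main wires up the sample routes and serves them on :8080.
//
// The three "/*filepath" registrations are the pattern the accompanying
// Semgrep rule (detect-regex-path-star-httprouter) flags: a catch-all
// swallows every suffix under its prefix, so a request for something that
// looks like a static asset (e.g. /account/style.css) is answered by the same
// dynamic handler. A cache in front of this service that decides
// cacheability by extension could then store that response — the
// web-cache-deception setup this file is named for. The routes are kept
// as-is so the rule has something to detect; only the server setup is
// hardened.
func main() {
	router := httprouter.New()

	// NOTE(review): httprouter only performs explicit matches, and a root
	// catch-all alongside "/test/..." and "/hello/:name" may be rejected as a
	// conflict when the routes are registered — confirm if this sample is
	// meant to run rather than only be scanned.
	// ruleid: detect-regex-path-star-httprouter
	router.GET("/test/*filepath", Index)
	// ruleid: detect-regex-path-star-httprouter
	router.GET("/*filepath", Index)
	// ruleid: detect-regex-path-star-httprouter
	router.POST("/*filepath", Index)
	// ok: detect-regex-path-star-httprouter
	router.GET("/hello/:name", Hello)

	// http.ListenAndServe applies no timeouts at all, so a client that never
	// finishes sending its headers can hold a connection open indefinitely.
	// An explicit http.Server bounds header, body, response and idle time.
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           router,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	// log.Fatal exits with the listener error (ListenAndServe never returns nil).
	log.Fatal(srv.ListenAndServe())
}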
cache_deception_rule.yaml
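rules:
  - id: detect-regex-path-star-httprouter
    # Flags httprouter route registrations whose path template contains a
    # catch-all segment ("/*name"). A catch-all matches every suffix under its
    # prefix, so requests that look like static assets reach the same dynamic
    # handler; behind a cache that keys cacheability on path or extension this
    # is the web-cache-deception setup. The rule is an audit signal: whether
    # it is exploitable depends on the caching layer in front of the service.
    patterns:
      - pattern-either:
          # Method-specific registration helpers.
          - pattern: $Y.GET(..., $X, ...)
          - pattern: $Y.HEAD(..., $X, ...)
          - pattern: $Y.OPTIONS(..., $X, ...)
          - pattern: $Y.POST(..., $X, ...)
          - pattern: $Y.PUT(..., $X, ...)
          - pattern: $Y.DELETE(..., $X, ...)
          - pattern: $Y.PATCH(..., $X, ...)
          # Generic registration methods (method, path, handler).
          - pattern: $Y.Handle(..., $X, ...)
          - pattern: $Y.HandlerFunc(..., $X, ...)
          - pattern: $Y.Handler(..., $X, ...)
      # Only consider files that import httprouter, so $Y.GET on other routers
      # is not reported.
      - pattern-inside: |
          import "github.com/julienschmidt/httprouter"
          ...
      - metavariable-pattern:
          metavariable: $X
          patterns:
            # The trailing "[\w\s]*" is optional, so the effective test is
            # "the argument contains '/*'"; only the path literal satisfies it.
            - pattern-regex: /\*[\w\s]*
    message: >-
      Route path $X registers an httprouter catch-all ('/*name'). Every suffix
      under the prefix, including ones that look like static assets (for
      example '/account/style.css'), reaches the same handler, so a cache in
      front of the service that decides cacheability by path or extension may
      store a per-user response (web cache deception). Prefer explicit routes
      or a named parameter ('/:name'), and send 'Cache-Control: no-store' on
      dynamic responses.
    languages:
      - go
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-525: Use of Web Browser Cache Containing Sensitive Information"
      subcategory: [audit]
      # Confidence refers to detecting the catch-all itself, not to
      # exploitability, which depends on an upstream cache's rules.
      confidence: HIGH
      impact: HIGH
      technology: [golang, httprouter]
      description: "`Golang HTTPRouter` Possible Web Cache Deception"
      references:
        - https://cwe.mitre.org/data/definitions/525.html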