Use of a Broken or Risky Cryptographic Algorithm

• Rule ID: go_gosec_blocklist_cgi
• Languages: go
• Source: cgi.yml

Description

Using the net/http/cgi package in Go, especially with versions prior to 1.6.3, exposes the application to the Httpoxy attack, a vulnerability identified as CVE-2016-5386. This vulnerability arises from the way CGI and FastCGI protocols handle certain environment variables, which can be manipulated to intercept and redirect outgoing HTTP requests made by the web application.

Remediations

✅ Update Go Version

Ensure you are using a version of Go that is 1.6.3 or later, where this vulnerability is patched.

# Check Go version and update if necessary
go version
# Follow Go's update instructions if your version is < 1.6.3

✅ Use Alternative Packages

Refrain from using CGI where possible. Utilize alternative packages and methods to handle HTTP requests which do not rely on the CGI protocol.

// Use the standard net/http package instead
import "net/http"

❌ Don't Use net/http/cgi in Older Versions

Do not use the net/http/cgi package if you are operating on Go versions older than 1.6.3 as they are susceptible to the Httpoxy vulnerability.

// This import is vulnerable to Httpoxy in Go < 1.6.3
import "net/http/cgi"

❌ Avoid Exposing Environment Variables

Ensure that the environment variables such as HTTP_PROXY are not being exposed unintentionally, as this can be leveraged for Httpoxy attacks.

Resources

• CVE-2016-5386 Detail
• Httpoxy.org

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_cgi

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_cgi