Use of a Broken or Risky Cryptographic Algorithm
- Rule ID: go_gosec_blocklist_cgi
- Languages: go
- Source: cgi.yml
Description
Using the net/http/cgi
package in Go, especially with versions prior to 1.6.3, exposes the application to the Httpoxy attack, a vulnerability identified as CVE-2016-5386. This vulnerability arises from the way CGI and FastCGI protocols handle certain environment variables, which can be manipulated to intercept and redirect outgoing HTTP requests made by the web application.
Remediations
✅ Update Go Version
Ensure you are using a version of Go that is 1.6.3 or later, where this vulnerability is patched.
# Check Go version and update if necessary
go version
# Follow Go's update instructions if your version is < 1.6.3
✅ Use Alternative Packages
Refrain from using CGI where possible. Utilize alternative packages and methods to handle HTTP requests which do not rely on the CGI protocol.
// Use the standard net/http package instead
import "net/http"
❌ Don't Use net/http/cgi
in Older Versions
Do not use the net/http/cgi
package if you are operating on Go versions older than 1.6.3 as they are susceptible to the Httpoxy vulnerability.
// This import is vulnerable to Httpoxy in Go < 1.6.3
import "net/http/cgi"
❌ Avoid Exposing Environment Variables
Ensure that the environment variables such as HTTP_PROXY
are not being exposed unintentionally, as this can be leveraged for Httpoxy attacks.
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_cgi
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_cgi
Ready to take the next step? Learn more about Bearer Cloud.