Use of a Broken or Risky Cryptographic Algorithm
- Rule ID: go_gosec_blocklist_cgi
- Languages: go
- Source: cgi.yml
The net/http/cgi package in Go, in versions prior to 1.6.3, exposes the application to the Httpoxy attack, identified as CVE-2016-5386. The CGI and FastCGI protocols hand client-supplied request headers to the application as environment variables, so a request can set a variable such as HTTP_PROXY and thereby intercept and redirect the outgoing HTTP requests the web application makes.
✅ Update Go Version
Ensure you are using a version of Go that is 1.6.3 or later, where this vulnerability is patched.
```shell
# Check Go version and update if necessary
go version
# Follow Go's update instructions if your version is < 1.6.3
```
✅ Use Alternative Packages
Refrain from using CGI where possible. Utilize alternative packages and methods to handle HTTP requests which do not rely on the CGI protocol.
```go
// Use the standard net/http package instead
import "net/http"
```
❌ Don't Use net/http/cgi in Older Versions
Do not use the net/http/cgi package if you are operating on Go versions older than 1.6.3, as they are susceptible to the Httpoxy vulnerability.
```go
// This import is vulnerable to Httpoxy in Go < 1.6.3
import "net/http/cgi"
```
❌ Avoid Exposing Environment Variables
Ensure that environment variables such as HTTP_PROXY are not being exposed unintentionally, as this can be leveraged for Httpoxy attacks.
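An added example, not part of the Bearer rule or of Go's net/http/cgi, showing the mechanism described above and two defensive checks: the CGI header-to-variable mapping that turns a client's Proxy header into HTTP_PROXY, a scrubber for the environment slice a CGI host passes on, and an outbound client whose proxy is pinned rather than read from the environment. The variable names scrubbed and the constructed environment values are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// headerToCGIVar applies the RFC 3875 mapping a CGI host uses for request
// headers: uppercase, '-' becomes '_', prefixed with HTTP_. This is why a
// client-supplied "Proxy" header lands in the HTTP_PROXY variable.
func headerToCGIVar(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// scrubProxyEnv returns env (KEY=value form, as os.Environ and cgi.Handler.Env
// use) without proxy variables, plus the names removed so they can be logged.
// Assumption: HTTP_PROXY and HTTPS_PROXY, in any letter case, must never reach
// the application from a request.
func scrubProxyEnv(env []string) (clean, removed []string) {
	for _, kv := range env {
		key, _, _ := strings.Cut(kv, "=")
		switch strings.ToUpper(key) {
		case "HTTP_PROXY", "HTTPS_PROXY":
			removed = append(removed, key)
		default:
			clean = append(clean, kv)
		}
	}
	return clean, removed
}

// newPinnedClient builds an outbound client that never consults the process
// environment for a proxy: an empty proxy means a direct connection, otherwise
// every request goes through exactly the proxy given here.
func newPinnedClient(proxy string) (*http.Client, error) {
	tr := &http.Transport{} // Proxy nil => no proxy, unlike http.DefaultTransport
	if proxy != "" {
		u, err := url.Parse(proxy)
		if err != nil {
			return nil, err
		}
		tr.Proxy = http.ProxyURL(u)
	}
	return &http.Client{Transport: tr}, nil
}

func main() {
	// Constructed environment standing in for what a CGI host hands a script.
	env := []string{"REQUEST_METHOD=GET", "HTTP_PROXY=http://injected.invalid:8080", "PATH=/usr/bin"}
	clean, removed := scrubProxyEnv(env)
	fmt.Println(headerToCGIVar("Proxy"), removed, clean)
}
```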
OWASP Top 10
To skip this rule during a scan, use the following flag:
```shell
bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_cgi
```
To run only this rule during a scan, use the following flag:
```shell
bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_cgi
```