gofiber / keyauth

🧬 Key Authentication for Fiber
https://github.com/gofiber/fiber
MIT License

Suggestion: Improve examples to follow best security practices #97

Closed aosti closed 1 year ago

aosti commented 1 year ago

Hello, first of all nice work with the gofiber library and all of the middlewares. My issue is only a suggestion to better guide developers who may not be familiar with security issues. My suggestion is to update the examples to follow the best practices regarding security, because many developers may copy/paste the examples and not adjust the security sensitive aspects of it.

Unsafe Example of URL Filtering

Creates a map with the paths that should be verified and uses c.OriginalURL() to get the path from the request. However, this is not safe. By simply changing the case of the path or adding additional bars at the end of the URI, it can be bypassed. I'm not sure how to solve this one in Go.

Unsafe URL passing

Keys should not be passed through the URL as that may cause the token to be saved in the server logs. Simply use an authentication header.

All examples vulnerable to timing attacks

It may not be viable to perform in all scenarios; however, there may be timing differences during the comparison of the submitted client token and the backend response, which may allow an attacker to recover the token from the backend. This can be solved by first hashing with at least SHA256 the user entry and the apikey itself, and then comparing both of them using the subtle.ConstantTimeCompare function.
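
The last two points above, as an added Go example that is not code from this issue or from the keyauth middleware: a validator that reads the key from the Authorization header and compares SHA-256 hashes with subtle.ConstantTimeCompare, shown beside the plain == comparison the issue warns about. validKeys, keyFromHeader, validateNaive and validateConstantTime are hypothetical names, and the keys are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample keys standing in for the server-side key store (hypothetical).
var validKeys = []string{"example-key-1", "example-key-2"}

// keyFromHeader reads "Authorization: Bearer <key>", keeping the key out of URL logs.
func keyFromHeader(r *http.Request) (string, bool) {
	scheme, key, ok := strings.Cut(r.Header.Get("Authorization"), " ")
	return key, ok && strings.EqualFold(scheme, "Bearer") && key != ""
}

// validateNaive is the pattern the issue warns about: == stops at the first
// differing byte, so response time leaks how many leading bytes were correct.
func validateNaive(key string) bool {
	for _, k := range validKeys {
		if key == k {
			return true
		}
	}
	return false
}

// validateConstantTime hashes both sides with SHA-256 so the compared values
// always have the same length, then uses subtle.ConstantTimeCompare. Every key
// is checked with no early return, so timing does not reveal which one matched.
func validateConstantTime(key string) bool {
	sum := sha256.Sum256([]byte(key))
	matched := 0
	for _, k := range validKeys {
		kh := sha256.Sum256([]byte(k))
		matched |= subtle.ConstantTimeCompare(sum[:], kh[:])
	}
	return matched == 1
}

func main() {
	req, _ := http.NewRequest("GET", "/protected", nil)
	req.Header.Set("Authorization", "Bearer example-key-2")
	key, ok := keyFromHeader(req)
	fmt.Println(ok, validateNaive(key), validateConstantTime(key)) // true true true
}
```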

gaby commented 1 year ago

I will update the 2nd example this weekend. Thanks for pointing this out. The first one is a little more complicated.

gaby commented 1 year ago

@aosti I have implemented all your suggestions in #99