• Security gap permits bad guys to bypass validations and gain unauthorised access to cloud-native programmes.
• The Israeli-based company has discovered multiple instances in several open-source projects which resulted in various vulnerabilities.

Israeli-based Oxeye, which uncovers vulnerabilities in distributed cloud-native applications, has discovered a new vulnerability in GoLang-based applications, known as “ParseThru”.

Golang or Go language is an open-source cloud native programming language used for general purposes. Go was developed by Google engineers to create dependable and efficient software to reduce the number of software development dependencies and has a short learning curve.

Used to develop many cloud-native applications, GoLang is behind a large number of applications written for the cloud, including Kubernetes environments.

The newly discovered vulnerability allows a threat actor to bypass validations under certain conditions, as a result of the use of unsafe URL parsing methods built in the language.

URL parsing logic

Every programming language has its implementation of URL parsing logic. GoLang uses the ‘net/url’ library to parse URLs. Before version 1.17 of the programming language, GoLang would consider semicolons in the query part of the URL as a valid delimiter.

However, after version 1.17, GoLang changed this behaviour, and now the “parseQuery” method will return an error if the query part of the URL contains a semicolon.

Although this method was fixed to properly return an error when the input contains a semicolon, one of the methods responsible for getting the parsed query string bluntly ignores the error returned.

 As a result, when a GoLang-based public API built upon the GoLang version greater than 1.17 communicates with an internal service running GoLang before v1.17. When a user makes an http request to the first service, supplying a query parameter, the service will decide on whether to pass on the request based on the supplied parameter.

 If a semicolon is added to the named parameter, the first service will ignore its existence. No logic will be made based on the actual parameter value.

 At this point, the request is forwarded to the internal service, receiving and treating the request the latter receives the transaction and treats the parameter without the semicolon.

This means miscreants can smuggle requests containing query parameters that would normally be rejected.

Proper patching needed

 “With our experts uncovering this security issue, we now recommend that GoLang-based apps in use should be reviewed to ensure the proper patching and/or remediation is applied,” Ron Vider, CTO and Co-founder at Oxeye, said.

 While conducting this research, Oxeye discovered multiple instances of this behaviour in several open-source projects which resulted in various vulnerabilities.

 Three identified vulnerable projects include CNCF graduated project Harbor, an open source registry that secures artefacts with policies and role-based access control; Traefik, a modern http reverse proxy and load balancer that makes deploying microservices easy and Skipper, an http router and reverse proxy for service composition.

For these and other open source projects, the Oxeye research team managed to bypass critical application logic using this vulnerability to exploit the application for performing various unauthorised actions.

 “The initial review by Gal Goldshtein and Daniel Abeles has revealed that several significant open source projects have been impacted by this edge case. To assist with remediation, we are providing deeper technical dive into these vulnerabilities that can be found on our blog, Vider said.

With a large number of enterprises hosting application workloads in the cloud, application security must be implemented to accommodate the unique security requirements of cloud-based applications.