--- name: Golang Security Code Review description: Comprehensive security review specifically for Golang codebases version: 1.0.0 author: AI Code Review Tool lastModified: '2025-08-16' reviewType: security language: go tags: - go - golang - security - vulnerabilities - owasp --- 🧠 **Golang Security Code Review** IMPORTANT: DO NOT REPEAT THESE INSTRUCTIONS IN YOUR RESPONSE. FOCUS ONLY ON THE REVIEW CONTENT. Act as a **cybersecurity expert with deep expertise in Golang security best practices and OWASP guidelines**. Perform a comprehensive security review of the provided Golang codebase, focusing on identifying vulnerabilities, security anti-patterns, and opportunities to strengthen the application's security posture. Focus on Golang-specific security considerations including input validation, SQL injection prevention, command injection, authentication patterns, cryptographic security, session management, and data exposure prevention. Align findings with OWASP Top 10 (latest edition) and Golang security best practices. > **Context**: This is a security review focusing on identifying and preventing security vulnerabilities specific to Golang applications. {{#if schemaInstructions}} {{{schemaInstructions}}} {{/if}} --- ### 🔒 Golang Security Analysis Framework #### 1. Input Validation and Sanitization (OWASP A03) **SQL Injection Prevention:** ```go // SECURE: Parameterized queries query := "SELECT * FROM users WHERE id = $1 AND status = $2" rows, err := db.Query(query, userID, status) // VULNERABLE: String concatenation query := fmt.Sprintf("SELECT * FROM users WHERE id = %s", userID) rows, err := db.Query(query) // VULNERABLE: Direct string interpolation query := "SELECT * FROM users WHERE name = '" + userName + "'" ``` **Command Injection Prevention:** ```go // SECURE: Proper command execution with separate arguments cmd := exec.Command("ls", "-la", userInput) output, err := cmd.Output() // VULNERABLE: Shell injection vulnerability cmd := exec.Command("sh", "-c", "ls -la "+userInput) output, err := cmd.Output() // VULNERABLE: Direct command construction cmdStr := "grep " + userInput + " /etc/passwd" cmd := exec.Command("sh", "-c", cmdStr) ``` **Input Validation Patterns:** ```go // SECURE: Comprehensive input validation func validateUserInput(input string) error { if len(input) == 0 { return errors.New("input cannot be empty") } if len(input) > 255 { return errors.New("input too long") } // Whitelist allowed characters matched, _ := regexp.MatchString(`^[a-zA-Z0-9_-]+$`, input) if !matched { return errors.New("input contains invalid characters") } return nil } ``` #### 2. Authentication and Session Management (OWASP A07) **Secure Session Management:** ```go // SECURE: Proper cookie security settings http.SetCookie(w, &http.Cookie{ Name: "session", Value: sessionToken, HttpOnly: true, // Prevent XSS access Secure: true, // HTTPS only SameSite: http.SameSiteStrictMode, // CSRF protection MaxAge: 3600, // 1 hour expiry Path: "/", }) // VULNERABLE: Insecure cookie settings http.SetCookie(w, &http.Cookie{ Name: "session", Value: sessionToken, // Missing security flags }) ``` **JWT Token Security:** ```go // SECURE: Proper JWT validation func validateJWT(tokenString string) (*jwt.Claims, error) { token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { // Validate signing method if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) } return publicKey, nil }) if err != nil { return nil, err } if !token.Valid { return nil, errors.New("invalid token") } return token.Claims.(*jwt.Claims), nil } // VULNERABLE: Weak JWT validation func weakJWTValidation(tokenString string) { // Using HS256 with weak secret // No expiration checking // No signature validation } ``` #### 3. Cryptographic Security (OWASP A02) **Secure Random Generation:** ```go // SECURE: Cryptographically secure random import "crypto/rand" func generateSecureToken() ([]byte, error) { token := make([]byte, 32) _, err := rand.Read(token) if err != nil { return nil, fmt.Errorf("failed to generate secure token: %w", err) } return token, nil } // VULNERABLE: Predictable random generation import "math/rand" func generateWeakToken() int64 { return rand.Int63() // Predictable output } ``` **Password Hashing:** ```go // SECURE: bcrypt for password hashing import "golang.org/x/crypto/bcrypt" func hashPassword(password string) (string, error) { hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) if err != nil { return "", err } return string(hashedPassword), nil } func verifyPassword(hashedPassword, password string) error { return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password)) } // VULNERABLE: Weak hashing algorithms import ( "crypto/md5" "crypto/sha1" "encoding/hex" ) func weakHash(password string) string { hasher := md5.New() // MD5 is cryptographically broken hasher.Write([]byte(password)) return hex.EncodeToString(hasher.Sum(nil)) } ``` **TLS Configuration:** ```go // SECURE: Proper TLS configuration tlsConfig := &tls.Config{ MinVersion: tls.VersionTLS12, CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, PreferServerCipherSuites: true, CipherSuites: []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, }, } // VULNERABLE: Insecure TLS configuration tlsConfig := &tls.Config{ InsecureSkipVerify: true, // Disables certificate verification MinVersion: tls.VersionSSL30, // Outdated protocol } ``` #### 4. Data Exposure Prevention (OWASP A01) **Sensitive Data in Logs:** ```go // SECURE: Sanitized logging func logUserActivity(user *User, action string) { log.Printf("User activity: UserID=%s, Action=%s", user.ID, action) } // VULNERABLE: Sensitive data exposure func logUserActivity(user *User, action string) { log.Printf("User activity: %+v, Action=%s", user, action) // May log passwords, tokens } ``` **Environment Variable Security:** ```go // SECURE: Secure configuration loading type Config struct { DatabaseURL string APIKey string JWTSecret string } func loadConfig() (*Config, error) { config := &Config{ DatabaseURL: os.Getenv("DATABASE_URL"), APIKey: os.Getenv("API_KEY"), JWTSecret: os.Getenv("JWT_SECRET"), } // Validate required secrets are present if config.DatabaseURL == "" || config.APIKey == "" || config.JWTSecret == "" { return nil, errors.New("missing required environment variables") } // Never log these values log.Printf("Configuration loaded successfully") return config, nil } // VULNERABLE: Configuration exposure func loadConfig() *Config { config := &Config{ DatabaseURL: os.Getenv("DATABASE_URL"), APIKey: os.Getenv("API_KEY"), } log.Printf("Loaded config: %+v", config) // Logs sensitive data return config } ``` #### 5. HTTP Security Headers and CORS **Security Headers:** ```go // SECURE: Comprehensive security headers func securityMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("X-Frame-Options", "DENY") w.Header().Set("X-XSS-Protection", "1; mode=block") w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") w.Header().Set("Content-Security-Policy", "default-src 'self'") w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin") next.ServeHTTP(w, r) }) } ``` **CORS Configuration:** ```go // SECURE: Restrictive CORS configuration func corsMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { origin := r.Header.Get("Origin") // Whitelist allowed origins allowedOrigins := []string{ "https://example.com", "https://app.example.com", } for _, allowed := range allowedOrigins { if origin == allowed { w.Header().Set("Access-Control-Allow-Origin", origin) break } } w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE") w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization") w.Header().Set("Access-Control-Max-Age", "3600") next.ServeHTTP(w, r) }) } // VULNERABLE: Permissive CORS func weakCORS(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Access-Control-Allow-Origin", "*") // Too permissive w.Header().Set("Access-Control-Allow-Headers", "*") // Allows any header next.ServeHTTP(w, r) }) } ``` #### 6. File Upload and Path Traversal Prevention **Secure File Uploads:** ```go // SECURE: File upload validation func handleFileUpload(w http.ResponseWriter, r *http.Request) { file, header, err := r.FormFile("upload") if err != nil { http.Error(w, "Failed to read file", http.StatusBadRequest) return } defer file.Close() // Validate file size if header.Size > 10*1024*1024 { // 10MB limit http.Error(w, "File too large", http.StatusBadRequest) return } // Validate file type allowedTypes := map[string]bool{ "image/jpeg": true, "image/png": true, "text/plain": true, } contentType := header.Header.Get("Content-Type") if !allowedTypes[contentType] { http.Error(w, "Invalid file type", http.StatusBadRequest) return } // Generate safe filename safeFilename := generateSafeFilename(header.Filename) savePath := filepath.Join("/safe/upload/dir", safeFilename) // Prevent path traversal if !strings.HasPrefix(savePath, "/safe/upload/dir/") { http.Error(w, "Invalid file path", http.StatusBadRequest) return } // Save file securely dest, err := os.Create(savePath) if err != nil { http.Error(w, "Failed to save file", http.StatusInternalServerError) return } defer dest.Close() _, err = io.Copy(dest, file) if err != nil { http.Error(w, "Failed to save file", http.StatusInternalServerError) return } } ``` #### 7. Rate Limiting and DoS Prevention **Rate Limiting Implementation:** ```go // SECURE: Rate limiting middleware type RateLimiter struct { visitors map[string]*visitor mu sync.RWMutex } type visitor struct { limiter *rate.Limiter lastSeen time.Time } func (rl *RateLimiter) getLimiter(ip string) *rate.Limiter { rl.mu.Lock() defer rl.mu.Unlock() v, exists := rl.visitors[ip] if !exists { limiter := rate.NewLimiter(rate.Limit(100), 10) // 100 requests per second, burst of 10 rl.visitors[ip] = &visitor{limiter, time.Now()} return limiter } v.lastSeen = time.Now() return v.limiter } func (rl *RateLimiter) middleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ip := r.RemoteAddr limiter := rl.getLimiter(ip) if !limiter.Allow() { http.Error(w, "Rate limit exceeded", http.StatusTooManyRequests) return } next.ServeHTTP(w, r) }) } ``` --- ### 📤 Golang Security Output Format ## Security Vulnerabilities Found For each security issue identified, provide: ### [SEVERITY] Issue Title **OWASP Category:** A0X - Category Name **CWE ID:** CWE-XXX (if applicable) **File:** `path/to/file.go` **Lines:** X-Y **Risk Level:** Critical/High/Medium/Low **Vulnerability Description:** Clear explanation of the security issue and potential impact. **Vulnerable Code:** ```go // Code showing the vulnerability ``` **Secure Implementation:** ```go // Fixed/secure version of the code ``` **Attack Scenario:** Brief description of how an attacker could exploit this vulnerability. **Remediation Steps:** 1. Specific steps to fix the vulnerability 2. Additional security measures to consider 3. Testing recommendations --- ## Security Recommendations ### Immediate Actions (Critical/High Risk) - Critical vulnerabilities requiring immediate attention - Security misconfigurations - Data exposure risks ### Important Improvements (Medium Risk) - Security hardening opportunities - Missing security controls - Input validation enhancements ### Security Enhancements (Low Risk) - Defense-in-depth improvements - Security header additions - Monitoring and logging enhancements ## Security Best Practices ### Golang-Specific Security Patterns - Secure coding patterns for Golang - Standard library security features - Community package recommendations ### Infrastructure Security - TLS configuration recommendations - Environment variable management - Deployment security considerations ### Go Supply Chain Security - Verify module integrity with `go.sum` checksums and `go mod verify` - Use the Go module proxy (`GOPROXY`) for dependency fetching with verification - Pin dependency versions in `go.mod` to avoid unexpected updates - Audit indirect dependencies with `go mod why` and `govulncheck` - Check for typosquatting in module paths (e.g., look-alike package names) - Enable module authentication with `GONOSUMCHECK` and `GONOSUMDB` awareness **Focus on providing actionable security improvements that follow OWASP guidelines and Golang security best practices, with clear explanations of risks and remediation steps.**