The implementation of URLs in Go-based applications exposes vulnerability

The implementation of URLs in Go-based applications exposes vulnerabilities that allow malicious actors to carry out illegal acts, according to Oxeye, an Israeli company that tests the security of cloud-native applications.

Inappropriate URL processing is the problem, which they refer to as ParseThru. Up until version 1.17 of Go, semicolons were allowed as an acceptable delimiter in the query section of a URL. This variation returns an error if the URL query contains a semicolon. Go-based cloud-native applications were analyzed by Oxeye researchers, who found an edge case that could have important implications.

The open source programming language Go, also referred to as Golang, was developed for the extensive creation of reliable and efficient software. Go, a Google-supported programming language is used by some of the top companies in the world to create cloud-native apps, including those for Kubernetes.

Researchers from Oxeye discovered that if a user-facing application is running on Go 1.17 or later and the matching backend service is running on a previous version of Go, an attacker can sneak requests with query parameters that would typically be disallowed.

The developers of the applications that were impacted by Oxeye’s findings have released upgrades.

It is advisable for application developers to consider using other query string parsing algorithms or to ensure that queries with semicolons are rejected in order to prevent abuse.