Broken Object Property Level Authorization

Broken Object Property Level Authorization in Go (Gin) [GHSA-9gjv-jvm7-vv2v]

[Updated Apr 2026] Updated GHSA-9gjv-jvm7-vv2v

Overview

Broken Object Property Level Authorization (BOPLA) vulnerabilities occur when an API trusts client-supplied identifiers to access resources without validating that the current user is allowed to view or modify them. In Go applications using Gin, handlers often extract an ID from the URL or body and fetch the resource directly. If the ownership check is missing or insufficient, a user can read, update, or delete others' resources simply by altering the id value, leading to data leakage, privilege escalation, or operational impact. In Go with Gin, this class of vulnerability manifests when a handler composes a database query with a resource key (e.g., id or ownerId) without constraining it by the authenticated user. Typical patterns include querying by id alone, performing updates or deletions based on user-provided identifiers, or returning object fields that reveal sensitive owners or relationships. The risk multiplies in multi-tenant apps or services with shared data stores. Remediation involves enforcing object-level authorization in every endpoint: ensure the resource exists and belongs to the current user before returning or mutating it; scope DB queries to owner_id or resource owner; propagate user identity via context from authentication middleware; add tests and edge-case coverage; and consider database-level protections or RBAC where feasible. After fixes, verify with unit/integration tests and security scans.

Code Fix Example

Go (Gin) API Security Remediation 
package main
import (
  "net/http"
  "strconv"
  "github.com/gin-gonic/gin"
)

type Order struct {
  ID uint
  OwnerID uint
  Item string
}

var orders = map[uint]Order{
  1: {ID: 1, OwnerID: 10, Item: "Widget"},
  2: {ID: 2, OwnerID: 20, Item: "Gadget"},
}

func main() {
  r := gin.Default()

  // Vulnerable endpoint: reads resource by ID without ownership check
  r.GET("/v/orders/:orderId", func(c *gin.Context) {
    id64, _ := strconv.ParseUint(c.Param("orderId"), 10, 64)
    order, ok := orders[uint(id64)]
    if !ok { c.Status(http.StatusNotFound); return }
    // Vulnerable: returns data regardless of ownership
    c.JSON(http.StatusOK, order)
  })

  // Mock middleware to set user identity for demonstration
  r.Use(func(c *gin.Context) {
    c.Set("userID", uint(10)) // authenticated user with ID 10
    c.Next()
  })

  // Fixed endpoint: enforces ownership in query via explicit check
  r.GET("/secure/orders/:orderId", func(c *gin.Context) {
    id64, _ := strconv.ParseUint(c.Param("orderId"), 10, 64)
    order, ok := orders[uint(id64)]
    if !ok { c.Status(http.StatusNotFound); return }

    userIDVal, exists := c.Get("userID")
    if !exists {
      c.Status(http.StatusUnauthorized)
      return
    }
    userID := userIDVal.(uint)
    if order.OwnerID != userID {
      c.Status(http.StatusNotFound)
      return
    }
    c.JSON(http.StatusOK, order)
  })

  r.Run()
}

CVE References

More Go (Gin) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.