Broken Object Property Level Authorization in Go (Gin) [GHSA-r2pg-r6h7-crf3]

Name: ApiPosture
Author: ApiPosture

[Updated Apr 2026] Updated April 13, 2026 GHSA-r2pg-r6h7-crf3

Overview

Broken Object Property Level Authorization vulnerabilities occur when an API authenticates a user but does not enforce that the user may access or modify the specific resource identified by an object ID passed in the request. In Go applications using Gin, handlers often read an ID from the path or body and fetch the corresponding resource without verifying ownership. Attackers can enumerate IDs and access or modify resources that belong to other users. In real-world Go (Gin) services, this leads to data leakage, privacy violations, and the ability to perform actions on peer resources, such as reading sensitive records, updating records, or deleting data. Even if authentication is strong, insufficient authorization checks per object enable attackers to pivot across resources within the same tenant or user base. This vulnerability is common when code relies on high-level access by user role alone (RBAC) without enforcing per-object ownership at the data layer or in the API layer. Fixing requires explicit ownership checks, scoped queries, and consistent error handling to avoid leaking the existence of resources the caller is not authorized to view. In Gin-based Go services, implement object-level authorization early in the request path: validate the authenticated user's identity, verify resource ownership in the database or in-memory store, and return a generic 404 or 403 when unauthorized. Also consider middleware that injects the current user and helper functions that centralize authorization logic.

Code Fix Example

Go (Gin) API Security Remediation

package main

import (
  "net/http"
  "strconv"
  "github.com/gin-gonic/gin"
)

type Resource struct {
  ID int
  OwnerID string
  Data string
}

type User struct {
  ID string
}

var resources = map[int]Resource{
  1: {ID:1, OwnerID: "alice", Data: "Alice's secret"},
  2: {ID:2, OwnerID: "bob", Data: "Bob's secret"},
}

func authMiddleware() gin.HandlerFunc {
  return func(c *gin.Context) {
    user := c.GetHeader("X-User")
    if user == "" {
      c.AbortWithStatus(http.StatusUnauthorized)
      return
    }
    c.Set("user", User{ID: user})
    c.Next()
  }
}

func getResourceVulnerable(c *gin.Context) {
  idParam := c.Param("id")
  id, err := strconv.Atoi(idParam)
  if err != nil {
    c.Status(http.StatusBadRequest)
    return
  }
  if res, ok := resources[id]; ok {
    c.JSON(http.StatusOK, gin.H{"id": res.ID, "owner": res.OwnerID, "data": res.Data})
  } else {
    c.Status(http.StatusNotFound)
  }
}

func getResourceFixed(c *gin.Context) {
  idParam := c.Param("id")
  id, err := strconv.Atoi(idParam)
  if err != nil {
    c.Status(http.StatusBadRequest)
    return
  }
  if res, ok := resources[id]; ok {
    user := c.MustGet("user").(User)
    if res.OwnerID != user.ID {
      c.Status(http.StatusForbidden)
      return
    }
    c.JSON(http.StatusOK, gin.H{"id": res.ID, "owner": res.OwnerID, "data": res.Data})
  } else {
    c.Status(http.StatusNotFound)
  }
}

func main() {
  r := gin.Default()
  r.Use(authMiddleware())
  r.GET("/vuln/resource/:id", getResourceVulnerable)
  r.GET("/fix/resource/:id", getResourceFixed)
  r.Run(":8080")
}