Broken Object Property Level Authorization

Broken Object Property Level Authorization in Go (Gin) [GHSA-wp76-gg32-8258]

[Updated month year] Updated GHSA-wp76-gg32-8258

Overview

Broken Object Property Level Authorization (BOPLA) vulnerabilities in API backends allow a user to access, modify, or delete resources that do not belong to them by manipulating object identifiers in requests. In Go with Gin, these flaws often appear when handlers load resources by ID from the request path and return them without validating ownership against the authenticated user. Attackers can enumerate IDs, iterate resources, or craft requests to reveal private data or perform unauthorized mutations, leading to data leakage and integrity risks. In a secure Gin application, every route that uses an object ID must enforce ownership by comparing the resource's owner with the authenticated user. This requires explicit authorization checks in the service layer or repository, or database queries that filter by owner_id. We also recommend centralized policy enforcement, robust error handling, and tests that exercise both authorized and unauthorized access. Without proper checks, regulated data exposure, regulatory penalties, and reputational damage can follow. This guide provides a concrete code example and remediation steps to address Broken Object Property Level Authorization in Go (Gin).

Code Fix Example

Go (Gin) API Security Remediation 
package main

import (
  "net/http"
  "strconv"
  "github.com/gin-gonic/gin"
)

type User struct { ID int64; OwnerID int64; Name string }
var users = []User{{ID: 1, OwnerID: 10, Name: "Alice"}, {ID: 2, OwnerID: 20, Name: "Bob"}}

func main() {
  r := gin.Default()
  r.Use(fakeAuthMiddleware())

  // Vulnerable endpoint (for demonstration)
  r.GET("/vuln/users/:id", vulnerableGetUser)
  // Fixed endpoint with proper authorization check
  r.GET("/fix/users/:id", fixedGetUser)

  r.Run()
}

func fakeAuthMiddleware() gin.HandlerFunc {
  return func(c *gin.Context) {
    // Simulate authenticated user with ID 10
    c.Set("userID", int64(10))
    c.Next()
  }
}

func vulnerableGetUser(c *gin.Context) {
  idParam := c.Param("id")
  id, err := strconv.Atoi(idParam)
  if err != nil {
    c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
    return
  }
  // Vulnerable: no ownership check
  for _, u := range users {
    if u.ID == int64(id) {
      c.JSON(http.StatusOK, u)
      return
    }
  }
  c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
}

func fixedGetUser(c *gin.Context) {
  idParam := c.Param("id")
  id, err := strconv.Atoi(idParam)
  if err != nil {
    c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
    return
  }
  // Retrieve the current user from context
  uidVal, exists := c.Get("userID")
  var currentUserID int64
  if exists {
    switch v := uidVal.(type) {
    case int64:
      currentUserID = v
    case int:
      currentUserID = int64(v)
    }
  }

  for _, u := range users {
    if u.ID == int64(id) {
      if currentUserID != 0 && u.OwnerID == currentUserID {
        c.JSON(http.StatusOK, u)
        return
      }
      c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
      return
    }
  }
  c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
}

CVE References

More Go (Gin) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.