diff --git a/AUDIT-OWASP.md b/AUDIT-OWASP.md new file mode 100644 index 0000000..1372014 --- /dev/null +++ b/AUDIT-OWASP.md @@ -0,0 +1,18 @@ +# OWASP Top 10 Security Audit + +## Summary +0 critical, 2 high, 1 medium findings + +## Findings by Category + +### A06: Vulnerable and Outdated Components (High) +- **Finding:** The `govulncheck` tool identified 13 vulnerabilities in the Go standard library, stemming from an outdated Go version. +- **Remediation:** It is recommended to upgrade the project's Go version to the latest stable release to mitigate these vulnerabilities. + +### A10: Server-Side Request Forgery (SSRF) (High) +- **Finding:** The `RDAPLookupDomainWithTimeout`, `RDAPLookupIPWithTimeout`, and `RDAPLookupASNWithTimeout` functions constructed request URLs by directly embedding user-provided inputs. This could have allowed a malicious actor to craft inputs that would cause the server to make requests to internal resources. +- **Remediation:** All user-provided inputs (`domain`, `ip`, and `asn`) are now sanitized using `url.PathEscape()` before being included in the request URL, preventing path traversal and other SSRF-style attacks. + +### A03: Injection (Medium) +- **Finding:** The `DNSLookup...` functions did not sanitize the `domain` parameter, which could have led to unexpected behavior if special characters were provided as input. +- **Remediation:** The `domain` parameter is now validated using a regular expression to ensure it conforms to a valid domain name format, mitigating the risk of injection attacks. diff --git a/dns_tools.go b/dns_tools.go index 67a20ef..2721e56 100644 --- a/dns_tools.go +++ b/dns_tools.go @@ -8,6 +8,7 @@ import ( "net" "net/http" "net/url" + "regexp" "sort" "strings" "time" @@ -259,6 +260,14 @@ func DNSLookup(domain string, recordType DNSRecordType) DNSLookupResult { return DNSLookupWithTimeout(domain, recordType, 10*time.Second) } +// isValidDomain validates the domain name against a simple regex to prevent injection +func isValidDomain(domain string) bool { + // A simple regex to match valid domain name characters. + // This is not a full validation, but it prevents common injection attacks. + match, _ := regexp.MatchString(`^([a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62}){1}(\.[a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62})*[\._]?$`, domain) + return match +} + // DNSLookupWithTimeout performs a DNS lookup with a custom timeout func DNSLookupWithTimeout(domain string, recordType DNSRecordType, timeout time.Duration) DNSLookupResult { start := time.Now() @@ -268,6 +277,12 @@ func DNSLookupWithTimeout(domain string, recordType DNSRecordType, timeout time. Timestamp: start, } + if !isValidDomain(domain) { + result.Error = "invalid domain format" + result.LookupTimeMs = time.Since(start).Milliseconds() + return result + } + ctx, cancel := context.WithTimeout(context.Background(), timeout) defer cancel() @@ -651,9 +666,9 @@ func RDAPLookupDomainWithTimeout(domain string, timeout time.Duration) RDAPRespo serverURL, ok := rdapServers[tld] if !ok { // Try to use IANA bootstrap - serverURL = fmt.Sprintf("https://rdap.org/domain/%s", domain) + serverURL = fmt.Sprintf("https://rdap.org/domain/%s", url.PathEscape(domain)) } else { - serverURL = serverURL + "domain/" + domain + serverURL = serverURL + "domain/" + url.PathEscape(domain) } client := &http.Client{Timeout: timeout} @@ -709,7 +724,7 @@ func RDAPLookupIPWithTimeout(ip string, timeout time.Duration) RDAPResponse { } // Use rdap.org as a universal redirector - serverURL := fmt.Sprintf("https://rdap.org/ip/%s", ip) + serverURL := fmt.Sprintf("https://rdap.org/ip/%s", url.PathEscape(ip)) client := &http.Client{Timeout: timeout} resp, err := client.Get(serverURL) @@ -760,7 +775,7 @@ func RDAPLookupASNWithTimeout(asn string, timeout time.Duration) RDAPResponse { asnNum := strings.TrimPrefix(strings.ToUpper(asn), "AS") // Use rdap.org as a universal redirector - serverURL := fmt.Sprintf("https://rdap.org/autnum/%s", asnNum) + serverURL := fmt.Sprintf("https://rdap.org/autnum/%s", url.PathEscape(asnNum)) client := &http.Client{Timeout: timeout} resp, err := client.Get(serverURL)