Profiling Endpoint Exposed
| | |
| --- | --- |
| ID | go.profiling_endpoint_exposed |
| Severity | high |
| Resource | Entry Points |
| Language | Go |
| Tags | CWE:489, NIST.SP.800-53, PCI-DSS:6.5.8 |
Description
A common development practice is to add "back door" code specifically for debugging or testing purposes, not intended for deployment. When accidentally left in the application, this debug code opens the application to unintended interactions. Profiling endpoints, such as those provided by the `pprof` package in Go, are particularly at risk. This rule checks for imports of package `net/http/pprof`, whose `init` function registers handlers on `http.DefaultServeMux` that serve runtime profiling data over HTTP at paths starting with `/debug/pprof/`.
Rationale
The `pprof` package is useful during development to profile and debug applications. However, it registers handlers that expose potentially sensitive runtime data (heap and goroutine dumps, CPU profiles, the process command line, execution traces). If these endpoints are left exposed in production they create security risks: they fall outside expected operating conditions and were not considered during design or testing.
Example of incorrect exposure:

```go
package main

import (
	"log"
	"net/http"

	_ "net/http/pprof" // FLAW: imported for side effects, exposing profiling endpoints
)

func main() {
	// A nil handler means http.DefaultServeMux, on which the pprof import
	// above has already registered /debug/pprof/* during package init.
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```
In this example, the `pprof` package is imported for its side effects, which registers endpoints such as `/debug/pprof/heap` on the default mux that the server then exposes on every interface. These should not be reachable in a production environment, as they provide detailed application internals to anyone who can reach the port.
Remediation
1. Remove Profiling in Production: Ensure that imports of `pprof` are removed in production builds. Use build tags to conditionally compile profiling code only in non-production environments.
2. Restrict Access: If profiling is necessary in production, restrict access to authorized users via authentication and network segmentation (for example, serve the handlers from a separate mux bound to a loopback or management interface rather than from the public listener).
3. Use Build Tags: Conditional compilation using build tags can separate profiling code. Example using a build tag (a separate file that is compiled only with `go build -tags debug`; both the `//go:build` form and the older `// +build` form are shown, and the blank line before `package` is required for the constraint to take effect):

```go
//go:build debug
// +build debug

package main

import (
	_ "net/http/pprof" // Only included in builds with the "debug" tag
)
```

4. Regular Code Review: Implement regular code reviews to ensure that no debugging or profiling code remains in the production codebase accidentally.

By following these strategies, you can mitigate the risks associated with exposing profiling endpoints in production environments.
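The following is an added example, not code from the rule page or from Go's own documentation, showing the "Restrict Access" remediation in working form. Because importing `net/http/pprof` at all registers its handlers on `http.DefaultServeMux`, the public listener gets its own `ServeMux` (so a stray blank import elsewhere cannot leak onto it), and the profiling handlers are registered explicitly on a second mux that is bound to loopback and additionally gated by a remote-address check. The `/healthz` route, the `ENABLE_PPROF` environment variable and the port numbers are assumptions chosen for illustration; `statusFor` is a helper added so the behaviour can be checked without opening sockets.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"os"
)

// newAppMux builds the mux served on the public listener. It never touches
// http.DefaultServeMux, so pprof's init-time registrations cannot reach it.
func newAppMux() *http.ServeMux {
	mux := http.NewServeMux()
	// Assumed application route, used only for illustration.
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	})
	return mux
}

// newPprofMux registers the profiling handlers explicitly on a private mux
// instead of relying on the blank-import side effect.
func newPprofMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// loopbackOnly rejects requests whose peer address is not a loopback IP.
// Binding to 127.0.0.1 already enforces this; the check is defence in depth
// for the case where the listener address is later changed by mistake.
func loopbackOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		ip := net.ParseIP(host)
		if ip == nil || !ip.IsLoopback() {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor returns the HTTP status a handler produces for a GET of path
// arriving from remoteAddr, using an in-memory request (no network).
func statusFor(h http.Handler, path, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Public listener: application routes only, never the default mux.
	go func() {
		log.Fatal(http.ListenAndServe(":8080", newAppMux()))
	}()
	// Profiling listener: loopback-bound, gated, and only when explicitly
	// enabled (ENABLE_PPROF is an assumed switch for this example).
	if os.Getenv("ENABLE_PPROF") == "1" {
		log.Fatal(http.ListenAndServe("127.0.0.1:6060", loopbackOnly(newPprofMux())))
	}
	select {}
}
```

With this layout a request for `/debug/pprof/` on the public port is a plain 404 from the application mux, while the same path on the loopback port answers only for loopback peers and returns 403 for anything else. Authentication (a reverse proxy or an auth middleware in front of `newPprofMux`) can be layered on the same private mux without changing the public one.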
References
- CWE-489: Active Debug Code. https://cwe.mitre.org/data/definitions/489.html