Command Injection in Gorilla Mux with Basic Auth

Command Injection occurs when untrusted input is passed to a system command without proper validation or escaping. In a Gorilla Mux router, routes are typically defined with path or query parameters that can be dynamically used in backend logic. When Basic Auth is used, developers sometimes extract the username or password from the request context and inadvertently pass these values into shell commands or external executables. This combination is risky because authentication data, which is often assumed to be safe, becomes an attack vector.

Consider a handler that uses the os/exec package to run a system command incorporating values from the request, such as a username extracted via Basic Auth. If input is not sanitized, an attacker can supply crafted credentials containing shell metacharacters (e.g., ;, &, |, `) to execute arbitrary commands on the host. For example, a username like admin;id could cause the command to run additional processes. The router itself does not introduce the flaw, but the way handlers are written in combination with Basic Auth credential extraction enables the injection.

Gorilla Mux provides route variables and headers, which can be used to construct command arguments. If a handler uses mux.Vars(request) to obtain an identifier and merges it with credentials from Basic Auth parsing to build a command line, the lack of input validation can lead to Command Injection. This is especially dangerous when the handler is also responsible for authentication, as the credentials are processed in the same request lifecycle. Attackers may probe endpoints using crafted Authorization headers to test for injection behavior, and findings may map to the OWASP API Top 10 category of Broken Object Level Authorization (BOLA) when access control logic is intertwined with command execution.

Real-world patterns include using credentials to call external binaries for logging or provisioning tasks. For instance, a handler might invoke an external utility to validate a token, embedding the Basic Auth password as an argument. Without proper escaping, this becomes exploitable. The scanner’s checks for Input Validation and Unsafe Consumption can detect signs of dangerous command construction, and findings may reference known attack patterns such as shell injection as described in CVE examples involving improper use of exec functions.

Because middleBrick scans the unauthenticated attack surface, it can identify endpoints that accept Basic Auth headers and inspect how those values are used in downstream logic. The tool does not execute exploits but highlights risky code paths where credentials flow into system-level operations. Developers should review handler implementations that combine authentication parsing with external command invocation to ensure inputs are validated and commands are constructed safely.

Remediation focuses on ensuring that credentials and any values derived from them are never directly interpolated into shell commands. Use standard library functions for command construction, avoid shell interpretation, and validate all input. Below are concrete examples of insecure and secure patterns in a Gorilla Mux handler using Basic Auth.

Insecure example where a Basic Auth password is passed directly to a shell command:

// DO NOT DO THIS
func handler(w http.ResponseWriter, r *http.Request) {
    user, pass, ok := r.BasicAuth()
    if !ok {
        http.Error(w, "Unauthorized", http.StatusUnauthorized)
        return
    }
    cmd := exec.Command("sh", "-c", "echo "+pass)
    cmd.Stdout = os.Stdout
    cmd.Run()
}

In this example, the password is concatenated into a shell command, making it vulnerable to Command Injection. An attacker controlling the password can execute arbitrary commands.

Secure remediation using exec.Command with explicit arguments and no shell:

func handler(w http.ResponseWriter, r *http.Request) {
    user, pass, ok := r.BasicAuth()
    if !ok {
        http.Error(w, "Unauthorized", http.StatusUnauthorized)
        return
    }
    // Use exec.Command without a shell, passing arguments directly
    cmd := exec.Command("echo", pass)
    var out bytes.Buffer
    cmd.Stdout = &out
    err := cmd.Run()
    if err != nil {
        http.Error(w, "Internal error", http.StatusInternalServerError)
        return
    }
    w.Write(out.Bytes())
}

This approach avoids the shell entirely by passing the password as a direct argument. The command and arguments are provided as a slice, preventing the interpreter from parsing metacharacters. It is also recommended to validate the format of credentials before use, for example by checking that the password matches an expected pattern and does not contain shell metacharacters.

When building dynamic commands, prefer explicit argument lists over string concatenation. If logging or external tooling is required, use parameterized APIs or structured input rather than embedding credentials in command strings. middleBrick’s CLI tool can be used to scan endpoints with Basic Auth headers and report on risky patterns, while the GitHub Action can enforce checks in CI/CD pipelines to prevent insecure code from reaching production.