Formula Injection in Gin with Hmac Signatures

Formula Injection occurs when an attacker can control part of a formula or expression that is later evaluated, often in server-side templates or query languages. In the Go web framework Gin, this risk appears when application logic builds queries, file paths, or system commands using untrusted input, even when an HMAC signature is used for request authentication.

HMAC signatures in Gin are commonly implemented to verify integrity and authenticity of requests, for example by signing a subset of request parameters or a canonical string. If the server uses the signature to authorize a sensitive operation but then incorporates untrusted data into a formula or command, an attacker can supply malicious payloads that bypass signature checks while still achieving injection. A typical pattern is signing a token containing user identity or role, then using that token to decide access without further validation of the data used in the formula.

Consider a Gin handler that accepts price, quantity, and a signed discount_token. The server verifies the HMAC, extracts the claimed user role, and then computes a final price using a formula expressed as a string or via arithmetic on untrusted inputs. If the formula is constructed by concatenating user values directly, an attacker can inject operators or function calls that change the evaluation outcome. Even when the HMAC is valid, the server may trust the computed result because it assumes the signature guarantees safety, but the signature only covers the token, not the dynamic formula content.

In API parameter handling, Formula Injection can also occur when query parameters are used to build database queries or shell commands. For example, a Gin route might accept filter values and an HMAC to prevent tampering, but if the filter values are interpolated into a raw query string or into a JSONPath expression, the attacker can manipulate the resulting structure. The HMAC prevents unauthorized clients from submitting valid signatures, but it does not prevent a signed request from carrying malicious payloads that exploit injection logic.

Real-world attack patterns include attempts to manipulate pricing calculations, escalate privileges via injected roles embedded in signed tokens, or coerce the server into accessing unintended resources through path traversal patterns constructed from signed but not sanitized inputs. These scenarios map to OWASP API Top 10 categories such as Broken Object Level Authorization and Injection, and may align with real CVE patterns involving logic flaws where trust is incorrectly attributed to a signature without validating downstream usage.

To detect such issues, scanning tools evaluate whether HMAC verification is followed by unsafe use of untrusted data in evaluative contexts. They check whether input validation, type constraints, and output encoding are applied before the formula is executed, and whether the signature scope explicitly covers the data used in the computation. Without these safeguards, a valid HMAC does not prevent Formula Injection in Gin.

Remediation focuses on ensuring that HMAC signatures protect the integrity of verifiable components while untrusted data is never directly embedded into executable formulas. In Gin, implement strict separation between authenticated metadata and dynamic values, and apply canonicalization and validation before using any input in arithmetic or query construction.

First, define a clear canonical string for the HMAC that includes only the fields needed for authentication, such as user ID or a nonce, and exclude any data used later in formula evaluation. Verify the signature before parsing the request, and store the authenticated claims in a typed structure rather than relying on raw concatenated strings.

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "net/http"
    "strconv"
    "strings"

    "github.com/gin-gonic/gin"
)

func verifyHMAC(c *gin.Context) bool {
    token := c.Query("token")
    receivedMAC := c.Query("hmac")
    key := []byte("super-secret-key")

    mac := hmac.New(sha256.New, key)
    mac.Write([]byte(token))
    expectedMAC := hex.EncodeToString(mac.Sum(nil))

    return hmac.Equal([]byte(expectedMAC), []byte(receivedMAC))
}

func safePriceHandler(c *gin.Context) {
    if !verifyHMAC(c) {
        c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid signature"})
        c.Abort()
        return
    }

    token := c.Query("token")
    // Parse token to extract claims, e.g., userID
    userID := extractUserIDFromToken(token)

    priceStr := c.Query("price")
    qtyStr := c.Query("quantity")

    price, err := strconv.ParseFloat(priceStr, 64)
    if err != nil {
        c.JSON(http.StatusBadRequest, gin.H{"error": "invalid price"})
        c.Abort()
        return
    }
    qty, err := strconv.Atoi(qtyStr)
    if err != nil {
        c.JSON(http.StatusBadRequest, gin.H{"error": "invalid quantity"})
        c.Abort()
        return
    }

    // Safe arithmetic, no formula injection from untrusted sources
    total := price * float64(qty)
    c.JSON(http.StatusOK, gin.H{"user_id": userID, "total": total})
}

func extractUserIDFromToken(token string) string {
    // Example: token format userID:nonce, validate structure
    parts := strings.Split(token, ":")
    if len(parts) != 2 {
        return "unknown"
    }
    return parts[0]
}

Second, avoid building executable formulas from concatenated input. If a calculation requires dynamic coefficients, map them through a controlled lookup rather than interpreting strings as code or arithmetic expressions. For JSON-based APIs, validate numeric fields against defined ranges and reject unexpected operators or delimiters that could alter evaluation order.

Third, apply output encoding when the result of a computation is rendered in contexts such as JSON or HTML. While Gin’s c.JSON helps prevent many injection vectors, ensuring that floating-point values are serialized consistently reduces risk of parser-level injection in downstream consumers.

Finally, use the middleBrick CLI to scan your Gin endpoints and verify that HMAC-protected routes are not vulnerable to Formula Injection. Run middlebrick scan <url> to get a security risk score and prioritized findings, including checks related to input validation and authentication scope. The dashboard and GitHub Action integrations can help you track these issues over time and fail CI/CD pipelines when new risks are detected.