Insecure Direct Object Reference in Chi

Chi's routing architecture creates unique IDOR vulnerabilities through its parameter binding and handler chaining patterns. The framework's lightweight middleware stack means developers must explicitly validate object ownership at each layer, creating opportunities for subtle authorization bypasses.

The most common Chi IDOR pattern emerges in REST endpoints where route parameters directly map to database queries without ownership verification. Consider a typical Chi user profile endpoint:

func getUserProfile(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    userID := vars["id"]
    
    // Vulnerable: No ownership check
    user, err := db.GetUserByID(userID)
    if err != nil {
        http.Error(w, "User not found", http.StatusNotFound)
        return
    }
    
    json.NewEncoder(w).Encode(user)
}

r := chi.NewRouter()
r.Get("/api/users/{id}", getUserProfile)

This pattern becomes particularly dangerous in Chi applications because the framework's context passing makes it easy to chain handlers without realizing authorization gaps. A common anti-pattern involves middleware that sets user context but fails to validate access rights:

func WithUser(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        // Sets user from token
        user := getCurrentUser(r)
        ctx := context.WithValue(r.Context(), "user", user)
        next.ServeHTTP(w, r.WithContext(ctx))
    })
}

// Missing: validation that user can access requested resource
r := chi.NewRouter()
r.Use(WithUser)
r.Get("/api/users/{id}", getUserProfile)

Chi's path parameter binding creates additional risks when combined with database operations. The framework's URL parameter parsing doesn't distinguish between numeric IDs and other types, allowing attackers to manipulate query parameters:

// Vulnerable to SQL injection via IDOR
func getDocument(w http.ResponseWriter, r *http.Request) {
    id := chi.URLParam(r, "id")
    doc, err := db.QueryRow("SELECT * FROM documents WHERE id = $1", id)
    
    // No check that requesting user owns this document
    json.NewEncoder(w).Encode(doc)
}

Property-level IDOR vulnerabilities are especially prevalent in Chi applications managing multi-tenant data. Without proper scoping, endpoints can expose data across tenant boundaries:

func getTenantData(w http.ResponseWriter, r *http.Request) {
    tenantID := chi.URLParam(r, "tenant_id")
    
    // Vulnerable: assumes tenantID matches authenticated user's tenant
    data, err := db.GetTenantData(tenantID)
    json.NewEncoder(w).Encode(data)
}

r.Get("/api/tenants/{tenant_id}/data", getTenantData)

Chi's middleware composition model can obscure authorization logic when handlers are nested. Developers often assume upstream middleware handles all security concerns:

func RequireAuth(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        // Only checks authentication, not authorization
        if !isAuthenticated(r) {
            http.Error(w, "Unauthorized", http.StatusUnauthorized)
            return
        }
        next.ServeHTTP(w, r)
    })
}

// Vulnerable: authenticated ≠ authorized
r.Use(RequireAuth)
r.Get("/api/users/{id}/settings", userSettingsHandler)

Detecting IDOR vulnerabilities in Chi applications requires understanding both the framework's routing patterns and common anti-patterns. Static analysis can identify risky parameter handling, but runtime scanning with middleBrick reveals actual exploitation paths.

middleBrick's Chi-specific detection examines route definitions and parameter binding patterns. The scanner analyzes your OpenAPI spec (if available) alongside runtime behavior to identify endpoints where object IDs flow directly to database queries without authorization checks.

Key detection patterns middleBrick looks for in Chi applications:

• Route parameters that map directly to database IDs without ownership validation
• Missing tenant scoping in multi-tenant applications
• Unprotected CRUD operations on user-owned resources
• Parameter types that allow ID manipulation (numeric IDs, UUIDs)
• Middleware chains that only handle authentication, not authorization

middleBrick's black-box scanning approach is particularly effective for Chi applications because it tests the actual API surface without requiring source code access. The scanner attempts authenticated and unauthenticated access to various ID permutations, revealing whether object boundaries are properly enforced.

Manual detection techniques for Chi IDOR include:

// Static analysis: identify risky patterns
func analyzeIDORRisks(router *chi.Mux) {
    // Look for handlers with ID parameters
    router.Walk(func(method string, route string, handler http.Handler, middlewares ...func(http.Handler) http.Handler) error {
        if strings.Contains(route, "{") {
            // This route has parameters - check for authorization
            // Look for patterns like /users/{id}, /documents/{doc_id}
        }
        return nil
    })
}

Runtime testing involves systematically testing parameter manipulation:

func testIDOR(router *chi.Mux, currentUser User) {
    // Test incrementing IDs to find accessible objects
    for i := 1; i <= 100; i++ {
        // Try accessing user profiles with sequential IDs
        testEndpoint("/api/users/" + strconv.Itoa(i), currentUser)
        
        // Try accessing documents with sequential IDs
        testEndpoint("/api/documents/" + strconv.Itoa(i), currentUser)
    }
    
    // Test tenant boundary violations
    testEndpoint("/api/tenants/999/data", currentUser)
}

middleBrick automates these detection patterns across your entire API surface in seconds, providing a security score and specific findings with remediation guidance. The scanner's parallel processing tests multiple ID permutations simultaneously, uncovering IDOR vulnerabilities that manual testing might miss.

Remediating IDOR vulnerabilities in Chi applications requires implementing proper authorization checks at the handler level. The most effective approach combines role-based access control with resource ownership verification.

The core remediation pattern involves validating that the authenticated user has rights to access the requested resource:

func getUserProfile(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    requestedID := vars["id"]
    
    // Get authenticated user from context
    currentUser := r.Context().Value("user").(User)
    
    // Verify ownership before accessing data
    if currentUser.ID != requestedID && !currentUser.IsAdmin {
        http.Error(w, "Access denied", http.StatusForbidden)
        return
    }
    
    user, err := db.GetUserByID(requestedID)
    if err != nil {
        http.Error(w, "User not found", http.StatusNotFound)
        return
    }
    
    json.NewEncoder(w).Encode(user)
}

For multi-tenant applications, tenant scoping must be enforced at the database query level:

func getTenantData(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    tenantID := vars["tenant_id"]
    
    currentUser := r.Context().Value("user").(User)
    
    // Verify tenant membership
    if currentUser.TenantID != tenantID && !currentUser.IsAdmin {
        http.Error(w, "Access denied", http.StatusForbidden)
        return
    }
    
    // Query with tenant scoping
    data, err := db.Query("SELECT * FROM tenant_data WHERE tenant_id = $1", tenantID)
    json.NewEncoder(w).Encode(data)
}

Chi's middleware system can be leveraged to centralize authorization logic:

func AuthorizeResource(resourceType string, resourceID string) func(http.Handler) http.Handler {
    return func(next http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            currentUser := r.Context().Value("user").(User)
            
            // Central authorization check
            if !canAccessResource(currentUser, resourceType, resourceID) {
                http.Error(w, "Access denied", http.StatusForbidden)
                return
            }
            
            next.ServeHTTP(w, r)
        })
    }
}

// Usage in route definitions
r.Get("/api/users/{id}/settings", 
    AuthorizeResource("user", chi.URLParam(r, "id")),
    userSettingsHandler)

For property-level authorization, implement granular access controls:

func getProperty(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    propertyID := vars["property_id"]
    
    currentUser := r.Context().Value("user").(User)
    
    // Check if user owns this property or has explicit access
    if !userOwnsProperty(currentUser.ID, propertyID) && !currentUser.IsAdmin {
        http.Error(w, "Access denied", http.StatusForbidden)
        return
    }
    
    property, err := db.GetPropertyByID(propertyID)
    if err != nil {
        http.Error(w, "Property not found", http.StatusNotFound)
        return
    }
    
    json.NewEncoder(w).Encode(property)
}

middleBrick's remediation guidance specifically addresses Chi's patterns, recommending the use of middleware for cross-cutting authorization concerns and providing code examples tailored to Chi's routing conventions. The scanner's findings include severity ratings and step-by-step remediation instructions for each identified vulnerability.