Time Of Check Time Of Use in Fiber
How Time Of Check Time Of Use Manifests in Fiber
Time Of Check Time Of Use (TOCTOU) vulnerabilities in Fiber applications occur when an application checks a resource's state before using it, but the state changes between the check and the use. This race condition creates windows where attackers can exploit the gap between validation and execution.
In Fiber applications, TOCTOU commonly appears in file operations, database transactions, and authorization checks. Consider a file upload endpoint that validates a file's MIME type before processing it. Between the validation check and the actual processing, an attacker could swap the file with malicious content.
app.Post("/upload", func(c *fiber.Ctx) error {
file, err := c.FormFile("file")
if err != nil {
return c.Status(400).SendString("No file uploaded")
}
// TOCTOU vulnerability: checking file type before processing
if file.Header.Get("Content-Type") != "image/jpeg" {
return c.Status(400).SendString("Invalid file type")
}
// Race condition: file could be swapped before Save() executes
return c.SaveFile(file, fmt.Sprintf("/uploads/%s", file.Filename))
})Another Fiber-specific TOCTOU scenario involves concurrent database operations. When checking user permissions before performing an action, the user's role might change between the check and the operation:
app.Post("/admin/delete-user", func(c *fiber.Ctx) error {
userID := c.FormValue("user_id")
// TOCTOU vulnerability: permission check before deletion
user := getUserFromDB(userID)
if user.Role != "admin" {
return c.Status(403).SendString("Unauthorized")
}
// User role could change before deletion executes
return deleteUserFromDB(userID)
})Session-based TOCTOU attacks in Fiber often target authentication state changes. An application might check if a session is valid, then perform sensitive operations, but the session could expire or be invalidated during the processing window.
Fiber-Specific Detection
Detecting TOCTOU vulnerabilities in Fiber applications requires both static analysis and runtime testing. middleBrick's black-box scanning approach is particularly effective for identifying TOCTOU race conditions without requiring source code access.
middleBrick scans Fiber endpoints by submitting concurrent requests that manipulate timing between validation and execution. For file upload endpoints, it tests whether changing file properties between the initial check and final processing can bypass validation. The scanner identifies endpoints vulnerable to race conditions by analyzing response patterns and timing variations.
Key detection patterns for Fiber applications include:
- Concurrent request testing: Submitting multiple requests to the same endpoint with slight timing variations to observe state changes
- State validation checks: Verifying that resource states remain consistent between check and use operations
- Authorization bypass attempts: Testing whether permission changes between validation and execution can be exploited
- Session timing analysis: Checking for vulnerabilities related to session state changes during processing
For development teams working with Fiber, integrating middleBrick's CLI tool provides continuous TOCTOU detection:
middlebrick scan http://localhost:3000/api/upload \
--concurrent 5 \
--timeout 30 \
--output jsonThe scanner's LLM/AI security features also detect TOCTOU patterns in AI-powered Fiber applications, where model state or prompt injection timing can create exploitation windows.
Fiber-Specific Remediation
Remediating TOCTOU vulnerabilities in Fiber applications requires atomic operations and proper synchronization. The most effective approach is to combine validation and execution into a single atomic operation that cannot be interrupted.
For file operations, use Fiber's built-in file handling with atomic operations:
app.Post("/upload", func(c *fiber.Ctx) error {
file, err := c.FormFile("file")
if err != nil {
return c.Status(400).SendString("No file uploaded")
}
// Atomic operation: validate and save in single step
if !isValidImage(file) {
return c.Status(400).SendString("Invalid file type")
}
// Use atomic file operations with temporary naming
tempPath := "/uploads/.temp/" + file.Filename
finalPath := "/uploads/" + file.Filename
if err := c.SaveFile(file, tempPath); err != nil {
return c.Status(500).SendString("Upload failed")
}
// Atomic rename operation
if err := os.Rename(tempPath, finalPath); err != nil {
return c.Status(500).SendString("Upload failed")
}
return c.SendString("Upload successful")
})For database operations, use transactions to ensure atomicity:
app.Post("/admin/delete-user", func(c *fiber.Ctx) error {
userID := c.FormValue("user_id")
// Atomic transaction: check permissions and delete in one operation
tx := db.Begin()
defer tx.Rollback()
var user User
if err := tx.First(&user, userID).Error; err != nil {
return c.Status(404).SendString("User not found")
}
if user.Role != "admin" {
return c.Status(403).SendString("Unauthorized")
}
if err := tx.Delete(&user).Error; err != nil {
return c.Status(500).SendString("Deletion failed")
}
if err := tx.Commit().Error; err != nil {
return c.Status(500).SendString("Transaction failed")
}
return c.SendString("User deleted successfully")
})Session-based TOCTOU protection in Fiber involves using atomic session operations and immediate validation:
app.Get("/sensitive-data", func(c *fiber.Ctx) error {
// Atomic session validation and data retrieval
session := c.Locals("session").(*Session)
if !session.IsValid() {
return c.Status(403).SendString("Session expired")
}
// Perform operation immediately after validation
data, err := getSensitiveData(session.UserID)
if err != nil {
return c.Status(500).SendString("Error retrieving data")
}
return c.JSON(data)
})For comprehensive protection, integrate middleBrick's continuous monitoring to detect TOCTOU vulnerabilities in production Fiber applications. The Pro plan's scheduled scanning can identify race conditions that emerge from concurrent user activity patterns.