Protection of sensitive business information in source code
package main

import (
	"github.com/gin-gonic/gin"
	"net/http"
)

type Employee struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

type Customer struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

func main() {
	r := gin.Default()
	// No authentication or authorization on either route: any client that can
	// reach the port receives the full record.
	r.GET("/employee", func(c *gin.Context) {
		employee := Employee{Name: "John Doe", Email: "john.doe@company.com"}
		c.JSON(http.StatusOK, employee) // encodes every exported field, Email included
	})
	r.GET("/customer", func(c *gin.Context) {
		customer := Customer{Name: "Jane Doe", Email: "jane.doe@customer.com"}
		c.JSON(http.StatusOK, customer)
	})
	r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080")
}
The above code is a minimal Go backend built on the Gin framework. It defines two routes, /employee and /customer, that return business information as JSON to anyone who requests them.

In the /employee route, an Employee struct is created with hardcoded values for Name and Email, encoded to JSON and written to the response. The /customer route does the same with a Customer struct. Nothing in either handler checks who the caller is, so the name and email address of the employee and of the customer are sent to any client that can reach port 8080.

This is a business information leak: the application exposes employee and customer details without any authorization check, and the response type is the internal record itself, so every exported field on the struct is serialized by default. Anything later added to Employee or Customer (a phone number, a salary, an internal ID) would be exposed the same way without any code change in the handlers.
package main

import (
	"github.com/gin-gonic/gin"
	"net/http"
)

type Employee struct {
	Name  string `json:"name"`
	Email string `json:"-"` // never encoded (or decoded) by encoding/json
}

type Customer struct {
	Name  string `json:"name"`
	Email string `json:"-"` // never encoded (or decoded) by encoding/json
}

func main() {
	r := gin.Default()
	r.GET("/employee", func(c *gin.Context) {
		employee := Employee{Name: "John Doe"}
		c.JSON(http.StatusOK, employee)
	})
	r.GET("/customer", func(c *gin.Context) {
		customer := Customer{Name: "Jane Doe"}
		c.JSON(http.StatusOK, customer)
	})
	r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080")
}
The updated code removes the email addresses of employees and customers from the responses. In the Employee and Customer structs, the Email field is tagged json:"-", which tells encoding/json to skip the field entirely. As a result, when Employee and Customer values are returned in the HTTP response, the Email field is not included. (The handlers also stop populating Email; the tag alone would be enough to keep it out of the output.)

Two caveats apply to this fix. First, json:"-" is a property of the struct, not of the route. It suppresses the field on decoding as well as on encoding, so if the same struct is reused to bind request bodies (for example with c.ShouldBindJSON), an email supplied by the client is silently dropped, and any other route that legitimately needs to return the email can no longer do so through this type. Second, the routes are still unauthenticated, and the remaining field, the person's name, is still personal data.

This is a simple fix for the given snippet. In a real-world application you would define dedicated response types that list exactly the fields allowed to leave the service, rather than serializing the internal record, and you would add authentication and authorization on the routes, encryption for sensitive data at rest and in transit, and logging and monitoring of unauthorized access attempts. These measures together protect the sensitive business information from being exposed.
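The following is an added example of the dedicated-response-type pattern described above, not code from the original page. It uses the standard net/http package instead of Gin so that it runs without third-party dependencies; the same projection functions and the same check would sit inside a gin.HandlerFunc. The internal record keeps its Email field untagged, a public view type exposes only the name, and an internal route returns the full record only to callers presenting a bearer token. The token constant, the route names and the sample employee are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// Employee is the internal record. It keeps the email address because other
// parts of the application need it; it is simply never encoded directly into
// an HTTP response.
type Employee struct {
	Name  string
	Email string
}

// EmployeePublic is the response type for unauthenticated callers. It lists
// exactly the fields allowed to leave the service, so a field added to
// Employee later is not exposed by accident.
type EmployeePublic struct {
	Name string `json:"name"`
}

// EmployeeInternal is the response type for authorized callers.
type EmployeeInternal struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// PublicView projects an Employee onto the public response type.
func PublicView(e Employee) EmployeePublic {
	return EmployeePublic{Name: e.Name}
}

// InternalView projects an Employee onto the internal response type.
func InternalView(e Employee) EmployeeInternal {
	return EmployeeInternal{Name: e.Name, Email: e.Email}
}

// internalToken is a hypothetical static bearer token so the example runs
// offline. A real service would validate a session or a signed token instead.
const internalToken = "example-internal-token"

// authorized reports whether the request carries the expected bearer token.
// The comparison is constant-time so the check does not leak via timing.
func authorized(r *http.Request) bool {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return false
	}
	got := []byte(strings.TrimPrefix(h, "Bearer "))
	return subtle.ConstantTimeCompare(got, []byte(internalToken)) == 1
}

func writeJSON(w http.ResponseWriter, status int, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(v)
}

// NewHandler wires the routes. The constructed sample record stands in for a
// database lookup.
func NewHandler() http.Handler {
	john := Employee{Name: "John Doe", Email: "john.doe@company.com"}

	mux := http.NewServeMux()
	// Public route: only the projected view is encoded.
	mux.HandleFunc("/employee", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			writeJSON(w, http.StatusMethodNotAllowed, map[string]string{"error": "method not allowed"})
			return
		}
		writeJSON(w, http.StatusOK, PublicView(john))
	})
	// Internal route: the full record, gated by the authorization check.
	mux.HandleFunc("/internal/employee", func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r) {
			writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
			return
		}
		writeJSON(w, http.StatusOK, InternalView(john))
	})
	return mux
}

func main() {
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewHandler()))
}
```

With this layout a reviewer can audit what leaves the service by reading the response types alone, and adding a field to Employee cannot widen the public response unless someone also adds it to EmployeePublic.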