How secure are go lang based HTTP Servers?

3

How secure should I consider the go lang net/http framework to be?

I understand just how broad a question this is, but I'm wondering how robust I should consider the framework itself, NOT the application built on top of it.

If I were to build the following example code, and run it on a port open to the internet, need I worry about the server being compromised?

package main

import (
    "fmt"
    "log"
    "net/http"
)

// handler echoes everything after the leading "/" of the request path.
func handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "Hi there, I love %s!", r.URL.Path[1:])
}

func main() {
    http.HandleFunc("/", handler)
    // ListenAndServe only returns on error (e.g. the port is already in use),
    // so log that error instead of silently exiting.
    log.Fatal(http.ListenAndServe(":8080", nil))
}

DonGar

Posted 2014-12-21T21:16:42.770

Reputation: 151

Question was closed 2014-12-21T22:39:57.337

As is, this question sounds almost like "How heavy is a box of hammers?" - It depends on the implementation and the libraries used. – Journeyman Geek – 2014-12-21T22:40:39.650

That's why I gave a very specific example. I fully understand that any custom app on top of the framework will have its own issues. I'm trying to understand how much confidence people have in the framework itself. – DonGar – 2014-12-24T21:55:10.470

Answers

1

In general:

It all comes down to the sophistication of the attacker. Finding a(n exploitable) bug is always a function of resources burned to find it (vs. skill of the original programmer).

You're more likely to get a bug in a lower level language than a higher level one (mainly because there are more lines to find the bug in for the lower level one); plus it's more likely to find a bug in a homegrown piece of software than in a mainstream language VM like Go, Java, etc.

To be specific:

Even though Go is still a young language, it's actively maintained by a relatively small community of skilled professionals.

So I wouldn't expect gaping holes the likes of bind, sendmail, openssl, or bash.

In any case, if I were in your shoes I wouldn't run the server without proper precautions (separate uid/gid, chroot, ulimits, limited cgroup, hardened distro) no matter what language it is written in.

Wejn

Posted 2014-12-21T21:16:42.770

Reputation: 181
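The question's snippet relies on the defaults of `http.ListenAndServe`, and the answer's advice is about what to wrap around the process. The following is an added example (not code from the question, the answer, or the Go project) showing the server-side half of that hardening in plain `net/http`: the same echo handler with an explicit `Content-Type` and `nosniff` header (the body reflects a client-controlled path), a bounded request body, an `http.Server` with the read/write/idle timeouts and header size limit that the zero-value server used by `http.ListenAndServe` leaves unset, a private `ServeMux` instead of the package-global one, and a start-up check that refuses to run as root in the spirit of the "separate uid/gid" precaution. The timeout and size values are illustrative choices, not recommendations from the page.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"os"
	"time"
)

// greeting builds the response body for a request path, keeping the
// original handler's behaviour: everything after the leading "/" is echoed.
// Handling the missing-slash case explicitly avoids relying on Path[1:].
func greeting(path string) string {
	name := path
	if len(name) > 0 && name[0] == '/' {
		name = name[1:]
	}
	return fmt.Sprintf("Hi there, I love %s!", name)
}

// handler is the original handler with an explicit content type. The body
// echoes client-controlled input, so it is declared as plain text and the
// browser is told not to sniff it into HTML.
func handler(w http.ResponseWriter, r *http.Request) {
	// Cap the request body so a client cannot make the server read unbounded data.
	r.Body = http.MaxBytesReader(w, r.Body, 1<<20) // 1 MiB, illustrative limit
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	fmt.Fprint(w, greeting(r.URL.Path))
}

// newServer wraps a handler in an http.Server with the limits that the
// zero-value server behind http.ListenAndServe does not set: without them a
// client can hold connections open indefinitely or send oversized headers.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 5 * time.Second,  // time allowed to send the request headers
		ReadTimeout:       10 * time.Second, // time allowed to send the whole request
		WriteTimeout:      10 * time.Second, // time allowed to consume the response
		IdleTimeout:       60 * time.Second, // idle keep-alive connections are dropped
		MaxHeaderBytes:    64 << 10,         // 64 KiB of headers; illustrative
	}
}

// checkNotRoot is the in-process counterpart of the "separate uid/gid"
// advice: the effective UID is passed in so the policy can be tested.
func checkNotRoot(euid int) error {
	if euid == 0 {
		return errors.New("refusing to run as root; start under a dedicated unprivileged user")
	}
	return nil
}

func main() {
	if err := checkNotRoot(os.Geteuid()); err != nil {
		log.Fatal(err)
	}
	// A private mux: DefaultServeMux is shared with every imported package
	// that registers handlers on it (e.g. net/http/pprof).
	mux := http.NewServeMux()
	mux.HandleFunc("/", handler)
	srv := newServer(":8080", mux)
	log.Fatal(srv.ListenAndServe())
}
```

The OS-level precautions the answer lists (chroot, ulimits, cgroups, a hardened distribution) still belong outside the binary; this block only removes the framework defaults that an exposed service should not rely on.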