Bug: Accessible Swagger Path without Required API Key

[yusufmeteyilmaz]

Description:

The current implementation of the API authorization logic checks for the presence of the exact word "swagger" in the request path to determine if an API key is required. However, this check can be easily bypassed by altering the capitalization of the word. For example, accessing "/Swagger/index.html" instead of "/swagger/index.html" allows unauthorized access without providing the required API key.

Example:

• Accessing https://backend.gonullu.io/swagger/index.html requires an API key for authorization.
  
• Accessing https://backend.gonullu.io/Swagger/index.html (with altered capitalization) grants access without requiring an API key.
  
  
  

Steps to reproduce:

1. Attempt to access "https://backend.gonullu.io/swagger/index.html" without providing an API key.
2. You will notice that access is denied, indicating that the API key is required.
3. Access "https://backend.gonullu.io/Swagger/index.html" (note the altered capitalization).
4. Observe that access is granted without requiring an API key.

Impact:

Although the current vulnerability may not pose a significant security risk right now, it has the potential to cause future issues if an important file or resource is exposed within the "/swagger/" directory. This could allow unauthorized individuals to access sensitive information or exploit the exposed resources for malicious purposes.

Vulnerable code part:

if strings.Contains(ctx.Path(), "pprof") || strings.Contains(ctx.Path(), "swagger") || restrictedMethod {
			apiKeyNeeded = true
		}

Link: https://github.com/acikkaynak/musahit-harita-backend/blob/3e109cfb09da43b858c62f91fb282ef89fcdcc94/middleware/auth/auth.go
Line: 25

[9ssi7]

I'm working on it