Exploiting Parameter Pollution in Golang Web Apps

We discussed this vulnerability during Episode 191 on 27 February 2023

A desync between the parameter the authorization check reads, and the value the actual action reads. Leading to an attacker being able to access resources that would have been denied normally.

In Concourse CI, thecheckAuthoriztionhandler will read the a team name value from the URL explicitly using a call to:


On its own this is fine, is presumably does the appropiate authorization checks here to ensure the user is allowed to access this team and perform whatever action they are attempting. Later on, in the pipelineScopedHandler function the team name is parsed again. This time using:

teamName := r.FormValue(":team_name")

In this case, the :team_name parameter in the POST or PUT body (if any) would be given priority over the one in the URL. An attacker could abuse this difference to provide a team name they are authorized to access in teh URL, while accessing a different team’s pipelines in the actual handler.