net/http/pprof: disallow package to register to the default mux in Go 2 #42834

rakyll · 2020-11-25T20:06:25Z

net/http/pprof registers handlers to the default mux at init time. In order to register the handlers on a custom mux, you still have to import to package and have the debug handlers registered to the default mux. This creates the situation everyone who has a direct or transient dependency to the net/http/pprof package has the debug handles registered.

This creates security issues and long-term maintenance problems where you want to 100% avoid the use of the default mux to make sure debug endpoints are never exposed to the Internet accidentally. Instead of the current model, export a new API that registers these handlers to the default mux if users want to opt in.

(I remember seeing a similar issue but couldn't find it, filing another one but please close if it's a duplicate.)

The text was updated successfully, but these errors were encountered:

cagedmantis · 2020-12-02T16:11:24Z

/cc @rsc

cagedmantis changed the title ~~Disallow net/http/pprof to register to the default mux in Go 2~~ net/http/pprof: disallow package to register to the default mux in Go 2 Dec 2, 2020

cagedmantis added the NeedsInvestigation label Dec 2, 2020

cagedmantis added this to the Go 2 milestone Dec 2, 2020

golang / go

net/http/pprof: disallow package to register to the default mux in Go 2 #42834

net/http/pprof: disallow package to register to the default mux in Go 2 #42834

rakyll commented Nov 25, 2020

cagedmantis commented Dec 2, 2020

golang / go

net/http/pprof: disallow package to register to the default mux in Go 2 #42834

net/http/pprof: disallow package to register to the default mux in Go 2 #42834

Comments

rakyll commented Nov 25, 2020

cagedmantis commented Dec 2, 2020