Llm Data Leakage in Gorilla Mux with Hmac Signatures

LLM data leakage in a Gorilla Mux context with HMAC signatures occurs when responses containing sensitive model output or system prompts are exposed through endpoints that incorrectly validate or trust HMAC-based authentication. Gorilla Mux is a common HTTP request multiplexer for Go services, often used to route API calls to backend handlers that may invoke LLM providers. If an endpoint relies solely on HMAC signatures for integrity without also enforcing proper authorization and context isolation, an attacker may be able to force the service to return LLM responses that should be restricted.

Consider an API route registered with Gorilla Mux that accepts a prompt, forwards it to an LLM, and returns the completion. If the route uses HMAC signatures to verify that the request originates from a trusted source (e.g., a frontend or service), but does not validate the identity or scope of the caller beyond the signature, an attacker might chain a valid HMAC-signed request with prompt injection or insecure routing to elicit training data, system instructions, or private metadata from the LLM response. This is a form of LLM data leakage: sensitive information embedded in model outputs or system prompts that should not be surfaced to unauthorized callers is returned because the application conflates request authenticity with authorization.

In practice, leakage can happen when HMAC verification is performed before authorization checks, or when the same HMAC key is shared across multiple roles without scoping. For example, a handler might verify the HMAC, then directly pass user-controlled parameters into a prompt template used for LLM calls. If the prompt is crafted to trigger a system prompt or training-data extraction via techniques like those in the LLM/AI Security checks (system prompt leakage detection or active prompt injection probes), the response may unintentionally reveal internal instructions or data. Because Gorilla Mux does not enforce application-level authorization, the presence of a valid HMAC does not guarantee the caller is permitted to access the LLM response content, creating a path for data exposure.

Additionally, if logs or error messages reflecting LLM outputs are stored or returned with insufficient redaction, HMAC-signed requests can amplify the risk: a valid signature may be reused to replay requests that trigger verbose error messages containing PII, API keys, or executable code snippets from LLM responses. This aligns with the scanner’s output checks for PII and credentials in LLM outputs. Without scoping the HMAC usage to specific operations or tenants, an attacker who obtains a valid signature might iterate over endpoints or parameters to harvest sensitive model outputs.

To summarize, the combination of Gorilla Mux routing, HMAC signatures for integrity, and LLM endpoints can lead to LLM data leakage when authorization and isolation are assumed from authentication alone. The scanner’s LLM/AI Security checks, such as system prompt leakage detection and output scanning, are designed to surface these risks by identifying exposed instructions or sensitive data in responses, while findings map to relevant parts of the OWASP API Top 10 and common compliance frameworks.

Remediation focuses on ensuring HMAC signatures are used for integrity and replay protection, while authorization and tenant scoping are enforced separately in Gorilla Mux handlers. Do not rely on HMAC verification alone to determine whether a caller may access LLM outputs. Apply least-privilege routing, validate input, and scope keys to operations or tenants.

Example 1: Scoped HMAC verification with explicit authorization. Use per-tenant or per-operation keys, and check roles after signature validation before invoking the LLM handler.

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "net/http"
    "strings"

    "github.com/gorilla/mux"
)

func verifyHmac(key, message, receivedMAC string) bool {
    mac := hmac.New(sha256.New, []byte(key))
    mac.Write([]byte(message))
    expected := hex.EncodeToString(mac.Sum(nil))
    return hmac.Equal([]byte(expected), []byte(receivedMAC))
}

func handlerTenantA(w http.ResponseWriter, r *http.Request) {
    // In practice, derive key per tenant/operation; do not use a global key.
    tenantKey := "tenant-a-specific-key"
    payload := r.Header.Get("X-Payload")
    receivedMAC := r.Header.Get("X-Hmac-Signature")
    if !verifyHmac(tenantKey, payload, receivedMAC) {
        http.Error(w, "invalid signature", http.StatusUnauthorized)
        return
    }
    // Perform tenant- and role-based authorization here, not just HMAC check.
    userRole := r.Header.Get("X-User-Role")
    if userRole != "assistant" {
        http.Error(w, "forbidden", http.StatusForbidden)
        return
    }
    vars := mux.Vars(r)
    prompt := vars["prompt"]
    // Call LLM safely with scoped context; avoid echoing raw system prompts.
    response, err := callLLMForTenantA(prompt)
    if err != nil {
        http.Error(w, "internal error", http.StatusInternalServerError)
        return
    }
    w.Write([]byte(response))
}

func callLLMForTenantA(prompt string) (string, error) {
    // Replace with actual LLM invocation logic; ensure no system prompt leakage.
    return "response for: " + prompt, nil
}

Example 2: Middleware approach for route-level scoping in Gorilla Mux. Attach tenant/operation identifiers early and enforce checks in a centralized handler.

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "net/http"

    "github.com/gorilla/mux"
)

func hmacMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        tenantID := mux.Vars(r)["tenant"]
        key := getKeyForTenant(tenantID)
        payload := r.Header.Get("X-Payload")
        receivedMAC := r.Header.Get("X-Hmac-Signature")
        if !verifyHmac(key, payload, receivedMAC) {
            http.Error(w, "invalid signature", http.StatusUnauthorized)
            return
        }
        // Attach tenant context for downstream handlers.
        ctx := context.WithValue(r.Context(), "tenant", tenantID)
        next.ServeHTTP(w, r.WithContext(ctx))
    })
}

func getKeyForTenant(tenantID string) string {
    // Map tenant to a scoped key; in production use a secure store.
    keys := map[string]string{
        "tenant-a": "tenant-a-specific-key",
        "tenant-b": "tenant-b-specific-key",
    }
    return keys[tenantID]
}

func verifyHmac(key, message, receivedMAC string) bool {
    mac := hmac.New(sha256.New, []byte(key))
    mac.Write([]byte(message))
    expected := hex.EncodeToString(mac.Sum(nil))
    return hmac.Equal([]byte(expected), []byte(receivedMAC))
}

func safeLLMHandler(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    prompt := vars["prompt"]
    // Use tenant from context set by middleware.
    tenant := r.Context().Value("tenant").(string)
    // Validate input and apply tenant-specific policies.
    if prompt == "" {
        http.Error(w, "missing prompt", http.StatusBadRequest)
        return
    }
    response, err := callLLM(tenant, prompt)
    if err != nil {
        http.Error(w, "internal error", http.StatusInternalServerError)
        return
    }
    w.Write([]byte(response))
}

func callLLM(tenant, prompt string) (string, error) {
    // Implement tenant-aware LLM calls; avoid returning raw system prompts.
    return "response for tenant " + tenant + ": " + prompt, nil
}

Key practices: rotate and scope HMAC keys per operation or tenant, verify signatures before decoding business context, enforce role-based authorization after authentication, avoid reflecting raw system prompts or error details that may contain PII or API keys, and use the scanner’s continuous monitoring to detect regressions. The Pro plan’s GitHub Action can enforce a maximum risk score in CI/CD, while the MCP Server allows on-demand scans from your IDE to catch issues early.