gitlab.gosec.G104-1.G107-1
unknown
Download Count*
License
Url provided to HTTP request as taint input
Run Locally
Run in CI
Defintion
rules:
- id: gosec.G104-1.G107-1
patterns:
- pattern-either:
- patterns:
- pattern: http.Get($URL)
- pattern-not: http.Get("...")
- patterns:
- pattern: http.Head($URL)
- pattern-not: http.Head("...")
- patterns:
- pattern: http.Post($URL, ...)
- pattern-not: http.Post("...", ...)
- patterns:
- pattern: http.PostForm($URL, ...)
- pattern-not: http.PostForm("...", ...)
- patterns:
- pattern-inside: |
$REQ, ... := http.NewRequest(..., url, ...)
...
$CLIENT := &http.Client{...}
...
- pattern: $CLIENT.Do($REQ)
- patterns:
- pattern-not-inside: |
const $X = "..."
...
- pattern-not-inside: |
var $Y string = "..."
...
$X = $Y
...
- pattern-not-inside: |
$Y := "..."
...
$X = $Y
...
- pattern: http.Get($X)
message: |
Url provided to HTTP request as taint input
metadata:
cwe: "CWE-88: Improper Neutralization of Argument Delimiters in a Command"
license: MIT
severity: WARNING
languages:
- go
Short Link: https://sg.run/Y8vd