gitlab.gosec.G107-1
Url provided to HTTP request as taint input
Definition
rules:
- id: gosec.G107-1
  patterns:
  - pattern-either:
    - patterns:
      - pattern: http.Get($URL)
      - pattern-not: http.Get("...")
    - patterns:
      - pattern: http.Head($URL)
      - pattern-not: http.Head("...")
    - patterns:
      - pattern: http.Post($URL, ...)
      - pattern-not: http.Post("...", ...)
    - patterns:
      - pattern: http.PostForm($URL, ...)
      - pattern-not: http.PostForm("...", ...)
    - patterns:
      - pattern-inside: |
          $REQ, ... := http.NewRequest(..., url, ...)
          ...
          $CLIENT := &http.Client{...}
          ...
      - pattern: $CLIENT.Do($REQ)
    - patterns:
      - pattern-not-inside: |
          const $X = "..."
          ...
      - pattern-not-inside: |
          var $Y string = "..."
          ...
          $X = $Y
          ...
      - pattern-not-inside: |
          $Y := "..."
          ...
          $X = $Y
          ...
      - pattern: http.Get($X)
  message: |
    Url provided to HTTP request as taint input
  metadata:
    cwe: "CWE-88: Improper Neutralization of Argument Delimiters in a Command"
    primary_identifier: gosec.G107-1
    secondary_identifiers:
    - name: Gosec Rule ID G107
      type: gosec_rule_id
      value: G107
    license: MIT
  severity: WARNING
  languages:
  - go

Short Link: https://sg.run/rDQj
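As an added illustration, not part of the rule above nor of GitLab's or gosec's own code, the Go below shows the call shape this rule reports (an http.Get whose argument is a variable rather than a string literal) and a validation step that confines the destination to an allow-listed https host before the request is issued; allowedHosts and the function names are assumptions made for this example:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Hosts this service may fetch from (constructed for this example).
var allowedHosts = map[string]bool{"api.example.com": true}

// fetchUnchecked is the shape gosec.G107-1 flags: the target is a variable,
// so the rule cannot tell whether it is attacker-controlled.
func fetchUnchecked(target string) (*http.Response, error) {
	return http.Get(target) // flagged by gosec.G107-1
}

// validateTarget accepts only https URLs to an allow-listed host, with no userinfo and no non-standard port.
func validateTarget(target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", errors.New("scheme must be https")
	}
	if u.User != nil {
		return "", errors.New("userinfo is not allowed")
	}
	if p := u.Port(); p != "" && p != "443" {
		return "", fmt.Errorf("port %q is not allowed", p)
	}
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return "", fmt.Errorf("host %q is not in the allowlist", host)
	}
	return u.String(), nil
}

// fetchChecked requests only a validated URL. The rule still matches
// http.Get on a variable here, so the finding is triaged, not silenced.
func fetchChecked(target string) (*http.Response, error) {
	safe, err := validateTarget(target)
	if err != nil {
		return nil, err
	}
	return http.Get(safe)
}
```

Note that the rule's own exclusions only cover constants and string-literal variables, so a call like fetchChecked still appears in the report and is closed out during triage with reference to the validation.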