go.lang.security.audit.crypto.bad_imports.insecure-module-used
The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.
Definition
rules:
  - id: insecure-module-used
    # Fires on any call made through the `cgi` package identifier in a file
    # that imports net/http/cgi. The inner pattern is anchored on the literal
    # `cgi.` prefix, so an aliased import (import x "net/http/cgi") would
    # presumably slip past this rule as written — verify before relying on it.
    message: The package `net/http/cgi` is on the import blocklist. The package is
      vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use
      `net/http` or a web framework to build a web application instead.
    metadata:
      # NOTE(review): the OWASP categories, the CWE entry and the sha3 reference
      # below all describe cryptographic weaknesses, while this rule is about
      # net/http/cgi and httpoxy (proxy-header injection via the HTTP_PROXY
      # environment variable). The classification looks copied from a sibling
      # crypto rule — confirm and correct the mapping.
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      source-rule-url: https://github.com/securego/gosec
      references:
        - https://godoc.org/golang.org/x/crypto/sha3
      category: security
      technology:
        - go
      confidence: MEDIUM
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    severity: WARNING
    # pattern-inside scopes the match to files whose import block names
    # net/http/cgi; the inner pattern then flags every cgi.<func>(...) call.
    pattern-either:
      - patterns:
          - pattern-inside: |
              import "net/http/cgi"
              ...
          - pattern: |
              cgi.$FUNC(...)
Examples
bad_imports.go
package main
import (
"crypto/cipher"
"crypto/des"
"crypto/md5"
"crypto/rand"
"crypto/rc4"
"crypto/sha1"
"encoding/hex"
"fmt"
"io"
"net/http"
"net/http/cgi"
"os"
)
// main1 is the positive fixture for insecure-module-used: it serves a
// directory listing through net/http/cgi, which is exactly the call the
// rule is meant to flag.
func main1() {
	docs := http.Dir("/usr/share/doc")
	// ruleid: insecure-module-used
	cgi.Serve(http.FileServer(docs))
}
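// main2 is a negative fixture for insecure-module-used: it touches only
// crypto packages and never net/http/cgi, so the rule must stay silent.
//
// The fixture deliberately uses DES in CFB mode with a hardcoded key; that
// choice exists only to give the file some non-cgi stdlib calls and is not a
// pattern to copy. It prints the IV-prefixed ciphertext as hex and panics on
// any error.
func main2() {
	// des.NewCipher requires exactly 8 key bytes; a shorter key makes it
	// return a KeySizeError, which the panic below would surface at runtime.
	// (Constructed 8-byte sample key — any 8 bytes would do.)
	block, err := des.NewCipher([]byte("sekritz!"))
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	// Buffer layout is [IV | ciphertext]; the IV must be unpredictable, so it
	// is drawn from crypto/rand rather than being fixed.
	ciphertext := make([]byte, des.BlockSize+len(plaintext))
	iv := ciphertext[:des.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	stream := cipher.NewCFBEncrypter(block, iv)
	stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext)
	// Printf, not Println: Println does not interpret the %s verb and would
	// print it literally (go vet reports this).
	fmt.Printf("Secret message is: %s\n", hex.EncodeToString(ciphertext))
}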
// main3 is a negative fixture for insecure-module-used: hashing the
// command-line arguments with MD5 does not involve net/http/cgi, so the
// rule must stay silent. Each argument is printed as "<md5 hex> - <arg>".
func main3() {
	for _, arg := range os.Args {
		digest := md5.Sum([]byte(arg))
		// ok: insecure-module-used
		fmt.Printf("%s - %s\n", hex.EncodeToString(digest[:]), arg)
	}
}
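// main4 is a negative fixture for insecure-module-used: it exercises
// crypto/rc4 and never imports net/http/cgi, so the rule must not fire.
//
// RC4 with a hardcoded key is used only because the fixture needs some
// non-cgi stdlib call; it is not a pattern to copy. The keystream-XORed
// plaintext is printed as hex.
func main4() {
	// Named c rather than cipher so the local does not shadow the file's
	// imported crypto/cipher package.
	// ok: insecure-module-used
	c, err := rc4.NewCipher([]byte("sekritz"))
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	ciphertext := make([]byte, len(plaintext))
	c.XORKeyStream(ciphertext, plaintext)
	// Printf, not Println: Println leaves the %s verb uninterpreted
	// (go vet reports this).
	fmt.Printf("Secret message is: %s\n", hex.EncodeToString(ciphertext))
}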
// main5 is a negative fixture for insecure-module-used: hashing the
// command-line arguments with SHA-1 does not involve net/http/cgi, so the
// rule must stay silent. Each argument is printed as "<sha1 hex> - <arg>".
func main5() {
	for _, arg := range os.Args {
		digest := sha1.Sum([]byte(arg))
		// ok: insecure-module-used
		fmt.Printf("%s - %s\n", hex.EncodeToString(digest[:]), arg)
	}
}