go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace

Verified by r2c | Community Favorite | Author: semgrep | Downloads: 100,201

Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.


Definition

rules:
  - id: dynamic-httptrace-clienttrace
    message: Detected a potentially dynamic ClientTrace. This occurred because
      semgrep could not find a static definition for '$TRACE'. Dynamic
      ClientTraces are dangerous because they deserialize function code to run
      when certain Request events occur, which could lead to code being run
      without your knowledge. Ensure that your ClientTrace is statically
      defined.
    metadata:
      cwe:
        - "CWE-913: Improper Control of Dynamically-Managed Code Resources"
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://github.com/returntocorp/semgrep-rules/issues/518
      category: security
      technology:
        - go
      confidence: MEDIUM
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    patterns:
      - pattern-not-inside: |
          package $PACKAGE
          ...
          &httptrace.ClientTrace { ... }
          ...
      - pattern: httptrace.WithClientTrace($ANY, $TRACE)
    severity: WARNING
    languages:
      - go

Examples

dynamic-httptrace-clienttrace.go

package uhoh

import (
	"net/http"
	"net/http/httptrace"
)

// WithTrace attaches a caller-supplied ClientTrace to the request. The trace is an
// opaque parameter and no &httptrace.ClientTrace{ ... } literal appears in this file,
// so the rule's pattern-not-inside clause does not exclude the call and it is reported.
func WithTrace(req *http.Request, trace *httptrace.ClientTrace) *http.Request {
	// ruleid: dynamic-httptrace-clienttrace
	return req.WithContext(httptrace.WithClientTrace(req.Context(), trace))
}
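For contrast, here is the form the rule accepts, as an added example that is not part of the semgrep-rules test file: the ClientTrace is written out as a literal in the same file, so the `pattern-not-inside` clause matches and the `WithClientTrace` call is not reported. The `TraceLog` type and the loopback `httptest` server are my own constructions so the program runs offline and shows which hooks actually fire.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httptrace"
	"sync"
)

// TraceLog records which hooks fired; the mutex matters because the transport fires some hooks from its own goroutines.
type TraceLog struct {
	mu     sync.Mutex
	Events []string
}

func (l *TraceLog) add(ev string) { l.mu.Lock(); l.Events = append(l.Events, ev); l.mu.Unlock() }

// NewStaticTrace writes the ClientTrace out as a literal in this file, so a reviewer
// (and the rule's pattern-not-inside clause) can see exactly what runs on each event.
func NewStaticTrace(log *TraceLog) *httptrace.ClientTrace {
	return &httptrace.ClientTrace{
		GotConn:              func(httptrace.GotConnInfo) { log.add("GotConn") },
		WroteHeaders:         func() { log.add("WroteHeaders") },
		GotFirstResponseByte: func() { log.add("GotFirstResponseByte") },
	}
}

// FetchTraced performs a GET with the static trace attached and returns the events that fired.
func FetchTraced(client *http.Client, url string) ([]string, error) {
	log := &TraceLog{}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	// ok: dynamic-httptrace-clienttrace (the trace is built here, not passed in opaquely)
	req = req.WithContext(httptrace.WithClientTrace(req.Context(), NewStaticTrace(log)))
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return log.Events, nil
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	defer srv.Close()
	fmt.Println(FetchTraced(srv.Client(), srv.URL))
}
```

Running it prints the three events in the order the transport fires them: GotConn, WroteHeaders, GotFirstResponseByte.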