go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url

Community Favorite
Author: returntocorp
Download count: 49,147

Found a formatted template string passed to 'template.URL()'. 'template.URL()' does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.

Definition

rules:
  - id: unescaped-data-in-url
    message: Found a formatted template string passed to 'template.URL()'.
      'template.URL()' does not escape contents, and this could result in XSS
      (cross-site scripting) and therefore confidential data being
      stolen. Sanitize data coming into this function or make sure that no
      user-controlled input is coming into the function.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://golang.org/pkg/html/template/#URL
      category: security
      technology:
        - go
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    severity: WARNING
    pattern-either:
      - pattern: template.URL($T + $X, ...)
      - pattern: template.URL(fmt.$P("...", ...), ...)
      - pattern: |
          $T = "..."
          ...
          $T = $FXN(..., $T, ...)
          ...
          template.URL($T, ...)
      - pattern: |
          $T = fmt.$P("...", ...)
          ...
          template.URL($T, ...)
      - pattern: |
          $T, $ERR = fmt.$P("...", ...)
          ...
          template.URL($T, ...)
      - pattern: |
          $T = $X + $Y
          ...
          template.URL($T, ...)
      - pattern: |-
          $T = "..."
          ...
          $OTHER, $ERR = fmt.$P(..., $T, ...)
          ...
          template.URL($OTHER, ...)

Examples

unescaped-data-in-url.go

package main

import (
	"html/template"
	"net/http"
)

// Concat builds markup by concatenating an unescaped query parameter and then
// wraps the result in template.URL, which marks the string as trusted so
// html/template applies no escaping to it. This is the shape the rule reports.
// The return type is template.URL (the original file declared template.HTML,
// which does not compile because template.URL is a distinct string type).
func Concat(r *http.Request) template.URL {
	customerId := r.URL.Query().Get("id")
	// ruleid: unescaped-data-in-url
	tmpl := "<html><body><h1>" + customerId + "</h1></body></html>"

	return template.URL(tmpl)
}
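The rule's concern shown end to end, as an added example that is not part of the Semgrep rule or its test file: it assumes a hypothetical "back" link whose destination comes from a user-supplied return value, renders it through an href attribute, and contrasts the flagged fmt.Sprintf-into-template.URL shape with a version that validates the path, builds the URL with net/url, and lets html/template keep its own URL filtering and escaping.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// Constructed template: the value lands in an href attribute, a URL context in
// which html/template normally rejects unsafe schemes and escapes the value.
var backLink = template.Must(template.New("back").Parse(`<a href="{{.}}">back</a>`))

func Render(v any) (string, error) {
	var buf bytes.Buffer
	if err := backLink.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// VulnerableBackLink is the shape the rule flags: a formatted string holding
// user input is wrapped in template.URL. That type tells html/template the value
// is already safe, so its URL filter is skipped and a caller-chosen scheme
// reaches the attribute intact.
func VulnerableBackLink(returnTo string) (string, error) {
	return Render(template.URL(fmt.Sprintf("%s?from=checkout", returnTo)))
}

// SafeBackLink accepts only a local absolute path, builds the URL with net/url,
// and hands html/template a plain string so contextual escaping still applies.
func SafeBackLink(returnTo string) (string, error) {
	u, err := url.Parse(returnTo)
	if err != nil || u.Scheme != "" || u.Host != "" ||
		!strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		u = &url.URL{Path: "/"} // anything non-local falls back to the site root
	}
	q := u.Query()
	q.Set("from", "checkout")
	u.RawQuery = q.Encode()
	return Render(u.String())
}

func main() {
	v, _ := VulnerableBackLink("javascript:alert(1)") // constructed test input
	s, _ := SafeBackLink("javascript:alert(1)")
	fmt.Println(v) // the javascript: scheme survives into the href
	fmt.Println(s) // <a href="/?from=checkout">back</a>
}
```

Passing the same untrusted string to Render as a plain string (no template.URL wrapper) yields `<a href="#ZgotmplZ">back</a>`, which is html/template's own filter doing the job the wrapper switched off.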