Documentation
¶
Overview ¶
testutils/g117_samples.go
Index ¶
- Variables
- func NewLogger() (*log.Logger, *bytes.Buffer)
- type CodeSample
- type MockVisitor
- type Option
- type TestPackage
- func (p *TestPackage) AddFile(filename, content string)
- func (p *TestPackage) Build(opts ...Option) error
- func (p *TestPackage) Close()
- func (p *TestPackage) CreateContext(filename string, opts ...Option) *gosec.Context
- func (p *TestPackage) Pkgs() []*packages.Package
- func (p *TestPackage) PrintErrors() int
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // SampleCodeCompilationFail provides a file that won't compile. SampleCodeCompilationFail = []CodeSample{ {[]string{` package main func main() { fmt.Println("no package imported error") } `}, 1, gosec.NewConfig()}, } // SampleCodeBuildTag provides a small program that should only compile // provided a build tag. SampleCodeBuildTag = []CodeSample{ {[]string{` // +build tag package main import "fmt" func main() { fmt.Println("Hello world") } `}, 0, gosec.NewConfig()}, } )
View Source
var ( // SampleCodeG101 code snippets for hardcoded credentials SampleCodeG101 = []CodeSample{ {[]string{` package main import "fmt" func main() { username := "admin" password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" fmt.Println("Doing something with: ", username, password) } `}, 1, gosec.NewConfig()}, {[]string{` // Entropy check should not report this error by default package main import "fmt" func main() { username := "admin" password := "secret" fmt.Println("Doing something with: ", username, password) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" func main() { username := "admin" fmt.Println("Doing something with: ", username, password) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" func main() { username := "admin" fmt.Println("Doing something with: ", username, password) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( username = "user" password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" ) func main() { fmt.Println("Doing something with: ", username, password) } `}, 1, gosec.NewConfig()}, {[]string{` package main var password string func init() { password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" } `}, 1, gosec.NewConfig()}, {[]string{` package main const ( ATNStateSomethingElse = 1 ATNStateTokenStart = 42 ) func main() { println(ATNStateTokenStart) } `}, 0, gosec.NewConfig()}, {[]string{` package main const ( ATNStateTokenStart = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" ) func main() { println(ATNStateTokenStart) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var password string if password == "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { fmt.Println("password equality") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var password string if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" == password { fmt.Println("password equality") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var password string if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { fmt.Println("password equality") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var password string if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != password { fmt.Println("password equality") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var p string if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { fmt.Println("password equality") } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var p string if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != p { fmt.Println("password equality") } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( pw = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA==" ) func main() { fmt.Println(pw) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" var ( pw string ) func main() { pw = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA==" fmt.Println(pw) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( cred = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA==" ) func main() { fmt.Println(cred) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" var ( cred string ) func main() { cred = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA==" fmt.Println(cred) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( apiKey = "KjasdlkjapoIKLlka98098sdf012U" ) func main() { fmt.Println(apiKey) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" var ( apiKey string ) func main() { apiKey = "KjasdlkjapoIKLlka98098sdf012U" fmt.Println(apiKey) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( bearer = "Bearer: 2lkjdfoiuwer092834kjdwf09" ) func main() { fmt.Println(bearer) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" var ( bearer string ) func main() { bearer = "Bearer: 2lkjdfoiuwer092834kjdwf09" fmt.Println(bearer) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" // #nosec G101 const ( ConfigLearnerTokenAuth string = "learner_auth_token_config" // #nosec G101 ) func main() { fmt.Printf("%s\n", ConfigLearnerTokenAuth) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" // #nosec G101 const ( ConfigLearnerTokenAuth string = "learner_auth_token_config" ) func main() { fmt.Printf("%s\n", ConfigLearnerTokenAuth) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( ConfigLearnerTokenAuth string = "learner_auth_token_config" // #nosec G101 ) func main() { fmt.Printf("%s\n", ConfigLearnerTokenAuth) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" //gosec:disable G101 const ( ConfigLearnerTokenAuth string = "learner_auth_token_config" //gosec:disable G101 ) func main() { fmt.Printf("%s\n", ConfigLearnerTokenAuth) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" //gosec:disable G101 const ( ConfigLearnerTokenAuth string = "learner_auth_token_config" ) func main() { fmt.Printf("%s\n", ConfigLearnerTokenAuth) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( ConfigLearnerTokenAuth string = "learner_auth_token_config" //gosec:disable G101 ) func main() { fmt.Printf("%s\n", ConfigLearnerTokenAuth) } `}, 0, gosec.NewConfig()}, {[]string{` package main type DBConfig struct { Password string } func main() { _ = DBConfig{ Password: "f62e5bcda4fae4f82370da0c6f20697b8f8447ef", } } `}, 1, gosec.NewConfig()}, {[]string{` package main type DBConfig struct { Password string } func main() { _ = &DBConfig{ Password: "f62e5bcda4fae4f82370da0c6f20697b8f8447ef", } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { _ = struct{ Password string }{ Password: "f62e5bcda4fae4f82370da0c6f20697b8f8447ef", } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { _ = map[string]string{ "password": "f62e5bcda4fae4f82370da0c6f20697b8f8447ef", } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { _ = map[string]string{ "apiKey": "f62e5bcda4fae4f82370da0c6f20697b8f8447ef", } } `}, 1, gosec.NewConfig()}, {[]string{` package main type Config struct { Username string Password string } func main() { _ = Config{ Username: "admin", Password: "f62e5bcda4fae4f82370da0c6f20697b8f8447ef", } } `}, 1, gosec.NewConfig()}, {[]string{` package main type DBConfig struct { Password string } func main() { _ = DBConfig{ // #nosec G101 Password: "f62e5bcda4fae4f82370da0c6f20697b8f8447ef", } } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { _ = struct{ Password string }{ Password: "secret", // low entropy } } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { _ = map[string]string{ "password": "secret", // low entropy } } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { _ = struct{ Username string }{ Username: "f62e5bcda4fae4f82370da0c6f20697b8f8447ef", // non-sensitive key } } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { _ = []string{"f62e5bcda4fae4f82370da0c6f20697b8f8447ef"} // unkeyed – no trigger } `}, 0, gosec.NewConfig()}, } // SampleCodeG101Values code snippets for hardcoded credentials SampleCodeG101Values = []CodeSample{ {[]string{` package main import "fmt" func main() { customerNameEnvKey := "FOO_CUSTOMER_NAME" fmt.Println(customerNameEnvKey) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { txnID := "3637cfcc1eec55a50f78a7c435914583ccbc75a21dec9a0e94dfa077647146d7" fmt.Println(txnID) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { url := "https://username:[email protected]/" fmt.Println(url) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { githubToken := "ghp_iR54dhCYg9Tfmoywi9xLmmKZrrnAw438BYh3" fmt.Println(githubToken) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { awsAccessKeyID := "AKIAI44QH8DHBEXAMPLE" fmt.Println(awsAccessKeyID) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { compareGoogleAPI := "test" if compareGoogleAPI == "AIzajtGS_aJGkoiAmSbXzu9I-1eytAi9Lrlh-vT" { fmt.Println(compareGoogleAPI) } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { _ = struct{ SomeKey string }{ SomeKey: "AKIAI44QH8DHBEXAMPLE", } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { _ = map[string]string{ "github_token": "ghp_iR54dhCYg9Tfmoywi9xLmmKZrrnAw438BYh3", } } `}, 1, gosec.NewConfig()}, } )
View Source
var ( // SampleCodeG104 finds errors that aren't being handled SampleCodeG104 = []CodeSample{ {[]string{` package main import "fmt" func test() (int,error) { return 0, nil } func main() { v, _ := test() fmt.Println(v) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "io/ioutil" "os" "fmt" ) func a() error { return fmt.Errorf("This is an error") } func b() { fmt.Println("b") ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive) } func c() string { return fmt.Sprintf("This isn't anything") } func main() { _ = a() a() b() c() } `}, 2, gosec.NewConfig()}, {[]string{` package main import "fmt" func test() error { return nil } func main() { e := test() fmt.Println(e) } `}, 0, gosec.NewConfig()}, {[]string{` // +build go1.10 package main import "strings" func main() { var buf strings.Builder _, err := buf.WriteString("test string") if err != nil { panic(err) } }`, ` package main func dummy(){} `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "bytes" ) type a struct { buf *bytes.Buffer } func main() { a := &a{ buf: new(bytes.Buffer), } a.buf.Write([]byte{0}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "io/ioutil" "os" "fmt" ) func a() { fmt.Println("a") ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive) } func main() { a() } `}, 0, gosec.Config{"G104": map[string]interface{}{"ioutil": []interface{}{"WriteFile"}}}}, {[]string{` package main import ( "bytes" "fmt" "io" "os" "strings" ) func createBuffer() *bytes.Buffer { return new(bytes.Buffer) } func main() { new(bytes.Buffer).WriteString("*bytes.Buffer") fmt.Fprintln(os.Stderr, "fmt") new(strings.Builder).WriteString("*strings.Builder") _, pw := io.Pipe() pw.CloseWithError(io.EOF) createBuffer().WriteString("*bytes.Buffer") b := createBuffer() b.WriteString("*bytes.Buffer") } `}, 0, gosec.NewConfig()}, {[]string{` package main import "crypto/rand" func main() { b := make([]byte, 8) rand.Read(b) _ = b } `}, 0, gosec.NewConfig()}, } // it shouldn't return any errors because all method calls are whitelisted by default // SampleCodeG104Audit finds errors that aren't being handled in audit mode SampleCodeG104Audit = []CodeSample{ {[]string{` package main import "fmt" func test() (int,error) { return 0, nil } func main() { v, _ := test() fmt.Println(v) } `}, 1, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, {[]string{` package main import ( "io/ioutil" "os" "fmt" ) func a() error { return fmt.Errorf("This is an error") } func b() { fmt.Println("b") ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive) } func c() string { return fmt.Sprintf("This isn't anything") } func main() { _ = a() a() b() c() } `}, 3, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, {[]string{` package main import "fmt" func test() error { return nil } func main() { e := test() fmt.Println(e) } `}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, {[]string{` // +build go1.10 package main import "strings" func main() { var buf strings.Builder _, err := buf.WriteString("test string") if err != nil { panic(err) } } `, ` package main func dummy(){} `}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, } )
View Source
var ( // SampleCodeG401 - Use of weak crypto hash MD5 SampleCodeG401 = []CodeSample{ {[]string{` package main import ( "crypto/md5" "fmt" "io" "log" "os" ) func main() { f, err := os.Open("file.txt") if err != nil { log.Fatal(err) } defer f.Close() defer func() { err := f.Close() if err != nil { log.Printf("error closing the file: %s", err) } }() h := md5.New() if _, err := io.Copy(h, f); err != nil { log.Fatal(err) } fmt.Printf("%x", h.Sum(nil)) } `}, 1, gosec.NewConfig()}, } // SampleCodeG401b - Use of weak crypto hash SHA1 SampleCodeG401b = []CodeSample{ {[]string{` package main import ( "crypto/sha1" "fmt" "io" "log" "os" ) func main() { f, err := os.Open("file.txt") if err != nil { log.Fatal(err) } defer f.Close() h := sha1.New() if _, err := io.Copy(h, f); err != nil { log.Fatal(err) } fmt.Printf("%x", h.Sum(nil)) } `}, 1, gosec.NewConfig()}, } )
View Source
var ( // SampleCodeG405 - Use of weak crypto encryption DES SampleCodeG405 = []CodeSample{ {[]string{` package main import ( "crypto/des" "fmt" ) func main() { // Weakness: Usage of weak encryption algorithm c, e := des.NewCipher([]byte("mySecret")) if e != nil { panic("We have a problem: " + e.Error()) } data := []byte("hello world") fmt.Println("Plain", string(data)) c.Encrypt(data, data) fmt.Println("Encrypted", string(data)) c.Decrypt(data, data) fmt.Println("Plain Decrypted", string(data)) } `}, 1, gosec.NewConfig()}, } // SampleCodeG405b - Use of weak crypto encryption RC4 SampleCodeG405b = []CodeSample{ {[]string{` package main import ( "crypto/rc4" "fmt" ) func main() { // Weakness: Usage of weak encryption algorithm c, _ := rc4.NewCipher([]byte("mySecret")) data := []byte("hello world") fmt.Println("Plain", string(data)) c.XORKeyStream(data, data) cryptCipher2, _ := rc4.NewCipher([]byte("mySecret")) fmt.Println("Encrypted", string(data)) cryptCipher2.XORKeyStream(data, data) fmt.Println("Plain Decrypted", string(data)) } `}, 2, gosec.NewConfig()}, } )
View Source
var ( // SampleCodeG406 - Use of deprecated weak crypto hash MD4 SampleCodeG406 = []CodeSample{ {[]string{` package main import ( "encoding/hex" "fmt" "golang.org/x/crypto/md4" ) func main() { h := md4.New() h.Write([]byte("test")) fmt.Println(hex.EncodeToString(h.Sum(nil))) } `}, 1, gosec.NewConfig()}, } // SampleCodeG406b - Use of deprecated weak crypto hash RIPEMD160 SampleCodeG406b = []CodeSample{ {[]string{` package main import ( "encoding/hex" "fmt" "golang.org/x/crypto/ripemd160" ) func main() { h := ripemd160.New() h.Write([]byte("test")) fmt.Println(hex.EncodeToString(h.Sum(nil))) } `}, 1, gosec.NewConfig()}, } )
View Source
var ( SampleCodeG501 = []CodeSample{ {[]string{` package main import ( "crypto/md5" "fmt" "os" ) func main() { for _, arg := range os.Args { fmt.Printf("%x - %s\n", md5.Sum([]byte(arg)), arg) } } `}, 1, gosec.NewConfig()}, } // SampleCodeG501BuildTag provides a reportable file if a build tag is // supplied. SampleCodeG501BuildTag = []CodeSample{ {[]string{` //go:build tag package main import ( "crypto/md5" "fmt" "os" ) func main() { for _, arg := range os.Args { fmt.Printf("%x - %s\n", md5.Sum([]byte(arg)), arg) } } `}, 2, gosec.NewConfig()}, } )
SampleCodeG501 - Blocklisted import MD5
View Source
var SampleCodeCgo = []CodeSample{ {[]string{` package main import ( "fmt" "unsafe" ) /* #include <stdlib.h> #include <stdio.h> #include <string.h> int printData(unsigned char *data) { return printf("cData: %lu \"%s\"\n", (long unsigned int)strlen(data), data); } */ import "C" func main() { // Allocate C data buffer. width, height := 8, 2 lenData := width * height // add string terminating null byte cData := (*C.uchar)(C.calloc(C.size_t(lenData+1), C.sizeof_uchar)) // When no longer in use, free C allocations. defer C.free(unsafe.Pointer(cData)) // Go slice reference to C data buffer, // minus string terminating null byte gData := (*[1 << 30]byte)(unsafe.Pointer(cData))[:lenData:lenData] // Write and read cData via gData. for i := range gData { gData[i] = '.' } copy(gData[0:], "Data") gData[len(gData)-1] = 'X' fmt.Printf("gData: %d %q\n", len(gData), gData) C.printData(cData) } `}, 0, gosec.NewConfig()}, }
SampleCodeCgo - Cgo file sample
View Source
var SampleCodeG102 = []CodeSample{ {[]string{` package main import ( "log" "net" ) func main() { l, err := net.Listen("tcp", "0.0.0.0:2000") if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net" ) func main() { l, err := net.Listen("tcp", ":2000") if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net" ) func parseListenAddr(listenAddr string) (network string, addr string) { return "", "" } func main() { addr := ":2000" l, err := net.Listen(parseListenAddr(addr)) if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net" ) const addr = ":2000" func parseListenAddr(listenAddr string) (network string, addr string) { return "", "" } func main() { l, err := net.Listen(parseListenAddr(addr)) if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net" ) const addr = "0.0.0.0:2000" func main() { l, err := net.Listen("tcp", addr) if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, }
SampleCodeG102 code snippets for network binding
View Source
var SampleCodeG103 = []CodeSample{ {[]string{` package main import ( "fmt" "unsafe" ) type Fake struct{} func (Fake) Good() {} func main() { unsafeM := Fake{} unsafeM.Good() intArray := [...]int{1, 2} fmt.Printf("\nintArray: %v\n", intArray) intPtr := &intArray[0] fmt.Printf("\nintPtr=%p, *intPtr=%d.\n", intPtr, *intPtr) addressHolder := uintptr(unsafe.Pointer(intPtr)) intPtr = (*int)(unsafe.Pointer(addressHolder)) fmt.Printf("\nintPtr=%p, *intPtr=%d.\n\n", intPtr, *intPtr) } `}, 2, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "unsafe" ) func main() { chars := [...]byte{1, 2} charsPtr := &chars[0] str := unsafe.String(charsPtr, len(chars)) fmt.Printf("%s\n", str) ptr := unsafe.StringData(str) fmt.Printf("ptr: %p\n", ptr) } `}, 2, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "unsafe" ) func main() { chars := [...]byte{1, 2} charsPtr := &chars[0] slice := unsafe.Slice(charsPtr, len(chars)) fmt.Printf("%v\n", slice) ptr := unsafe.SliceData(slice) fmt.Printf("ptr: %p\n", ptr) } `}, 2, gosec.NewConfig()}, }
SampleCodeG103 find instances of unsafe blocks for auditing purposes
View Source
var SampleCodeG106 = []CodeSample{ {[]string{` package main import ( "golang.org/x/crypto/ssh" ) func main() { _ = ssh.InsecureIgnoreHostKey() } `}, 1, gosec.NewConfig()}, }
SampleCodeG106 - ssh InsecureIgnoreHostKey
View Source
var SampleCodeG107 = []CodeSample{ {[]string{` // Input from the std in is considered insecure package main import ( "net/http" "io/ioutil" "fmt" "os" "bufio" ) func main() { in := bufio.NewReader(os.Stdin) url, err := in.ReadString('\n') if err != nil { panic(err) } resp, err := http.Get(url) if err != nil { panic(err) } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { panic(err) } fmt.Printf("%s", body) } `}, 1, gosec.NewConfig()}, {[]string{` // Variable defined a package level can be changed at any time // regardless of the initial value package main import ( "fmt" "io/ioutil" "net/http" ) var url string = "https://www.google.com" func main() { resp, err := http.Get(url) if err != nil { panic(err) } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { panic(err) } fmt.Printf("%s", body) }`}, 1, gosec.NewConfig()}, {[]string{` // Environmental variables are not considered as secure source package main import ( "net/http" "io/ioutil" "fmt" "os" ) func main() { url := os.Getenv("tainted_url") resp, err := http.Get(url) if err != nil { panic(err) } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { panic(err) } fmt.Printf("%s", body) } `}, 1, gosec.NewConfig()}, {[]string{` // Constant variables or hard-coded strings are secure package main import ( "fmt" "net/http" ) const url = "http://127.0.0.1" func main() { resp, err := http.Get(url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 0, gosec.NewConfig()}, {[]string{` // A variable at function scope which is initialized to // a constant string is secure (e.g. cannot be changed concurrently) package main import ( "fmt" "net/http" ) func main() { var url string = "http://127.0.0.1" resp, err := http.Get(url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 0, gosec.NewConfig()}, {[]string{` // A variable at function scope which is initialized to // a constant string is secure (e.g. cannot be changed concurrently) package main import ( "fmt" "net/http" ) func main() { url := "http://127.0.0.1" resp, err := http.Get(url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 0, gosec.NewConfig()}, {[]string{` // A variable at function scope which is initialized to // a constant string is secure (e.g. cannot be changed concurrently) package main import ( "fmt" "net/http" ) func main() { url1 := "test" var url2 string = "http://127.0.0.1" url2 = url1 resp, err := http.Get(url2) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 0, gosec.NewConfig()}, {[]string{` // An exported variable declared a packaged scope is not secure // because it can changed at any time package main import ( "fmt" "net/http" ) var Url string func main() { resp, err := http.Get(Url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 1, gosec.NewConfig()}, {[]string{` // An url provided as a function argument is not secure package main import ( "fmt" "net/http" ) func get(url string) { resp, err := http.Get(url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } func main() { url := "http://127.0.0.1" get(url) } `}, 1, gosec.NewConfig()}, }
SampleCodeG107 - SSRF via http requests with variable url
View Source
var SampleCodeG108 = []CodeSample{ {[]string{` package main import ( "fmt" "log" "net/http" _ "net/http/pprof" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello World!") }) log.Fatal(http.ListenAndServe(":8080", nil)) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "log" "net/http" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello World!") }) log.Fatal(http.ListenAndServe(":8080", nil)) } `}, 0, gosec.NewConfig()}, }
SampleCodeG108 - pprof endpoint automatically exposed
View Source
var SampleCodeG109 = []CodeSample{ {[]string{` package main import ( "fmt" "strconv" ) func main() { bigValue, err := strconv.Atoi("2147483648") if err != nil { panic(err) } value := int32(bigValue) fmt.Println(value) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { bigValue, err := strconv.Atoi("32768") if err != nil { panic(err) } if int16(bigValue) < 0 { fmt.Println(bigValue) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { bigValue, err := strconv.Atoi("2147483648") if err != nil { panic(err) } fmt.Println(bigValue) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { bigValue, err := strconv.Atoi("2147483648") if err != nil { panic(err) } fmt.Println(bigValue) test() } func test() { bigValue := 30 value := int64(bigValue) fmt.Println(value) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { value := 10 if value == 10 { value, _ := strconv.Atoi("2147483648") fmt.Println(value) } v := int64(value) fmt.Println(v) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { a, err := strconv.Atoi("a") b := int64(a) //#nosec G109 fmt.Println(b, err) } `}, 0, gosec.NewConfig()}, }
SampleCodeG109 - Potential Integer OverFlow
View Source
var SampleCodeG110 = []CodeSample{ {[]string{` package main import ( "bytes" "compress/zlib" "io" "os" ) func main() { buff := []byte{120, 156, 202, 72, 205, 201, 201, 215, 81, 40, 207, 47, 202, 73, 225, 2, 4, 0, 0, 255, 255, 33, 231, 4, 147} b := bytes.NewReader(buff) r, err := zlib.NewReader(b) if err != nil { panic(err) } _, err = io.Copy(os.Stdout, r) if err != nil { panic(err) } r.Close() }`}, 1, gosec.NewConfig()}, {[]string{` package main import ( "bytes" "compress/zlib" "io" "os" ) func main() { buff := []byte{120, 156, 202, 72, 205, 201, 201, 215, 81, 40, 207, 47, 202, 73, 225, 2, 4, 0, 0, 255, 255, 33, 231, 4, 147} b := bytes.NewReader(buff) r, err := zlib.NewReader(b) if err != nil { panic(err) } buf := make([]byte, 8) _, err = io.CopyBuffer(os.Stdout, r, buf) if err != nil { panic(err) } r.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "archive/zip" "io" "os" "strconv" ) func main() { r, err := zip.OpenReader("tmp.zip") if err != nil { panic(err) } defer r.Close() for i, f := range r.File { out, err := os.OpenFile("output" + strconv.Itoa(i), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) if err != nil { panic(err) } rc, err := f.Open() if err != nil { panic(err) } _, err = io.Copy(out, rc) out.Close() rc.Close() if err != nil { panic(err) } } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "io" "os" ) func main() { s, err := os.Open("src") if err != nil { panic(err) } defer s.Close() d, err := os.Create("dst") if err != nil { panic(err) } defer d.Close() _, err = io.Copy(d, s) if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, }
SampleCodeG110 - potential DoS vulnerability via decompression bomb
View Source
var SampleCodeG111 = []CodeSample{ {[]string{` package main import ( "fmt" "log" "net/http" "os" ) func main() { http.Handle("/bad/", http.StripPrefix("/bad/", http.FileServer(http.Dir("/")))) http.HandleFunc("/", HelloServer) log.Fatal(http.ListenAndServe(":"+os.Getenv("PORT"), nil)) } func HelloServer(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) } `}, 1, gosec.NewConfig()}, }
SampleCodeG111 - potential directory traversal
View Source
var SampleCodeG112 = []CodeSample{ {[]string{` package main import ( "fmt" "net/http" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) }) err := (&http.Server{ Addr: ":1234", }).ListenAndServe() if err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "time" "net/http" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) }) server := &http.Server{ Addr: ":1234", ReadHeaderTimeout: 3 * time.Second, } err := server.ListenAndServe() if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "time" "net/http" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) }) server := &http.Server{ Addr: ":1234", ReadTimeout: 1 * time.Second, } err := server.ListenAndServe() if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "net/http" "sync" ) type Server struct { hs *http.Server mux *http.ServeMux mu sync.Mutex } func New(listenAddr string) *Server { mux := http.NewServeMux() return &Server{ hs: &http.Server{ // #nosec G112 - Not publicly exposed Addr: listenAddr, Handler: mux, }, mux: mux, mu: sync.Mutex{}, } } func main() { fmt.Print("test") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "net/http" "sync" ) type Server struct { hs *http.Server mux *http.ServeMux mu sync.Mutex } func New(listenAddr string) *Server { mux := http.NewServeMux() return &Server{ hs: &http.Server{ //gosec:disable G112 - Not publicly exposed Addr: listenAddr, Handler: mux, }, mux: mux, mu: sync.Mutex{}, } } func main() { fmt.Print("test") } `}, 0, gosec.NewConfig()}, }
SampleCodeG112 - potential slowloris attack
View Source
var SampleCodeG113 = []CodeSample{ {[]string{` package main import ( "net/http" ) func handler(w http.ResponseWriter, r *http.Request) { w.Header().Set("Transfer-Encoding", "chunked") w.Header().Set("Content-Length", "100") w.Write([]byte("response body")) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "net/http" ) func handler(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Length", "100") w.Header().Set("Transfer-Encoding", "chunked") w.Write([]byte("response body")) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "net/http" ) func handler(w http.ResponseWriter, r *http.Request) { header := w.Header() header.Set("Transfer-Encoding", "chunked") header.Set("Content-Length", "50") w.Write([]byte("data")) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "net/http" ) func safeHandler(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Length", "100") w.Write([]byte("response body")) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "net/http" ) func safeHandler(w http.ResponseWriter, r *http.Request) { w.Header().Set("Transfer-Encoding", "chunked") w.Write([]byte("response body")) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "net/http" ) func anotherSafeHandler(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") w.Header().Set("Cache-Control", "no-cache") w.Write([]byte("{}")) } `}, 0, gosec.NewConfig()}, }
SampleCodeG113 - HTTP request smuggling vulnerabilities
View Source
var SampleCodeG114 = []CodeSample{ {[]string{` package main import ( "log" "net/http" ) func main() { err := http.ListenAndServe(":8080", nil) log.Fatal(err) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net/http" ) func main() { err := http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", nil) log.Fatal(err) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net" "net/http" ) func main() { l, err := net.Listen("tcp", ":8080") if err != nil { log.Fatal(err) } defer l.Close() err = http.Serve(l, nil) log.Fatal(err) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net" "net/http" ) func main() { l, err := net.Listen("tcp", ":8443") if err != nil { log.Fatal(err) } defer l.Close() err = http.ServeTLS(l, nil, "cert.pem", "key.pem") log.Fatal(err) } `}, 1, gosec.NewConfig()}, }
SampleCodeG114 - Use of net/http serve functions that have no support for setting timeouts
View Source
var SampleCodeG115 = []CodeSample{}/* 134 elements not displayed */
View Source
var ( // SampleCodeG116 - TrojanSource code snippets SampleCodeG116 = []CodeSample{ {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// This comment contains bidirectional unicode: access\u202e\u2066 granted\u2069\u202d\n\tisAdmin := false\n\tfmt.Println(\"Access status:\", isAdmin)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Trojan source with RLO character\n\taccessLevel := \"user\"\n\t// Actually assigns \"nimda\" due to bidi chars: accessLevel = \"\u202enimda\"\n\tif accessLevel == \"admin\" {\n\t\tfmt.Println(\"Access granted\")\n\t}\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// String with bidirectional override\n\tusername := \"admin\u202e \u2066Check if admin\u2069 \u2066\"\n\tpassword := \"secret\"\n\tfmt.Println(username, password)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains LRI (Left-to-Right Isolate) U+2066\n\tcomment := \"Safe comment \u2066with hidden text\u2069\"\n\tfmt.Println(comment)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains RLI (Right-to-Left Isolate) U+2067\n\tmessage := \"Normal text \u2067hidden\u2069\"\n\tfmt.Println(message)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains FSI (First Strong Isolate) U+2068\n\ttext := \"Text with \u2068hidden content\u2069\"\n\tfmt.Println(text)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains LRE (Left-to-Right Embedding) U+202A\n\tembedded := \"Text with \u202aembedded\u202c content\"\n\tfmt.Println(embedded)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains RLE (Right-to-Left Embedding) U+202B\n\trtlEmbedded := \"Text with \u202bembedded\u202c content\"\n\tfmt.Println(rtlEmbedded)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains PDF (Pop Directional Formatting) U+202C\n\tformatted := \"Text with \u202cformatting\"\n\tfmt.Println(formatted)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains LRO (Left-to-Right Override) U+202D\n\toverride := \"Text \u202doverride\"\n\tfmt.Println(override)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains RLO (Right-to-Left Override) U+202E\n\trloText := \"Text \u202eoverride\"\n\tfmt.Println(rloText)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains RLM (Right-to-Left Mark) U+200F\n\tmarked := \"Text \u200fmarked\"\n\tfmt.Println(marked)\n}\n"}, 1, gosec.NewConfig()}, {[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains LRM (Left-to-Right Mark) U+200E\n\tlrmText := \"Text \u200emarked\"\n\tfmt.Println(lrmText)\n}\n"}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" // Safe code without bidirectional characters func main() { username := "admin" password := "secret" fmt.Println("Username:", username) fmt.Println("Password:", password) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" // Normal comment with regular text func main() { // This is a safe comment isAdmin := true if isAdmin { fmt.Println("Access granted") } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { // Regular ASCII characters only message := "Hello, World!" fmt.Println(message) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func authenticateUser(username, password string) bool { // Normal authentication logic if username == "admin" && password == "secret" { return true } return false } func main() { result := authenticateUser("user", "pass") fmt.Println("Authenticated:", result) } `}, 0, gosec.NewConfig()}, } )
#nosec - This file intentionally contains bidirectional Unicode characters for testing trojan source detection. The G116 rule scans the entire file content (not just AST nodes) because trojan source attacks work by manipulating visual representation of code through bidirectional text control characters, which can appear in comments, strings or anywhere in the source file. Without this #nosec exclusion, gosec would detect these test samples as actual vulnerabilities.
View Source
var SampleCodeG117 = []CodeSample{ {[]string{` package main import "encoding/json" type Config struct { Password string } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { APIKey *string ` + "`json:\"api_key\"`" + ` } func main() { _, _ = json.MarshalIndent(Config{}, "", " ") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "encoding/json" "os" ) type Config struct { PrivateKey []byte ` + "`json:\"private_key\"`" + ` } func main() { _ = json.NewEncoder(os.Stdout).Encode(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Password string ` + "`json:\"text_field\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { SafeField string ` + "`json:\"api_key\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Token string ` + "`json:\"auth_token\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Key string ` + "`json:\"access-key\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Secret string ` + "`json:\",omitempty\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { ApiTokens []string } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { RefreshTokens []string ` + "`json:\"refresh_tokens\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { AccessTokens []*string } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { CustomSecret string ` + "`json:\"my_custom_secret\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 1, func() gosec.Config { cfg := gosec.NewConfig() cfg.Set("G117", map[string]interface{}{ "pattern": "(?i)custom[_-]?secret", }) return cfg }()}, {[]string{` package main import "encoding/json" type Config struct { Password string } func main() { _, _ = json.Marshal(&Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Password string } func main() { _, _ = json.Marshal([]Config{{}}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Password string } func main() { _, _ = json.Marshal(map[string]Config{"x": {}}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "go.yaml.in/yaml/v3" type Config struct { Password string ` + "`yaml:\"password\"`" + ` } func main() { _, _ = yaml.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/xml" type Config struct { SafeField string ` + "`xml:\"api_key\"`" + ` } func main() { _, _ = xml.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "github.com/BurntSushi/toml" import "os" type Config struct { Password string ` + "`toml:\"password\"`" + ` } func main() { _ = toml.NewEncoder(os.Stdout).Encode(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main type Config struct { Password string } func main() {} `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "bytes" "text/template" ) func main() { t := template.Must(template.New("x").Parse("{{.Username}}")) var tpl bytes.Buffer _ = t.Execute(&tpl, struct { Username string Password string }{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main type AppConfig struct { ApiSecret string ` + "`env:\"API_SECRET\"`" + ` } func main() {} `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Password string ` + "`json:\"-\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "go.yaml.in/yaml/v3" type Config struct { Password string ` + "`yaml:\"-\"`" + ` } func main() { _, _ = yaml.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/xml" type Config struct { Password string ` + "`xml:\"-\"`" + ` } func main() { _, _ = xml.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "github.com/BurntSushi/toml" import "os" type Config struct { Password string ` + "`toml:\"-\"`" + ` } func main() { _ = toml.NewEncoder(os.Stdout).Encode(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { UserID string ` + "`json:\"user_id\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" func main() { _, _ = json.Marshal("api_key") } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { password string } func main() { _, _ = json.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { password string ` + "`json:\"password\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { SafeField string ` + "`json:\"-,\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { MaxTokens int } func main() { _, _ = json.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { RedactionTokens []string ` + "`json:\"redactionTokens,omitempty\"`" + ` } func main() { _, _ = json.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Safe, Password string } func main() { _, _ = json.Marshal(Config{}) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Password string } func main() { _, _ = json.Marshal(Config{}) // #nosec G117 } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Password string } func main() { // #nosec G117 -- false positive _, _ = json.Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { APIKey string ` + "`json:\"api_key\"`" + ` } func main() { _, _ = json.Marshal(Config{}) // #nosec G117 -- public key } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/json" type Config struct { Password string } func main() { _, _ = json.MarshalIndent(Config{}, "", " ") // #nosec G117 } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "encoding/json" "os" ) type Config struct { Password string } func main() { _ = json.NewEncoder(os.Stdout).Encode(Config{}) // #nosec G117 } `}, 0, gosec.NewConfig()}, {[]string{` package main import "go.yaml.in/yaml/v3" type Config struct { Password string } func main() { _, _ = yaml.Marshal(Config{}) // #nosec G117 } `}, 0, gosec.NewConfig()}, {[]string{` package main import "encoding/xml" type Config struct { Password string } func main() { _, _ = xml.Marshal(Config{}) // #nosec G117 } `}, 0, gosec.NewConfig()}, {[]string{` package main import "github.com/BurntSushi/toml" import "os" type Config struct { Password string } func main() { _ = toml.NewEncoder(os.Stdout).Encode(Config{}) // #nosec G117 } `}, 0, gosec.NewConfig()}, {[]string{` package main type Config struct { Password string } func Marshal(any) {} func main() { Marshal(Config{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main type Encoder struct{} func (Encoder) Encode(any) error { return nil } type Config struct { Password string } func main() { _ = Encoder{}.Encode(Config{}) } `}, 0, gosec.NewConfig()}, }
View Source
var SampleCodeG118 = []CodeSample{ {[]string{` package main import ( "context" "net/http" "time" ) func handler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() _ = ctx go func() { child, _ := context.WithTimeout(context.Background(), time.Second) _ = child }() } `}, 2, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func work(ctx context.Context) { child, _ := context.WithTimeout(ctx, time.Second) _ = child } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func run(ctx context.Context) { for { time.Sleep(time.Second) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func complexInfinite(ctx context.Context, ch <-chan int) { _ = ctx for { select { case <-ch: time.Sleep(time.Millisecond) default: time.Sleep(time.Millisecond) } } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" "time" ) func handler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() go func(ctx2 context.Context) { for { select { case <-ctx2.Done(): return case <-time.After(time.Millisecond): } } }(ctx) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func work(ctx context.Context) { child, cancel := context.WithTimeout(ctx, time.Second) defer cancel() _ = child } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func forwarded(ctx context.Context) { child, cancel := context.WithCancel(ctx) _ = child cancelCopy := cancel defer cancelCopy() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func run(ctx context.Context) { for { select { case <-ctx.Done(): return case <-time.After(time.Second): } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func bounded(ctx context.Context) { _ = ctx for i := 0; i < 3; i++ { time.Sleep(time.Millisecond) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func worker(ctx context.Context, max int) { _ = ctx i := 0 for { if i >= max { break } time.Sleep(time.Millisecond) i++ } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func work(ctx context.Context) { child, _ := context.WithCancel(ctx) _ = child } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func work(ctx context.Context) { child, _ := context.WithDeadline(ctx, time.Now().Add(time.Second)) _ = child } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) func handler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() _ = ctx go func() { bg := context.TODO() _ = bg }() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) func handler(r *http.Request) { _ = r.Context() go func() { go func() { ctx := context.Background() _ = ctx }() }() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func worker(ctx context.Context) { _ = ctx go func() { newCtx := context.Background() _, _ = context.WithTimeout(newCtx, time.Second) }() } `}, 2, gosec.NewConfig()}, {[]string{` package main import "context" func consume(ctx context.Context, ch <-chan int) { _ = ctx for val := range ch { _ = val } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func selectLoop(ctx context.Context, ch <-chan int) { _ = ctx for { select { case <-ch: case <-time.After(time.Second): } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func multiContext(ctx context.Context) { ctx1, cancel1 := context.WithCancel(ctx) defer cancel1() _ = ctx1 ctx2, _ := context.WithCancel(ctx) _ = ctx2 } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" func createContext(ctx context.Context) (context.Context, context.CancelFunc) { return context.WithCancel(ctx) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) func simpleHandler(w http.ResponseWriter, r *http.Request) { go func() { ctx := context.Background() _ = ctx }() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" "time" ) func pollAPI(ctx context.Context) { for { resp, _ := http.Get("https://api.example.com") if resp != nil { resp.Body.Close() } time.Sleep(time.Second) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "database/sql" "time" ) func pollDB(ctx context.Context, db *sql.DB) { for { db.Query("SELECT 1") time.Sleep(time.Second) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "os" "time" ) func watchFile(ctx context.Context) { for { os.ReadFile("config.txt") time.Sleep(time.Second) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" "time" ) func safePoller(ctx context.Context) { ticker := time.NewTicker(time.Second) defer ticker.Stop() for { select { case <-ctx.Done(): return case <-ticker.C: resp, _ := http.Get("https://api.example.com") if resp != nil { resp.Body.Close() } } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func startWorker(ctx context.Context) { go func() { newCtx, cancel := context.WithTimeout(context.TODO(), time.Second) defer cancel() _ = newCtx }() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func leakyLoop(ctx context.Context) { for i := 0; i < 10; i++ { child, _ := context.WithTimeout(ctx, time.Second) _ = child } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func properLoop(ctx context.Context) { for i := 0; i < 10; i++ { child, cancel := context.WithTimeout(ctx, time.Second) defer cancel() _ = child } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func storeCancel(ctx context.Context) { _, cancel := context.WithCancel(ctx) _ = cancel } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" func interfaceCancel(ctx context.Context) { _, cancel := context.WithCancel(ctx) var fn func() = cancel defer fn() } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func nestedContext(ctx context.Context) { ctx1, cancel1 := context.WithCancel(ctx) defer cancel1() ctx2, _ := context.WithCancel(ctx1) _ = ctx2 } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func spawnWorkers(ctx context.Context) { for { go func() { time.Sleep(time.Millisecond) }() time.Sleep(time.Second) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "os" "time" ) func deferredWrites(ctx context.Context) { for { defer func() { os.WriteFile("log.txt", []byte("data"), 0644) }() time.Sleep(time.Second) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "io" "time" ) func readLoop(ctx context.Context, r io.Reader) { buf := make([]byte, 1024) for { r.Read(buf) time.Sleep(time.Millisecond) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) func fetchWithBreak(ctx context.Context) error { client := &http.Client{} for i := 0; i < 5; i++ { req, _ := http.NewRequest("GET", "https://example.com", nil) _, err := client.Do(req) if err != nil { return err } } return nil } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" type Job struct { cancelFn context.CancelFunc } func NewJob(ctx context.Context) *Job { childCtx, cancel := context.WithCancel(ctx) job := &Job{cancelFn: cancel} _ = childCtx return job } func (j *Job) Close() { if j.cancelFn != nil { j.cancelFn() } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" type Worker struct { cancel context.CancelFunc } func NewWorker(ctx context.Context) *Worker { childCtx, cancel := context.WithCancel(ctx) w := &Worker{cancel: cancel} _ = childCtx return w } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" type Service struct { stopFn func() } func (s *Service) Start(ctx context.Context) { childCtx, cancel := context.WithCancel(ctx) s.stopFn = cancel _ = childCtx } func (s *Service) Stop() { if s.stopFn != nil { s.stopFn() } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func conditionalCancel(ctx context.Context, useTimeout bool) { var cancel context.CancelFunc if useTimeout { _, cancel = context.WithCancel(ctx) } else { _, cancel = context.WithCancel(ctx) } defer cancel() } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func storeAndLoad(ctx context.Context) { _, cancel := context.WithCancel(ctx) var holder func() holder = cancel defer holder() } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func changeType(ctx context.Context) { _, cancel := context.WithCancel(ctx) fn := (func())(cancel) defer fn() } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func makeInterface(ctx context.Context) { _, cancel := context.WithCancel(ctx) var iface interface{} = cancel defer iface.(func())() } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" type Container struct { cleanup func() } func (c *Container) Setup(ctx context.Context) { _, cancel := context.WithCancel(ctx) c.cleanup = cancel } func (c *Container) Teardown() { if c.cleanup != nil { c.cleanup() } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" type TaskA struct { cancelFn func() } type TaskB struct { cancelFn func() } func NewTaskA(ctx context.Context) *TaskA { _, cancel := context.WithCancel(ctx) return &TaskA{cancelFn: cancel} } func (t *TaskB) Close() { if t.cancelFn != nil { t.cancelFn() } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" type MultiField struct { name string cancelFn context.CancelFunc data []byte } func (m *MultiField) Init(ctx context.Context) { _, cancel := context.WithCancel(ctx) m.cancelFn = cancel } func (m *MultiField) Cleanup() { if m.cancelFn != nil { m.cancelFn() } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func helper(fn func()) { defer fn() } func useHelper(ctx context.Context) { _, cancel := context.WithCancel(ctx) helper(cancel) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func callAsValue(ctx context.Context) { _, cancel := context.WithCancel(ctx) (func(f func()) { defer f() })(cancel) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func multiPhiEdges(ctx context.Context, a, b, c bool) { var cancel context.CancelFunc if a { _, cancel = context.WithCancel(ctx) } else if b { _, cancel = context.WithCancel(ctx) } else if c { _, cancel = context.WithCancel(ctx) } else { _, cancel = context.WithCancel(ctx) } defer cancel() } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" type Outer struct { inner Inner } type Inner struct { cancel func() } func (o *Outer) Setup(ctx context.Context) { _, cancel := context.WithCancel(ctx) o.inner.cancel = cancel } func (o *Outer) Teardown() { if o.inner.cancel != nil { o.inner.cancel() } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) type HTTPClient interface { Do(*http.Request) (*http.Response, error) } func pollWithInterface(ctx context.Context, client HTTPClient) { for { req, _ := http.NewRequest("GET", "https://example.com", nil) client.Do(req) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" type Sender interface { Send(interface{}) error } func sendLoop(ctx context.Context, s Sender) { for { s.Send("data") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" type Receiver interface { Recv() (interface{}, error) } func recvLoop(ctx context.Context, r Receiver) { for { r.Recv() } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "database/sql" ) type Querier interface { QueryContext(context.Context, string, ...interface{}) (*sql.Rows, error) } func queryLoop(ctx context.Context, q Querier) { for { q.QueryContext(ctx, "SELECT 1") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "database/sql" ) type Executor interface { ExecContext(context.Context, string, ...interface{}) (sql.Result, error) } func execLoop(ctx context.Context, e Executor) { for { e.ExecContext(ctx, "UPDATE foo SET bar = 1") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) func roundTripLoop(ctx context.Context, rt http.RoundTripper) { for { req, _ := http.NewRequest("GET", "https://example.com", nil) rt.RoundTrip(req) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) func headLoop(ctx context.Context) { for { http.Head("https://example.com") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) func postLoop(ctx context.Context) { for { http.Post("https://example.com", "text/plain", nil) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" "net/url" ) func postFormLoop(ctx context.Context) { for { http.PostForm("https://example.com", url.Values{}) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "database/sql" ) func beginLoop(ctx context.Context, db *sql.DB) { for { db.Begin() } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "database/sql" ) func beginTxLoop(ctx context.Context, db *sql.DB) { for { db.BeginTx(ctx, nil) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "os" ) func openLoop(ctx context.Context) { for { os.Open("file.txt") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "os" ) func openFileLoop(ctx context.Context) { for { os.OpenFile("file.txt", os.O_RDONLY, 0644) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "os" ) func writeFileLoop(ctx context.Context) { for { os.WriteFile("file.txt", []byte("data"), 0644) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" func withContext(ctx context.Context) { _, cancel := context.WithCancel(ctx) defer cancel() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func deadlineNotCalled(ctx context.Context) { deadline := time.Now().Add(time.Hour) child, _ := context.WithDeadline(ctx, deadline) _ = child } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) func useRequestContext(w http.ResponseWriter, r *http.Request) { ctx := r.Context() child, cancel := context.WithCancel(ctx) defer cancel() _ = child } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func withDoneCheck(ctx context.Context) { for { select { case <-ctx.Done(): return case <-time.After(time.Millisecond): } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func workerWithBackground(ctx context.Context) { go func() { bg := context.Background() time.Sleep(time.Second) _ = bg }() } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" func usesBackground() { ctx := context.Background() _ = ctx } func launchWorker(ctx context.Context) { go usesBackground() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func boundedSleep(ctx context.Context) { for i := 0; i < 10; i++ { time.Sleep(time.Millisecond) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func loopWithBreak(ctx context.Context) { count := 0 for { time.Sleep(time.Millisecond) count++ if count > 100 { break } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" func emptyFunc(ctx context.Context) { } `}, 0, gosec.NewConfig()}, {[]string{` package main import "net/http" func simpleHTTPHandler(w http.ResponseWriter, r *http.Request) { w.Write([]byte("OK")) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func multipleGoroutines(ctx context.Context) { go func() { bg1 := context.Background() time.Sleep(time.Millisecond) _ = bg1 }() go func() { bg2 := context.TODO() time.Sleep(time.Millisecond) _ = bg2 }() } `}, 2, gosec.NewConfig()}, {[]string{` package main import "context" func spawnWithBg(ctx context.Context) { bg := context.Background() go func(c context.Context) { _ = c }(bg) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" func singleBlockLoop(ctx context.Context) { for i := 0; i < 5; i++ { _ = i } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "context" type CancelFunc func() func convertCancel(ctx context.Context) { _, cancel := context.WithCancel(ctx) converted := CancelFunc(cancel) defer converted() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "io" ) func readLoop(ctx context.Context, r io.Reader) { buf := make([]byte, 1024) for { r.Read(buf) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "io" ) func writeLoop(ctx context.Context, w io.Writer) { for { w.Write([]byte("data")) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "context" func noIssues(ctx context.Context) { _ = ctx } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "database/sql" ) func queryInLoop(ctx context.Context, db *sql.DB) { for { rows, _ := db.Query("SELECT * FROM users") if rows != nil { rows.Close() } } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "database/sql" ) func execInLoop(ctx context.Context, db *sql.DB) { for { db.Exec("UPDATE users SET active = 1") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func worker(ctx context.Context) { defer time.Sleep(time.Second) // work... } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) type Job struct { cancel context.CancelFunc } func (j *Job) Start(ctx context.Context) { childCtx, cancel := context.WithTimeout(ctx, time.Second) j.cancel = cancel _ = childCtx } func (j *Job) Stop() { if j.cancel != nil { j.cancel() } } func run(ctx context.Context) { job := &Job{} job.Start(ctx) job.Stop() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) type Task struct { cancelFn context.CancelFunc } func (t *Task) Execute(ctx context.Context) { childCtx, cancel := context.WithTimeout(ctx, time.Second) t.cancelFn = cancel _ = childCtx } func run(ctx context.Context) { task := &Task{} task.Execute(ctx) // Never calls task.cancelFn() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "context" "time" ) func multipleViolations(ctx context.Context) { _, cancel1 := context.WithTimeout(ctx, time.Second) _, cancel2 := context.WithTimeout(ctx, time.Second) _, cancel3 := context.WithTimeout(ctx, time.Second) _, _, _ = cancel1, cancel2, cancel3 } `}, 3, gosec.NewConfig()}, }
SampleCodeG118 - Context propagation failures that may leak goroutines/resources
View Source
var SampleCodeG119 = []CodeSample{ {[]string{` package main import "net/http" func client() *http.Client { return &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { req.Header = via[len(via)-1].Header.Clone() return nil }, } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "net/http" func client() *http.Client { return &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { req.Header.Set("Authorization", "Bearer token") return nil }, } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "net/http" func client() *http.Client { return &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { req.Header.Add("Cookie", "a=b") return nil }, } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "errors" "net/http" ) func client() *http.Client { return &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { _ = req _ = via return errors.New("stop") }, } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "net/http" func client() *http.Client { return &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { _ = via req.Header.Set("X-Trace-ID", "123") return nil }, } } `}, 0, gosec.NewConfig()}, }
SampleCodeG119 - Unsafe redirect policy that may leak sensitive headers
View Source
var SampleCodeG120 = []CodeSample{ {[]string{` package main import "net/http" func handler(w http.ResponseWriter, r *http.Request) { _ = w _ = r.ParseForm() } `}, 1, gosec.NewConfig()}, {[]string{` package main import "net/http" func handler(w http.ResponseWriter, r *http.Request) { _ = w _ = r.FormValue("q") } `}, 1, gosec.NewConfig()}, {[]string{` package main import "net/http" func handler(w http.ResponseWriter, r *http.Request) { _ = w _ = r.ParseMultipartForm(32 << 20) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "net/http" func handler(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, 1<<20) _ = r.ParseForm() } `}, 0, gosec.NewConfig()}, {[]string{` package main import "net/http" func handler(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, 1<<20) _ = r.FormValue("name") } `}, 0, gosec.NewConfig()}, {[]string{` package main import "net/http" func middleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, 1<<20) next.ServeHTTP(w, r) }) } func handler(w http.ResponseWriter, r *http.Request) { _ = w _ = r.ParseForm() } func register() { http.Handle("/safe", middleware(http.HandlerFunc(handler))) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "net/http" func middleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { next.ServeHTTP(w, r) }) } func handler(w http.ResponseWriter, r *http.Request) { _ = w _ = r.ParseForm() } func register() { http.Handle("/unsafe", middleware(http.HandlerFunc(handler))) } `}, 1, gosec.NewConfig()}, }
SampleCodeG120 - Unbounded form parsing in HTTP handlers
View Source
var SampleCodeG121 = []CodeSample{ {[]string{` package main import "net/http" func setup() { var cop http.CrossOriginProtection cop.AddInsecureBypassPattern("/") } `}, 1, gosec.NewConfig()}, {[]string{` package main import "net/http" func setup() { var cop http.CrossOriginProtection cop.AddInsecureBypassPattern("/*") } `}, 1, gosec.NewConfig()}, {[]string{` package main import "net/http" func handler(w http.ResponseWriter, r *http.Request) { _ = w var cop http.CrossOriginProtection pattern := r.URL.Query().Get("bypass") cop.AddInsecureBypassPattern(pattern) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "net/http" func setup() { var cop http.CrossOriginProtection cop.AddInsecureBypassPattern("/healthz") } `}, 0, gosec.NewConfig()}, {[]string{` package main import "net/http" func setup() { var cop http.CrossOriginProtection cop.AddInsecureBypassPattern("/status") cop.AddInsecureBypassPattern("/metrics") } `}, 0, gosec.NewConfig()}, }
SampleCodeG121 - Unsafe CORS bypass patterns via CrossOriginProtection
View Source
var SampleCodeG122 = []CodeSample{ {[]string{` package main import ( "io/fs" "os" "path/filepath" ) func main() { _ = filepath.WalkDir("/tmp", func(path string, d fs.DirEntry, err error) error { _ = d _ = err return os.Remove(path) }) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "io/fs" "os" "path/filepath" ) func main() { _ = filepath.WalkDir("/var/data", func(path string, d fs.DirEntry, err error) error { _ = d _ = err target := path + ".bak" _, openErr := os.OpenFile(target, os.O_RDWR|os.O_CREATE, 0o600) return openErr }) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "io/fs" "path/filepath" ) func main() { _ = filepath.WalkDir("/tmp", func(path string, d fs.DirEntry, err error) error { _ = path _ = d _ = err return nil }) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func main() { _ = filepath.Walk("/tmp", func(path string, info os.FileInfo, err error) error { _ = path _ = info _ = err return os.Remove("/tmp/fixed-file") }) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "io/fs" "os" "path/filepath" ) func main() { root, err := os.OpenRoot("/tmp") if err != nil { return } defer root.Close() _ = filepath.WalkDir("/tmp", func(path string, d fs.DirEntry, err error) error { _ = d _ = err _, openErr := root.Open(path) return openErr }) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "io/fs" "os" "path/filepath" ) func main() { root, err := os.OpenRoot("/tmp") if err != nil { return } defer root.Close() _ = filepath.WalkDir("/tmp", func(path string, d fs.DirEntry, err error) error { _ = d _ = err return root.Remove(path) }) } `}, 0, gosec.NewConfig()}, }
SampleCodeG122 - Filesystem TOCTOU race risk in filepath.Walk/WalkDir callbacks
View Source
var SampleCodeG123 = []CodeSample{ {[]string{` package main import ( "crypto/tls" "crypto/x509" ) func main() { _ = &tls.Config{ VerifyPeerCertificate: func(_ [][]byte, _ [][]*x509.Certificate) error { return nil }, } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/tls" "crypto/x509" ) func main() { _ = &tls.Config{ GetConfigForClient: func(ch *tls.ClientHelloInfo) (*tls.Config, error) { _ = ch return &tls.Config{ VerifyPeerCertificate: func(_ [][]byte, _ [][]*x509.Certificate) error { return nil }, }, nil }, } } `}, 2, gosec.NewConfig()}, {[]string{` package main import ( "crypto/tls" "crypto/x509" ) func main() { _ = &tls.Config{ VerifyPeerCertificate: func(_ [][]byte, _ [][]*x509.Certificate) error { return nil }, VerifyConnection: func(_ tls.ConnectionState) error { return nil }, } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "crypto/tls" "crypto/x509" ) func main() { cfg := &tls.Config{} cfg.VerifyPeerCertificate = func(_ [][]byte, _ [][]*x509.Certificate) error { return nil } cfg.SessionTicketsDisabled = true _ = cfg } `}, 0, gosec.NewConfig()}, }
SampleCodeG123 - TLS resumption bypass of VerifyPeerCertificate when VerifyConnection is unset
View Source
var SampleCodeG201 = []CodeSample{ {[]string{` // Format string without proper quoting package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // Format string without proper quoting case insensitive package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // Format string without proper quoting with context package main import ( "context" "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) rows, err := db.QueryContext(context.Background(), q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // Format string without proper quoting with transaction package main import ( "context" "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } tx, err := db.Begin() if err != nil { panic(err) } defer tx.Rollback() q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) rows, err := tx.QueryContext(context.Background(), q) if err != nil { panic(err) } defer rows.Close() if err := tx.Commit(); err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // Format string without proper quoting with connection package main import ( "context" "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } conn, err := db.Conn(context.Background()) if err != nil { panic(err) } q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) rows, err := conn.QueryContext(context.Background(), q) if err != nil { panic(err) } defer rows.Close() if err := conn.Close(); err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // Format string false positive, safe string spec. package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM foo where id = %d", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Format string false positive package main import ( "database/sql" ) const staticQuery = "SELECT * FROM foo WHERE age < 32" func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query(staticQuery) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Format string false positive, quoted formatter argument. package main import ( "database/sql" "fmt" "os" "github.com/lib/pq" ) func main(){ db, err := sql.Open("postgres", "localhost") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM %s where id = 1", pq.QuoteIdentifier(os.Args[1])) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // false positive package main import ( "database/sql" "fmt" ) const Table = "foo" func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM %s where id = 1", Table) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) func main(){ fmt.Sprintln() } `}, 0, gosec.NewConfig()}, {[]string{` // Format string with \n\r package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // Format string with \n\r package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM foo where\nname = '%s'", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // SQLI by db.Query(some).Scan(&other) package main import ( "database/sql" "fmt" "os" ) func main() { var name string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1]) row := db.QueryRow(q) err = row.Scan(&name) if err != nil { panic(err) } defer db.Close() }`}, 1, gosec.NewConfig()}, {[]string{` // SQLI by db.Query(some).Scan(&other) package main import ( "database/sql" "fmt" "os" ) func main() { var name string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1]) err = db.QueryRow(q).Scan(&name) if err != nil { panic(err) } defer db.Close() }`}, 1, gosec.NewConfig()}, {[]string{` // SQLI by db.Prepare(some) package main import ( "database/sql" "fmt" "log" "os" ) const Table = "foo" func main() { var album string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1]) stmt, err := db.Prepare(q) if err != nil { log.Fatal(err) } stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album) if err != nil { if err == sql.ErrNoRows { log.Fatal(err) } } defer stmt.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // SQLI by db.PrepareContext(some) package main import ( "context" "database/sql" "fmt" "log" "os" ) const Table = "foo" func main() { var album string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1]) stmt, err := db.PrepareContext(context.Background(), q) if err != nil { log.Fatal(err) } stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album) if err != nil { if err == sql.ErrNoRows { log.Fatal(err) } } defer stmt.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // false positive package main import ( "database/sql" "fmt" "log" "os" ) const Table = "foo" func main() { var album string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } stmt, err := db.Prepare("SELECT * FROM album WHERE id = ?") if err != nil { log.Fatal(err) } stmt.QueryRow(fmt.Sprintf("%s", os.Args[1])).Scan(&album) if err != nil { if err == sql.ErrNoRows { log.Fatal(err) } } defer stmt.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Safe verb (%d) with tainted input - no string injection risk package main import ( "database/sql" "fmt" "os" "strconv" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } id, _ := strconv.Atoi(os.Args[1]) // tainted but used with %d q := fmt.Sprintf("SELECT * FROM foo WHERE id = %d", id) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Mixed args: unsafe %s (tainted) + safe %d (constant) package main import ( "database/sql" "fmt" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM %s WHERE id = %d", os.Args[1], 42) // tainted table + safe int rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // All args constant but unsafe verb present - safe package main import ( "database/sql" "fmt" ) const name = "admin" func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM users WHERE name = '%s'", name) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Formatter from concatenation - risky package main import ( "database/sql" "fmt" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } base := "SELECT * FROM foo WHERE" q := fmt.Sprintf(base + " name = '%s'", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // No unsafe % verb but SQL pattern + tainted concat - G202, not G201 package main import ( "database/sql" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := "SELECT * FROM foo WHERE name = " + os.Args[1] // concat, no % rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Fprintf to os.Stderr - no issue package main import ( "database/sql" "fmt" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM foo WHERE name = '%s'", os.Args[1]) fmt.Fprintf(os.Stderr, "Debug query: %s\n", q) // log, not exec rows, err := db.Query("SELECT * FROM foo") if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, }
SampleCodeG201 - SQL injection via format string
View Source
var SampleCodeG202 = []CodeSample{ {[]string{` // infixed concatenation package main import ( "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := "INSERT INTO foo (name) VALUES ('" + os.Args[0] + "')" rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query("SELECT * FROM foo WHERE name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // case insensitive match package main import ( "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query("select * from foo where name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // context match package main import ( "context" "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.QueryContext(context.Background(), "select * from foo where name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // DB transaction check package main import ( "context" "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } tx, err := db.Begin() if err != nil { panic(err) } defer tx.Rollback() rows, err := tx.QueryContext(context.Background(), "select * from foo where name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() if err := tx.Commit(); err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // DB connection check package main import ( "context" "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } conn, err := db.Conn(context.Background()) if err != nil { panic(err) } rows, err := conn.QueryContext(context.Background(), "select * from foo where name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() if err := conn.Close(); err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // multiple string concatenation package main import ( "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query("SELECT * FROM foo" + "WHERE name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // false positive package main import ( "database/sql" ) var staticQuery = "SELECT * FROM foo WHERE age < " func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query(staticQuery + "32") if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" ) const age = "32" var staticQuery = "SELECT * FROM foo WHERE age < " func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query(staticQuery + age) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` package main const gender = "M" `, ` package main import ( "database/sql" ) const age = "32" var staticQuery = "SELECT * FROM foo WHERE age < " func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query("SELECT * FROM foo WHERE gender = " + gender) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // ExecContext match package main import ( "context" "database/sql" "fmt" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } result, err := db.ExecContext(context.Background(), "select * from foo where name = "+os.Args[1]) if err != nil { panic(err) } fmt.Println(result) }`}, 1, gosec.NewConfig()}, {[]string{` // Exec match package main import ( "database/sql" "fmt" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } result, err := db.Exec("select * from foo where name = " + os.Args[1]) if err != nil { panic(err) } fmt.Println(result) }`}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "fmt" ) const gender = "M" const age = "32" var staticQuery = "SELECT * FROM foo WHERE age < " func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } result, err := db.Exec("SELECT * FROM foo WHERE gender = " + gender) if err != nil { panic(err) } fmt.Println(result) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "fmt" _ "github.com/lib/pq" ) func main() { db, err := sql.Open("postgres", "user=postgres password=password dbname=mydb sslmode=disable") if err!= nil { panic(err) } defer db.Close() var username string fmt.Println("请输入用户名:") fmt.Scanln(&username) var query string = "SELECT * FROM users WHERE username = '" + username + "'" rows, err := db.Query(query) if err!= nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } query := "SELECT * FROM album WHERE id = " query += os.Args[0] rows, err := db.Query(query) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { query := "SELECT * FROM album WHERE id = " query += os.Args[0] fmt.Println(query) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } query := "SELECT * FROM album WHERE id = " query = query + os.Args[0] // risky reassignment concatenation rows, err := db.Query(query) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } query := "SELECT * FROM album WHERE id = " query = query + "42" // safe literal reassignment concatenation rows, err := db.Query(query) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Shadowing edge case: tainted mutation on shadowed variable - should NOT flag // The outer 'query' is safe and passed to db.Query. // The inner shadowed 'query' is mutated with tainted input (irrelevant). package main import ( "database/sql" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } query := "SELECT * FROM foo WHERE id = 42" // safe outer query { query := "base" // shadows outer query query += os.Args[1] // tainted mutation on shadow - should be ignored _ = query // prevent unused warning } rows, err := db.Query(query) // uses safe outer query if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Shadowing edge case: no mutation on shadow, safe outer - regression guard package main import ( "database/sql" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } query := "SELECT * FROM foo WHERE id = 42" { query := "shadowed but unused" _ = query } rows, err := db.Query(query) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // package-level SQL string with tainted concatenation in init() package main import ( "os" ) var query string = "SELECT * FROM foo WHERE name = " func init() { query += os.Args[1] } `, ` package main import ( "database/sql" ) func main() { db, _ := sql.Open("sqlite3", ":memory:") _, _ = db.Query(query) } `}, 1, gosec.NewConfig()}, }
SampleCodeG202 - SQL query string building via string concatenation
View Source
var SampleCodeG203 = []CodeSample{ {[]string{` // We assume that hardcoded template strings are safe as the programmer would // need to be explicitly shooting themselves in the foot (as below) package main import ( "html/template" "os" ) const tmpl = "" func main() { t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test <b>World</b>", "Body": template.HTML("<script>alert(1)</script>"), } t.Execute(os.Stdout, v) } `}, 0, gosec.NewConfig()}, {[]string{` // Using a variable to initialize could potentially be dangerous. Under the // current model this will likely produce some false positives. package main import ( "html/template" "os" ) const tmpl = "" func main() { a := "something from another place" t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test <b>World</b>", "Body": template.HTML(a), } t.Execute(os.Stdout, v) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "html/template" "os" ) const tmpl = "" func main() { a := "something from another place" t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test <b>World</b>", "Body": template.JS(a), } t.Execute(os.Stdout, v) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "html/template" "os" ) const tmpl = "" func main() { a := "something from another place" t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test <b>World</b>", "Body": template.URL(a), } t.Execute(os.Stdout, v) } `}, 1, gosec.NewConfig()}, }
SampleCodeG203 - Template checks
View Source
var SampleCodeG204 = []CodeSample{ {[]string{` package main import ( "log" "os/exec" "context" ) func main() { err := exec.CommandContext(context.Background(), "git", "rev-parse", "--show-toplevel").Run() if err != nil { log.Fatal(err) } log.Printf("Command finished with error: %v", err) } `}, 0, gosec.NewConfig()}, {[]string{` // Calling any function which starts a new process with using // command line arguments as it's arguments is considered dangerous package main import ( "context" "log" "os" "os/exec" ) func main() { err := exec.CommandContext(context.Background(), os.Args[0], "5").Run() if err != nil { log.Fatal(err) } log.Printf("Command finished with error: %v", err) } `}, 1, gosec.NewConfig()}, {[]string{` // Initializing a local variable using a environmental // variable is consider as a dangerous user input package main import ( "log" "os" "os/exec" ) func main() { run := "sleep" + os.Getenv("SOMETHING") cmd := exec.Command(run, "5") err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() log.Printf("Command finished with error: %v", err) } `}, 1, gosec.NewConfig()}, {[]string{` // gosec doesn't have enough context to decide that the // command argument of the RunCmd function is hardcoded string // and that's why it's better to warn the user so he can audit it package main import ( "log" "os/exec" ) func RunCmd(command string) { cmd := exec.Command(command, "5") err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() } func main() { RunCmd("sleep") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "log" "os/exec" ) func RunCmd(a string, c string) { cmd := exec.Command(c) err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() cmd = exec.Command(a) err = cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() } func main() { RunCmd("ll", "ls") } `}, 0, gosec.NewConfig()}, {[]string{` // syscall.Exec function called with hardcoded arguments // shouldn't be consider as a command injection package main import ( "fmt" "syscall" ) func main() { err := syscall.Exec("/bin/cat", []string{"/etc/passwd"}, nil) if err != nil { fmt.Printf("Error: %v\n", err) } } `}, 0, gosec.NewConfig()}, { []string{` package main import ( "fmt" "syscall" ) func RunCmd(command string) { _, err := syscall.ForkExec(command, []string{}, nil) if err != nil { fmt.Printf("Error: %v\n", err) } } func main() { RunCmd("sleep") } `}, 1, gosec.NewConfig(), }, {[]string{` package main import ( "fmt" "syscall" ) func RunCmd(command string) { _, _, err := syscall.StartProcess(command, []string{}, nil) if err != nil { fmt.Printf("Error: %v\n", err) } } func main() { RunCmd("sleep") } `}, 1, gosec.NewConfig()}, {[]string{` // starting a process with a variable as an argument // even if not constant is not considered as dangerous // because it has hardcoded value package main import ( "log" "os/exec" ) func main() { run := "sleep" cmd := exec.Command(run, "5") err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() log.Printf("Command finished with error: %v", err) } `}, 0, gosec.NewConfig()}, {[]string{` // exec.Command from supplemental package sys/execabs // using variable arguments package main import ( "context" "log" "os" exec "golang.org/x/sys/execabs" ) func main() { err := exec.CommandContext(context.Background(), os.Args[0], "5").Run() if err != nil { log.Fatal(err) } log.Printf("Command finished with error: %v", err) } `}, 1, gosec.NewConfig()}, {[]string{` // Initializing a local variable using a environmental // variable is consider as a dangerous user input package main import ( "log" "os" "os/exec" ) func main() { var run = "sleep" + os.Getenv("SOMETHING") cmd := exec.Command(run, "5") err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() log.Printf("Command finished with error: %v", err) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "os/exec" "runtime" ) // Safe OS-specific command selection using a hard-coded map and slice operations. // Closely matches the pattern in https://github.com/securego/gosec/issues/1199. // The command name and fixed arguments are fully resolved from constant composite literals, // even though the map key is runtime.GOOS (non-constant in analysis). func main() { commands := map[string][]string{ "darwin": {"open"}, "freebsd": {"xdg-open"}, "linux": {"xdg-open"}, "netbsd": {"xdg-open"}, "openbsd": {"xdg-open"}, "windows": {"cmd", "/c", "start"}, } platform := runtime.GOOS cmdArgs := commands[platform] if cmdArgs == nil { return // unsupported platform } exe := cmdArgs[0] args := cmdArgs[1:] // No dynamic/tainted input; fixed args passed via ... expansion _ = exec.Command(exe, args...) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os/exec" ) // Direct use of a function parameter in exec.Command. // This is clearly tainted input (parameter from caller, potentially user-controlled). func vulnerable(command string) { // Dangerous pattern: passing unsanitized input to a shell _ = exec.Command("bash", "-c", command) } func main() { // In real scenarios, this could be user input (e.g., via flag, HTTP param, etc.) vulnerable("echo safe") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "os/exec" ) // Indirect use: assign parameter to local variable before use. // Included for comparison/regression testing. func vulnerable(command string) { cmdStr := command // local assignment _ = exec.Command("bash", "-c", cmdStr) } func main() { vulnerable("echo safe") } `}, 1, gosec.NewConfig()}, }
SampleCodeG204 - Subprocess auditing
View Source
var SampleCodeG301 = []CodeSample{ {[]string{` package main import ( "fmt" "os" ) func main() { err := os.Mkdir("/tmp/mydir", 0777) if err != nil { fmt.Println("Error when creating a directory!") return } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { err := os.MkdirAll("/tmp/mydir", 0777) if err != nil { fmt.Println("Error when creating a directory!") return } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { err := os.Mkdir("/tmp/mydir", 0600) if err != nil { fmt.Println("Error when creating a directory!") return } } `}, 0, gosec.NewConfig()}, }
SampleCodeG301 - mkdir permission check
View Source
var SampleCodeG302 = []CodeSample{ {[]string{` package main import ( "fmt" "os" ) func main() { err := os.Chmod("/tmp/somefile", 0777) if err != nil { fmt.Println("Error when changing file permissions!") return } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { _, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666) if err != nil { fmt.Println("Error opening a file!") return } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { err := os.Chmod("/tmp/mydir", 0400) if err != nil { fmt.Println("Error") return } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { _, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600) if err != nil { fmt.Println("Error opening a file!") return } } `}, 0, gosec.NewConfig()}, }
SampleCodeG302 - file create / chmod permissions check
View Source
var SampleCodeG303 = []CodeSample{ {[]string{` package samples import ( "fmt" "io/ioutil" "os" "path" "path/filepath" ) func main() { err := ioutil.WriteFile("/tmp/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } f, err := os.Create("/tmp/demo2") if err != nil { fmt.Println("Error while writing!") } else if err = f.Close(); err != nil { fmt.Println("Error while closing!") } err = os.WriteFile("/tmp/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile("/usr/tmp/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile("/tmp/" + "demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile(os.TempDir() + "/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile(path.Join("/var/tmp", "demo2"), []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile(path.Join(os.TempDir(), "demo2"), []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile(filepath.Join(os.TempDir(), "demo2"), []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } } `}, 9, gosec.NewConfig()}, }
SampleCodeG303 - bad tempfile permissions & hardcoded shared path
View Source
var SampleCodeG304 = []CodeSample{ {[]string{` package main import ( "os" "io/ioutil" "log" ) func main() { f := os.Getenv("tainted_file") body, err := ioutil.ReadFile(f) if err != nil { log.Printf("Error: %v\n", err) } log.Print(body) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "os" "log" ) func main() { f := os.Getenv("tainted_file") body, err := os.ReadFile(f) if err != nil { log.Printf("Error: %v\n", err) } log.Print(body) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "log" "net/http" "os" ) func main() { http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { title := r.URL.Query().Get("title") f, err := os.Open(title) if err != nil { fmt.Printf("Error: %v\n", err) } body := make([]byte, 5) if _, err = f.Read(body); err != nil { fmt.Printf("Error: %v\n", err) } fmt.Fprintf(w, "%s", body) }) log.Fatal(http.ListenAndServe(":3000", nil)) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "log" "net/http" "os" ) func main() { http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { title := r.URL.Query().Get("title") f, err := os.OpenFile(title, os.O_RDWR|os.O_CREATE, 0755) if err != nil { fmt.Printf("Error: %v\n", err) } body := make([]byte, 5) if _, err = f.Read(body); err != nil { fmt.Printf("Error: %v\n", err) } fmt.Fprintf(w, "%s", body) }) log.Fatal(http.ListenAndServe(":3000", nil)) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "os" "io/ioutil" ) func main() { f2 := os.Getenv("tainted_file2") body, err := ioutil.ReadFile("/tmp/" + f2) if err != nil { log.Printf("Error: %v\n", err) } log.Print(body) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "bufio" "fmt" "os" "path/filepath" ) func main() { reader := bufio.NewReader(os.Stdin) fmt.Print("Please enter file to read: ") file, _ := reader.ReadString('\n') file = file[:len(file)-1] f, err := os.Open(filepath.Join("/tmp/service/", file)) if err != nil { fmt.Printf("Error: %v\n", err) } contents := make([]byte, 15) if _, err = f.Read(contents); err != nil { fmt.Printf("Error: %v\n", err) } fmt.Println(string(contents)) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "os" "io/ioutil" "path/filepath" ) func main() { dir := os.Getenv("server_root") f3 := os.Getenv("tainted_file3") // edge case where both a binary expression and file Join are used. body, err := ioutil.ReadFile(filepath.Join("/var/"+dir, f3)) if err != nil { log.Printf("Error: %v\n", err) } log.Print(body) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func main() { repoFile := "path_of_file" cleanRepoFile := filepath.Clean(repoFile) _, err := os.OpenFile(cleanRepoFile, os.O_RDONLY, 0600) if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func openFile(filePath string) { _, err := os.OpenFile(filepath.Clean(filePath), os.O_RDONLY, 0600) if err != nil { panic(err) } } func main() { repoFile := "path_of_file" openFile(repoFile) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func openFile(dir string, filePath string) { fp := filepath.Join(dir, filePath) fp = filepath.Clean(fp) _, err := os.OpenFile(fp, os.O_RDONLY, 0600) if err != nil { panic(err) } } func main() { repoFile := "path_of_file" dir := "path_of_dir" openFile(dir, repoFile) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func main() { repoFile := "path_of_file" relFile, err := filepath.Rel("./", repoFile) if err != nil { panic(err) } _, err = os.OpenFile(relFile, os.O_RDONLY, 0600) if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "io" "os" ) func createFile(file string) *os.File { f, err := os.Create(file) if err != nil { panic(err) } return f } func main() { s, err := os.Open("src") if err != nil { panic(err) } defer s.Close() d := createFile("dst") defer d.Close() _, err = io.Copy(d, s) if err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "path/filepath" ) type foo struct { } func (f *foo) doSomething(silly string) error { whoCares, err := filepath.Rel(THEWD, silly) if err != nil { return err } fmt.Printf("%s", whoCares) return nil } func main() { f := &foo{} if err := f.doSomething("irrelevant"); err != nil { panic(err) } } `, ` package main var THEWD string `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func open(fn string, perm os.FileMode) { fh, err := os.OpenFile(filepath.Clean(fn), os.O_RDONLY, perm) if err != nil { panic(err) } defer fh.Close() } func main() { fn := "filename" open(fn, 0o600) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func open(fn string, flag int) { fh, err := os.OpenFile(filepath.Clean(fn), flag, 0o600) if err != nil { panic(err) } defer fh.Close() } func main() { fn := "filename" open(fn, os.O_RDONLY) } `}, 0, gosec.NewConfig()}, }
SampleCodeG304 - potential file inclusion vulnerability
View Source
var SampleCodeG305 = []CodeSample{ {[]string{` package unzip import ( "archive/zip" "io" "os" "path/filepath" ) func unzip(archive, target string) error { reader, err := zip.OpenReader(archive) if err != nil { return err } if err := os.MkdirAll(target, 0750); err != nil { return err } for _, file := range reader.File { path := filepath.Join(target, file.Name) if file.FileInfo().IsDir() { os.MkdirAll(path, file.Mode()) //#nosec continue } fileReader, err := file.Open() if err != nil { return err } defer fileReader.Close() targetFile, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode()) if err != nil { return err } defer targetFile.Close() if _, err := io.Copy(targetFile, fileReader); err != nil { return err } } return nil } `}, 1, gosec.NewConfig()}, {[]string{` package unzip import ( "archive/zip" "io" "os" "path/filepath" ) func unzip(archive, target string) error { reader, err := zip.OpenReader(archive) if err != nil { return err } if err := os.MkdirAll(target, 0750); err != nil { return err } for _, file := range reader.File { archiveFile := file.Name path := filepath.Join(target, archiveFile) if file.FileInfo().IsDir() { os.MkdirAll(path, file.Mode()) //#nosec continue } fileReader, err := file.Open() if err != nil { return err } defer fileReader.Close() targetFile, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode()) if err != nil { return err } defer targetFile.Close() if _, err := io.Copy(targetFile, fileReader); err != nil { return err } } return nil } `}, 1, gosec.NewConfig()}, {[]string{` package zip import ( "archive/zip" "io" "os" "path" ) func extractFile(f *zip.File, destPath string) error { filePath := path.Join(destPath, f.Name) os.MkdirAll(path.Dir(filePath), os.ModePerm) rc, err := f.Open() if err != nil { return err } defer rc.Close() fw, err := os.Create(filePath) if err != nil { return err } defer fw.Close() if _, err = io.Copy(fw, rc); err != nil { return err } if f.FileInfo().Mode()&os.ModeSymlink != 0 { return nil } if err = os.Chtimes(filePath, f.ModTime(), f.ModTime()); err != nil { return err } return os.Chmod(filePath, f.FileInfo().Mode()) } `}, 1, gosec.NewConfig()}, {[]string{` package tz import ( "archive/tar" "io" "os" "path" ) func extractFile(f *tar.Header, tr *tar.Reader, destPath string) error { filePath := path.Join(destPath, f.Name) os.MkdirAll(path.Dir(filePath), os.ModePerm) fw, err := os.Create(filePath) if err != nil { return err } defer fw.Close() if _, err = io.Copy(fw, tr); err != nil { return err } if f.FileInfo().Mode()&os.ModeSymlink != 0 { return nil } if err = os.Chtimes(filePath, f.FileInfo().ModTime(), f.FileInfo().ModTime()); err != nil { return err } return os.Chmod(filePath, f.FileInfo().Mode()) } `}, 1, gosec.NewConfig()}, }
SampleCodeG305 - File path traversal when extracting zip/tar archives
View Source
var SampleCodeG306 = []CodeSample{ {[]string{` package main import ( "bufio" "fmt" "io/ioutil" "os" ) func check(e error) { if e != nil { panic(e) } } func main() { d1 := []byte("hello\ngo\n") err := ioutil.WriteFile("/tmp/dat1", d1, 0744) check(err) allowed := ioutil.WriteFile("/tmp/dat1", d1, 0600) check(allowed) f, err := os.Create("/tmp/dat2") check(err) defer f.Close() d2 := []byte{115, 111, 109, 101, 10} n2, err := f.Write(d2) defer check(err) fmt.Printf("wrote %d bytes\n", n2) n3, err := f.WriteString("writes\n") fmt.Printf("wrote %d bytes\n", n3) f.Sync() w := bufio.NewWriter(f) n4, err := w.WriteString("buffered\n") fmt.Printf("wrote %d bytes\n", n4) w.Flush() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "io/ioutil" "os" ) func check(e error) { if e != nil { panic(e) } } func main() { content := []byte("hello\ngo\n") err := ioutil.WriteFile("/tmp/dat1", content, os.ModePerm) check(err) } `}, 1, gosec.NewConfig()}, }
SampleCodeG306 - Poor permissions for WriteFile
View Source
var SampleCodeG307 = []CodeSample{ {[]string{` package main import ( "fmt" "os" ) func check(e error) { if e != nil { panic(e) } } func main() { f, err := os.Create("/tmp/dat2") check(err) defer f.Close() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func check(e error) { if e != nil { panic(e) } } func main() { f, err := os.Create("/tmp/dat2") check(err) defer f.Close() } `}, 1, gosec.Config{"G307": "0o600"}}, }
SampleCodeG307 - Poor permissions for os.Create
View Source
var SampleCodeG402 = []CodeSample{ {[]string{` // InsecureSkipVerify package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, } client := &http.Client{Transport: tr} _, err := client.Get("https://go.dev/") if err != nil { fmt.Println(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // InsecureSkipVerify from variable package main import ( "crypto/tls" ) func main() { var conf tls.Config conf.InsecureSkipVerify = true } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{MinVersion: 0}, } client := &http.Client{Transport: tr} _, err := client.Get("https://go.dev/") if err != nil { fmt.Println(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" ) func CaseNotError() *tls.Config { var v uint16 = tls.VersionTLS13 return &tls.Config{ MinVersion: v, } } func main() { a := CaseNotError() fmt.Printf("Debug: %v\n", a.MinVersion) } `}, 0, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" ) func CaseNotError() *tls.Config { return &tls.Config{ MinVersion: tls.VersionTLS13, } } func main() { a := CaseNotError() fmt.Printf("Debug: %v\n", a.MinVersion) } `}, 0, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" ) func CaseError() *tls.Config { var v = &tls.Config{ MinVersion: 0, } return v } func main() { a := CaseError() fmt.Printf("Debug: %v\n", a.MinVersion) } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" ) func CaseError() *tls.Config { var v = &tls.Config{ MinVersion: getVersion(), } return v } func getVersion() uint16 { return tls.VersionTLS12 } func main() { a := CaseError() fmt.Printf("Debug: %v\n", a.MinVersion) } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" "net/http" ) var theValue uint16 = 0x0304 func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{MinVersion: theValue}, } client := &http.Client{Transport: tr} _, err := client.Get("https://go.dev/") if err != nil { fmt.Println(err) } } `}, 0, gosec.NewConfig()}, {[]string{` // Insecure max version package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{MaxVersion: 0}, } client := &http.Client{Transport: tr} _, err := client.Get("https://go.dev/") if err != nil { fmt.Println(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure ciphersuite selection package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{ CipherSuites: []uint16{ tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, }, }, } client := &http.Client{Transport: tr} _, err := client.Get("https://go.dev/") if err != nil { fmt.Println(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // secure max version when min version is specified package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{ MaxVersion: 0, MinVersion: tls.VersionTLS13, }, } client := &http.Client{Transport: tr} _, err := client.Get("https://go.dev/") if err != nil { fmt.Println(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package p0 import "crypto/tls" func TlsConfig0() *tls.Config { var v uint16 = 0 return &tls.Config{MinVersion: v} } `, ` package p0 import "crypto/tls" func TlsConfig1() *tls.Config { return &tls.Config{MinVersion: 0x0304} } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/tls" "fmt" ) func main() { cfg := tls.Config{ MinVersion: MinVer, } fmt.Println("tls min version", cfg.MinVersion) } `, ` package main import "crypto/tls" const MinVer = tls.VersionTLS13 `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "crypto/tls" cryptotls "crypto/tls" ) func main() { _ = tls.Config{MinVersion: tls.VersionTLS12} _ = cryptotls.Config{MinVersion: cryptotls.VersionTLS12} } `}, 0, gosec.NewConfig()}, {[]string{` // InsecureSkipVerify with unary NOT (direct !false → true, high confidence) package main import "crypto/tls" func main() { _ = &tls.Config{InsecureSkipVerify: !false} } `}, 1, gosec.NewConfig()}, {[]string{` // InsecureSkipVerify with unary NOT (direct !true → false, no issue) package main import "crypto/tls" func main() { _ = &tls.Config{InsecureSkipVerify: !true} } `}, 0, gosec.NewConfig()}, {[]string{` // InsecureSkipVerify via const with NOT (resolves to true, high confidence) package main import "crypto/tls" const skipVerify = !false func main() { _ = &tls.Config{InsecureSkipVerify: skipVerify} } `}, 1, gosec.NewConfig()}, {[]string{` // PreferServerCipherSuites false (direct, medium severity) package main import "crypto/tls" func main() { _ = &tls.Config{PreferServerCipherSuites: false} } `}, 1, gosec.NewConfig()}, {[]string{` // PreferServerCipherSuites with !true (resolves to false) package main import "crypto/tls" func main() { _ = &tls.Config{PreferServerCipherSuites: !true} } `}, 1, gosec.NewConfig()}, {[]string{` // PreferServerCipherSuites true (no issue) package main import "crypto/tls" func main() { _ = &tls.Config{PreferServerCipherSuites: true} } `}, 0, gosec.NewConfig()}, {[]string{` // MaxVersion explicitly low via variable package main import "crypto/tls" func main() { var lowMax uint16 = tls.VersionTLS10 _ = &tls.Config{MaxVersion: lowMax} } `}, 1, gosec.NewConfig()}, {[]string{` // PreferServerCipherSuites unknown → low-confidence package main import "crypto/tls" var prefer bool // unresolved func main() { _ = &tls.Config{PreferServerCipherSuites: prefer} } `}, 1, gosec.NewConfig()}, }
SampleCodeG402 - TLS settings
View Source
var SampleCodeG403 = []CodeSample{ {[]string{` package main import ( "crypto/rand" "crypto/rsa" "fmt" ) func main() { //Generate Private Key pvk, err := rsa.GenerateKey(rand.Reader, 1024) if err != nil { fmt.Println(err) } fmt.Println(pvk) } `}, 1, gosec.NewConfig()}, }
SampleCodeG403 - weak key strength
View Source
var SampleCodeG404 = []CodeSample{ {[]string{` package main import "crypto/rand" func main() { good, _ := rand.Read(nil) println(good) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "math/rand" func main() { bad := rand.Int() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "math/rand/v2" func main() { bad := rand.Int() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/rand" mrand "math/rand" ) func main() { good, _ := rand.Read(nil) println(good) bad := mrand.Int31() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/rand" mrand "math/rand/v2" ) func main() { good, _ := rand.Read(nil) println(good) bad := mrand.Int32() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "math/rand" ) func main() { gen := rand.New(rand.NewSource(10)) bad := gen.Int() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "math/rand/v2" ) func main() { gen := rand.New(rand.NewPCG(1, 2)) bad := gen.Int() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "math/rand" ) func main() { bad := rand.Intn(10) println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "math/rand/v2" ) func main() { bad := rand.IntN(10) println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/rand" "math/big" rnd "math/rand" ) func main() { good, _ := rand.Int(rand.Reader, big.NewInt(int64(2))) println(good) bad := rnd.Intn(2) println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/rand" "math/big" rnd "math/rand/v2" ) func main() { good, _ := rand.Int(rand.Reader, big.NewInt(int64(2))) println(good) bad := rnd.IntN(2) println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( crand "crypto/rand" "math/big" "math/rand" rand2 "math/rand" rand3 "math/rand" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.Intn(2) // bad _ = rand2.Intn(2) // bad _ = rand3.Intn(2) // bad } `}, 3, gosec.NewConfig()}, {[]string{` package main import ( crand "crypto/rand" "math/big" "math/rand/v2" rand2 "math/rand/v2" rand3 "math/rand/v2" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.IntN(2) // bad _ = rand2.IntN(2) // bad _ = rand3.IntN(2) // bad } `}, 3, gosec.NewConfig()}, }
SampleCodeG404 - weak random number
View Source
var SampleCodeG407 = []CodeSample{ {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesOFB := cipher.NewOFB(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesOFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func encrypt(nonce []byte) { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesOFB := cipher.NewOFB(block, nonce) var output = make([]byte, 16) aesOFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } func main() { var nonce = []byte("ILoveMyNonceAlot") encrypt(nonce) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesOFB := cipher.NewOFB(block, []byte("ILoveMyNonceAlot")) // #nosec G407 var output = make([]byte, 16) aesOFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher( []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, func() []byte { if true { return []byte("ILoveMyNonce") } else { return []byte("IDont'Love..") } }(), []byte("My secret message"), nil) // #nosec G407 fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, func() []byte { if true { return []byte("ILoveMyNonce") } else { return []byte("IDont'Love..") } }(), cipherText, nil) // #nosec G407 fmt.Println(string(cipherText)) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesOFB := cipher.NewOFB(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) var output = make([]byte, 16) aesOFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) }`}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCTR := cipher.NewCTR(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCTR.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) }`}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCTR := cipher.NewCTR(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) var output = make([]byte, 16) aesCTR.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, []byte("ILoveMyNonce"), []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, []byte("ILoveMyNonce"), cipherText, nil) fmt.Println(string(cipherText)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, []byte{}, []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, []byte{}, cipherText, nil) fmt.Println(string(cipherText)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}, []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}, cipherText, nil) fmt.Println(string(cipherText)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher( []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, func() []byte { if true { return []byte("ILoveMyNonce") } else { return []byte("IDont'Love..") } }(), []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, func() []byte { if true { return []byte("ILoveMyNonce") } else { return []byte("IDont'Love..") } }(), cipherText, nil) fmt.Println(string(cipherText)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, func() []byte { if true { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} } else { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} } }(), []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, func() []byte { if true { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} } else { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} } }(), cipherText, nil) fmt.Println(string(cipherText)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipheredText := aesGCM.Seal(nil, func() []byte { return []byte("ILoveMyNonce") }(), []byte("My secret message"), nil) fmt.Println(string(cipheredText)) cipheredText, _ = aesGCM.Open(nil, func() []byte { return []byte("ILoveMyNonce") }(), cipheredText, nil) fmt.Println(string(cipheredText)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipheredText := aesGCM.Seal(nil, func() []byte { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} }(), []byte("My secret message"), nil) fmt.Println(string(cipheredText)) cipheredText, _ = aesGCM.Open(nil, func() []byte { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} }(), cipheredText, nil) fmt.Println(string(cipheredText)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCFB := cipher.NewCFBEncrypter(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) aesCFB = cipher.NewCFBDecrypter(block, []byte("ILoveMyNonceAlot")) aesCFB.XORKeyStream(output, output) fmt.Println(string(output)) }`}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCFB := cipher.NewCFBEncrypter(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) var output = make([]byte, 16) aesCFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) aesCFB = cipher.NewCFBDecrypter(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCFB.XORKeyStream(output, output) fmt.Println(string(output)) }`}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCBC := cipher.NewCBCEncrypter(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCBC.CryptBlocks(output, []byte("Very Cool thing!")) fmt.Println(string(output)) aesCBC = cipher.NewCBCDecrypter(block, []byte("ILoveMyNonceAlot")) aesCBC.CryptBlocks(output, output) fmt.Println(string(output)) }`}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCBC := cipher.NewCBCEncrypter(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) var output = make([]byte, 16) aesCBC.CryptBlocks(output, []byte("Very Cool thing!")) fmt.Println(string(output)) aesCBC = cipher.NewCBCDecrypter(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCBC.CryptBlocks(output, output) fmt.Println(string(output)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { var nonce = []byte("ILoveMyNonce") block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) fmt.Println(string(aesGCM.Seal(nil, nonce, []byte("My secret message"), nil))) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { var nonce = []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCTR := cipher.NewCTR(block, nonce) var output = make([]byte, 16) aesCTR.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" "fmt" ) func coolFunc(size int) []byte{ buf := make([]byte, size) rand.Read(buf) return buf } func main() { var nonce = coolFunc(16) block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCTR := cipher.NewCTR(block, nonce) var output = make([]byte, 16) aesCTR.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) var nonce = []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, nonce, []byte("My secret message"), nil) fmt.Println(string(cipherText)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func Decrypt(data []byte, key []byte) ([]byte, error) { block, _ := aes.NewCipher(key) gcm, _ := cipher.NewGCM(block) nonceSize := gcm.NonceSize() if len(data) < nonceSize { return nil, nil } nonce, ciphertext := data[:nonceSize], data[nonceSize:] return gcm.Open(nil, nonce, ciphertext, nil) } func main() {} `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) const iv = "1234567812345678" func wrapper(s string, b cipher.Block) { cipher.NewCTR(b, []byte(s)) } func main() { b, _ := aes.NewCipher([]byte("1234567812345678")) wrapper(iv, b) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) var globalIV = []byte("1234567812345678") func wrapper(iv []byte, b cipher.Block) { cipher.NewCTR(b, iv) } func main() { b, _ := aes.NewCipher([]byte("1234567812345678")) wrapper(globalIV, b) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/cipher" ) func recursive(s string, b cipher.Block) { recursive(s, b) cipher.NewCTR(b, []byte(s)) } func main() { recursive("1234567812345678", nil) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func main() { k := make([]byte, 48) key, iv := k[:32], k[32:] block, _ := aes.NewCipher(key) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func main() { k := make([]byte, 48) k[32] = 1 key, iv := k[:32], k[32:] block, _ := aes.NewCipher(key) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { iv := make([]byte, 16) rand.Read(iv) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "io" ) func main() { iv := make([]byte, 16) io.ReadFull(nil, iv) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func fill(b []byte) { b[0] = 1 } func main() { iv := make([]byte, 16) fill(iv) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { iv := make([]byte, 16) rand.Read(iv) iv[0] = 1 // overwriting block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { iv := make([]byte, 16) rand.Read(iv[0:8]) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { iv := make([]byte, 16) rand.Read(iv[0:16]) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { buf := make([]byte, 128) rand.Read(buf[32:48]) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, buf[32:48]) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "os" ) func main() { key := []byte("example key 1234") block, _ := aes.NewCipher(key) iv := []byte("1234567890123456") var f func(cipher.Block, []byte) cipher.Stream if len(os.Args) > 1 { f = cipher.NewCTR } else { f = cipher.NewOFB } stream := f(block, iv) _ = stream } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" "os" ) func main() { key := []byte("example key 1234") block, _ := aes.NewCipher(key) iv := []byte("1234567890123456") rand.Read(iv) var f func(cipher.Block, []byte) cipher.Stream if len(os.Args) > 1 { f = cipher.NewCTR } else { f = cipher.NewOFB } stream := f(block, iv) _ = stream } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func myReaderDirect(b []byte) (int, error) { return rand.Read(b) } func main() { iv := make([]byte, 16) // Direct call to user function (myReaderDirect) which calls rand.Read myReaderDirect(iv) key := []byte("example key 1234") block, _ := aes.NewCipher(key) _ = cipher.NewCTR(block, iv) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func myReaderDirect(b []byte) (int, error) { n, err := rand.Read(b) if n > 1 { b[0] = 1 // overwriting } return n, err } func main() { iv := make([]byte, 16) // Direct call to user function (myReaderDirect) which calls rand.Read but overwrites the IV myReaderDirect(iv) key := []byte("example key 1234") block, _ := aes.NewCipher(key) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/cipher" ) func myBadCipher(n int, block cipher.Block) cipher.Stream { iv := make([]byte, n) iv[0] = 0x01 return cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/cipher" ) func myBadCipher(n int, block cipher.Block) cipher.Stream { iv := make([]byte, n) return cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/cipher" "os" ) func myGoodCipher(block cipher.Block) (cipher.Stream, error) { iv, err := os.ReadFile("iv.bin") if err != nil { return nil, err } return cipher.NewCTR(block, iv), nil } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/cipher" "io" ) func myGoodInterfaceCipher(r io.Reader, block cipher.Block) { iv := make([]byte, 16) r.Read(iv) stream := cipher.NewCTR(block, iv) _ = stream } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { key := []byte("example key 1234") block, _ := aes.NewCipher(key) iv := []byte("1234567890123456") iv[8] = 0 rand.Read(iv) stream := cipher.NewCTR(block, iv) _ = stream } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func test(init func([]byte)) { key := []byte("example key 1234") block, _ := aes.NewCipher(key) iv := make([]byte, 16) init(iv) // We can't resolve 'init', should default to Dynamic to avoid FP stream := cipher.NewCTR(block, iv) _ = stream } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "io" ) type CustomReader interface { io.Reader } func testCustomReader(cr CustomReader) { key := []byte("example key 1234") block, _ := aes.NewCipher(key) iv := make([]byte, 16) cr.Read(iv) stream := cipher.NewCTR(block, iv) _ = stream } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/cipher" "io" ) func interfaceSafeOverwrite(r io.Reader, block cipher.Block) { iv := make([]byte, 16) iv[0] = 0 // Tainted r.Read(iv) // Dynamic Interface Read (covers taint) stream := cipher.NewCTR(block, iv) _ = stream } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "io" ) type CustomReader interface { io.Reader } func testCustomReaderOverwrite(cr CustomReader) { key := []byte("example key 1234") block, _ := aes.NewCipher(key) iv := make([]byte, 16) iv[15] = 1 // Taint cr.Read(iv) // Cover via embedded interface stream := cipher.NewCTR(block, iv) _ = stream } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/cipher" "io" ) func interfaceSafeOverwriteSlice(r io.Reader, block cipher.Block) { iv := make([]byte, 16) iv[0] = 0 r.Read(iv[:]) stream := cipher.NewCTR(block, iv) _ = stream } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/cipher" ) func pointerUnOpIV(block cipher.Block) { iv := make([]byte, 16) // Hardcoded ptr := &iv stream := cipher.NewCTR(block, *ptr) _ = stream } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/rand" "crypto/cipher" ) func pointerUnOpSafeIV(block cipher.Block) { iv := make([]byte, 16) rand.Read(iv) // Dynamic ptr := &iv stream := cipher.NewCTR(block, *ptr) // dynamic dereference _ = stream } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { iv := make([]byte, 16) rand.Read(iv[6:12]) rand.Read(iv[0:6]) rand.Read(iv[12:16]) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { iv := make([]byte, 16) rand.Read(iv[6:12]) iv[6] = 0 rand.Read(iv[0:7]) iv[10] = 0 rand.Read(iv[10:16]) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "os" ) func main() { iv := make([]byte, len(os.Args)) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" "os" ) func main() { iv := make([]byte, 16) low := len(os.Args) sub := iv[low:] rand.Read(sub) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "os" ) func main() { iv := make([]byte, 16) i := len(os.Args) iv[i] = 0 block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func test(iv []byte) { iv[0] = 0 block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } func main() { test(make([]byte, 16)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { iv := make([]byte, 16) rand.Read(iv[6:12]) iv[6] = 0 rand.Read(iv[0:7]) iv[10] = 0 rand.Read(iv[10:16]) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "os" ) func main() { iv := make([]byte, len(os.Args)) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" "os" ) func main() { iv := make([]byte, 16) low := len(os.Args) sub := iv[low:] rand.Read(sub) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "os" ) func main() { iv := make([]byte, 16) i := len(os.Args) iv[i] = 0 block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func test(iv []byte) { iv[0] = 0 block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } func main() { test(make([]byte, 16)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func unsafeOverwrite(i int) { iv := make([]byte, 16) rand.Read(iv) if i >= 10 && i < 16 { iv[i] = 0 } block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv[:16]) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func safeOverwrite(i int) { iv := make([]byte, 128) rand.Read(iv) if i >= 16 && i < 128{ iv[i] = 0 } block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv[:16]) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func unsafeOverwrite(i int) { iv := make([]byte, 16) rand.Read(iv) if i > 0 { iv[i % 16] = 0 } block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func unsafeOverwrite(i int) { iv := make([]byte, 16) rand.Read(iv) if i - 16 > 0 && i + 16 < 32 { iv[i - 16] = 0 } block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" ) func main() { iv := make([]byte, 16) rand.Read(iv) // Alias assignment alias := iv alias[0] = 0 // Hardcoded write via alias (unsafe) block, _ := aes.NewCipher([]byte("12345678123456781234567812345678")) _ = cipher.NewCTR(block, iv) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func Decrypt(data []byte, key [32]byte) ([]byte, error) { block, _ := aes.NewCipher(key[:32]) gcm, _ := cipher.NewGCM(block) // Using a hardcoded nonce for DECRYPTION is safe - must match encryption nonce nonce := []byte("ILoveMyNonce") return gcm.Open(nil, nonce, data[gcm.NonceSize():], nil) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) // Encrypt with hardcoded nonce - SHOULD be flagged cipherText := aesGCM.Seal(nil, []byte("ILoveMyNonce"), []byte("My secret message"), nil) // Decrypt with same nonce - should NOT be flagged (same nonce as encryption) cipherText, _ = aesGCM.Open(nil, []byte("ILoveMyNonce"), cipherText, nil) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) // NewCBCDecrypter should not be flagged - decryption must use same nonce as encryption aesCBC := cipher.NewCBCDecrypter(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCBC.CryptBlocks(output, []byte("encrypted_block!")) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) // NewCFBDecrypter should not be flagged - decryption must use same nonce as encryption aesCFB := cipher.NewCFBDecrypter(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCFB.XORKeyStream(output, []byte("Very Cool thing!")) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) // NewCBCEncrypter SHOULD be flagged - encryption should use random nonce aesCBC := cipher.NewCBCEncrypter(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCBC.CryptBlocks(output, []byte("Very Cool thing!")) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) // NewCFBEncrypter SHOULD be flagged - encryption should use random nonce aesCFB := cipher.NewCFBEncrypter(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCFB.XORKeyStream(output, []byte("Very Cool thing!")) } `}, 1, gosec.NewConfig()}, }
SampleCodeG407 - Use of hardcoded nonce/IV
View Source
var SampleCodeG408 = []CodeSample{ {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } var lastKey PublicKey func setupServer() { config := &ServerConfig{} config.PublicKeyCallback = func(conn ConnMetadata, key PublicKey) (*Permissions, error) { lastKey = key return &Permissions{}, nil } _ = config } `}, 1, gosec.NewConfig()}, {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } type Server struct { currentKey PublicKey } func setupServer() { srv := &Server{} config := &ServerConfig{} config.PublicKeyCallback = func(conn ConnMetadata, key PublicKey) (*Permissions, error) { srv.currentKey = key return &Permissions{}, nil } _ = config } `}, 1, gosec.NewConfig()}, {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } func setupServer() { keyMap := make(map[string]PublicKey) config := &ServerConfig{} config.PublicKeyCallback = func(conn ConnMetadata, key PublicKey) (*Permissions, error) { keyMap[conn.User()] = key return &Permissions{}, nil } _ = config } `}, 1, gosec.NewConfig()}, {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } func setupServer() { keys := make([]PublicKey, 10) config := &ServerConfig{} config.PublicKeyCallback = func(conn ConnMetadata, key PublicKey) (*Permissions, error) { keys[0] = key return &Permissions{}, nil } _ = config } `}, 1, gosec.NewConfig()}, {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } type Session struct { Auth struct { LastKey PublicKey } } func setupServer() { session := &Session{} config := &ServerConfig{} config.PublicKeyCallback = func(conn ConnMetadata, key PublicKey) (*Permissions, error) { session.Auth.LastKey = key return &Permissions{}, nil } _ = config } `}, 1, gosec.NewConfig()}, {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } func setupServer() { config := &ServerConfig{} config.PublicKeyCallback = func(conn ConnMetadata, key PublicKey) (*Permissions, error) { if isAuthorized(key) { return &Permissions{}, nil } return nil, nil } _ = config } func isAuthorized(key PublicKey) bool { return true } `}, 0, gosec.NewConfig()}, {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } func setupServer() { config := &ServerConfig{} config.PublicKeyCallback = func(conn ConnMetadata, key PublicKey) (*Permissions, error) { return &Permissions{ Extensions: map[string]string{ "pubkey": string(key.Marshal()), }, }, nil } _ = config } `}, 0, gosec.NewConfig()}, {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } func setupServer() { authorizedKeys := map[string]bool{ "ssh-rsa AAA...": true, } config := &ServerConfig{} config.PublicKeyCallback = func(conn ConnMetadata, key PublicKey) (*Permissions, error) { keyStr := string(key.Marshal()) if authorizedKeys[keyStr] { return &Permissions{}, nil } return nil, nil } _ = config } `}, 0, gosec.NewConfig()}, {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } func setupServer() { config := &ServerConfig{} config.PublicKeyCallback = checkKey _ = config } func checkKey(conn ConnMetadata, key PublicKey) (*Permissions, error) { return nil, nil } `}, 0, gosec.NewConfig()}, {[]string{` package main // Mock ssh types for testing type PublicKey interface { Marshal() []byte } type ConnMetadata interface { User() string } type Permissions struct { Extensions map[string]string } type ServerConfig struct { PublicKeyCallback func(ConnMetadata, PublicKey) (*Permissions, error) } func authenticateKey(conn ConnMetadata, key PublicKey) (*Permissions, error) { // This is a module-level function, not a closure return &Permissions{}, nil } func setupServer() { config := &ServerConfig{} config.PublicKeyCallback = authenticateKey _ = config } `}, 0, gosec.NewConfig()}, }
SampleCodeG408 - SSH PublicKeyCallback stateful misuse
View Source
var SampleCodeG502 = []CodeSample{ {[]string{` package main import ( "crypto/cipher" "crypto/des" "crypto/rand" "encoding/hex" "fmt" "io" ) func main() { block, err := des.NewCipher([]byte("sekritz")) if err != nil { panic(err) } plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ") ciphertext := make([]byte, des.BlockSize+len(plaintext)) iv := ciphertext[:des.BlockSize] if _, err := io.ReadFull(rand.Reader, iv); err != nil { panic(err) } stream := cipher.NewCFBEncrypter(block, iv) stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext) fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext)) } `}, 1, gosec.NewConfig()}, }
SampleCodeG502 - Blocklisted import DES
View Source
var SampleCodeG503 = []CodeSample{ {[]string{` package main import ( "crypto/rc4" "encoding/hex" "fmt" ) func main() { cipher, err := rc4.NewCipher([]byte("sekritz")) if err != nil { panic(err) } plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ") ciphertext := make([]byte, len(plaintext)) cipher.XORKeyStream(ciphertext, plaintext) fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext)) } `}, 1, gosec.NewConfig()}, }
SampleCodeG503 - Blocklisted import RC4
View Source
var SampleCodeG504 = []CodeSample{ {[]string{` package main import ( "net/http/cgi" "net/http" ) func main() { cgi.Serve(http.FileServer(http.Dir("/usr/share/doc"))) } `}, 1, gosec.NewConfig()}, }
SampleCodeG504 - Blocklisted import CGI
View Source
var SampleCodeG505 = []CodeSample{ {[]string{` package main import ( "crypto/sha1" "fmt" "os" ) func main() { for _, arg := range os.Args { fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg) } } `}, 1, gosec.NewConfig()}, }
SampleCodeG505 - Blocklisted import SHA1
View Source
var SampleCodeG506 = []CodeSample{ {[]string{` package main import ( "encoding/hex" "fmt" "golang.org/x/crypto/md4" ) func main() { h := md4.New() h.Write([]byte("test")) fmt.Println(hex.EncodeToString(h.Sum(nil))) } `}, 1, gosec.NewConfig()}, }
SampleCodeG506 - Blocklisted import MD4
View Source
var SampleCodeG507 = []CodeSample{ {[]string{` package main import ( "encoding/hex" "fmt" "golang.org/x/crypto/ripemd160" ) func main() { h := ripemd160.New() h.Write([]byte("test")) fmt.Println(hex.EncodeToString(h.Sum(nil))) } `}, 1, gosec.NewConfig()}, }
SampleCodeG507 - Blocklisted import RIPEMD160
View Source
var SampleCodeG601 = []CodeSample{ {[]string{` package main import "fmt" var vector []*string func appendVector(s *string) { vector = append(vector, s) } func printVector() { for _, item := range vector { fmt.Printf("%s", *item) } fmt.Println() } func foo() (int, **string, *string) { for _, item := range vector { return 0, &item, item } return 0, nil, nil } func main() { for _, item := range []string{"A", "B", "C"} { appendVector(&item) } printVector() zero, c_star, c := foo() fmt.Printf("%d %v %s", zero, c_star, c) } `}, 1, gosec.NewConfig()}, {[]string{` // see: github.com/securego/gosec/issues/475 package main import ( "fmt" ) func main() { sampleMap := map[string]string{} sampleString := "A string" for sampleString, _ = range sampleMap { fmt.Println(sampleString) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type sampleStruct struct { name string } func main() { samples := []sampleStruct{ {name: "a"}, {name: "b"}, } for _, sample := range samples { fmt.Println(sample.name) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type sampleStruct struct { name string } func main() { samples := []*sampleStruct{ {name: "a"}, {name: "b"}, } for _, sample := range samples { fmt.Println(&sample) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type sampleStruct struct { name string } func main() { samples := []*sampleStruct{ {name: "a"}, {name: "b"}, } for _, sample := range samples { fmt.Println(&sample.name) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type sampleStruct struct { name string } func main() { samples := []sampleStruct{ {name: "a"}, {name: "b"}, } for _, sample := range samples { fmt.Println(&sample.name) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type subStruct struct { name string } type sampleStruct struct { sub subStruct } func main() { samples := []sampleStruct{ {sub: subStruct{name: "a"}}, {sub: subStruct{name: "b"}}, } for _, sample := range samples { fmt.Println(&sample.sub.name) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type subStruct struct { name string } type sampleStruct struct { sub subStruct } func main() { samples := []*sampleStruct{ {sub: subStruct{name: "a"}}, {sub: subStruct{name: "b"}}, } for _, sample := range samples { fmt.Println(&sample.sub.name) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) func main() { one, two := 1, 2 samples := []*int{&one, &two} for _, sample := range samples { fmt.Println(&sample) } } `}, 1, gosec.NewConfig()}, }
SampleCodeG601 - Implicit aliasing over range statement
View Source
var SampleCodeG602 = []CodeSample{ {[]string{` package main import "fmt" func main() { s := make([]byte, 0) fmt.Println(s[:3]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) fmt.Println(s[3:]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 16) fmt.Println(s[:17]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 16) fmt.Println(s[:16]) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 16) fmt.Println(s[5:17]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 4) fmt.Println(s[3]) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 4) fmt.Println(s[5]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) s = make([]byte, 3) fmt.Println(s[:3]) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0, 4) fmt.Println(s[:3]) fmt.Println(s[3]) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0, 4) fmt.Println(s[:5]) fmt.Println(s[7]) } `}, 2, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0, 4) x := s[:2] y := x[:10] fmt.Println(y) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]int, 0, 4) doStuff(s) } func doStuff(x []int) { newSlice := x[:10] fmt.Println(newSlice) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]int, 0, 30) doStuff(s) x := make([]int, 20) y := x[10:] doStuff(y) z := y[5:] doStuff(z) } func doStuff(x []int) { newSlice := x[:10] fmt.Println(newSlice) newSlice2 := x[:6] fmt.Println(newSlice2) } `}, 2, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { testMap := make(map[string]any, 0) testMap["test1"] = map[string]interface{}{ "test2": map[string]interface{}{ "value": 0, }, } fmt.Println(testMap) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { fmt.Println(s[0]) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { switch s[0] { case 0: fmt.Println("zero") return default: fmt.Println(s[0]) return } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { switch s[0] { case 0: b := true if b == true { // Should work for many-levels of nesting when the condition is not on the target slice fmt.Println(s[0]) } return default: fmt.Println(s[0]) return } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { if len(s) > 1 { fmt.Println(s[1]) } fmt.Println(s[0]) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 2) fmt.Println(s[1]) s = make([]byte, 0) fmt.Println(s[1]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { if len(s) > 4 { fmt.Println(s[3]) } else { // Should error fmt.Println(s[2]) } fmt.Println(s[0]) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { fmt.Println("fake test") } fmt.Println(s[0]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]int, 16) for i := 0; i < 17; i++ { s = append(s, i) } if len(s) < 16 { fmt.Println(s[10:16]) } else { fmt.Println(s[3:18]) } fmt.Println(s[0]) for i := range s { fmt.Println(s[i]) } } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { s := make([]int, 16) for i := 10; i < 17; i++ { s[i]=i } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { var s []int for i := 10; i < 17; i++ { s[i]=i } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { s := make([]int,5, 16) for i := 1; i < 6; i++ { s[i]=i } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { var s [20]int for i := 10; i < 17; i++ { s[i]=i } }`}, 0, gosec.NewConfig()}, {[]string{` package main func main() { var s [20]int for i := 1; i < len(s); i++ { s[i]=i } } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { var s [20]int for i := 1; i <= len(s); i++ { s[i]=i } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { var s [20]int for i := 18; i <= 22; i++ { s[i]=i } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { args := []any{"1"} switch len(args) - 1 { case 1: _ = args[1] } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { value := "1234567890" weight := []int{2, 3, 4, 5, 6, 7} wLen := len(weight) l := len(value) - 1 addr := make([]any, 7) sum := 0 weight[2] = 3 for i := l; i >= 0; i-- { v := int(value[i] - '0') if v < 0 || v > 9 { fmt.Println("invalid number at column", i+1) break } addr[2] = v sum += v * weight[(l-i)%wLen] } fmt.Println(sum) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func pairwise(list []any) { for i := 0; i < len(list)-1; i += 2 { // Safe: i < len-1 implies i+1 < len fmt.Printf("%v %v\n", list[i], list[i+1]) } } func main() { // Calls with both even and odd lengths (and empty) to exercise the path pairwise([]any{"a", "b", "c", "d"}) pairwise([]any{"x", "y", "z"}) pairwise([]any{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" type Handler struct{} func (h *Handler) HandleArgs(list []any) { for i := 0; i < len(list)-1; i += 2 { fmt.Printf("%v %v\n", list[i], list[i+1]) } } func main() { // Empty main: no call to HandleArgs, mimicking library code or unreachable for constant prop } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func safeTriples(list []int) { for i := 0; i < len(list)-2; i += 3 { fmt.Println(list[i], list[i+1], list[i+2]) } } func main() { safeTriples([]int{1,2,3,4,5,6,7}) safeTriples([]int{1,2,3,4,5}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func pairwise(list []any) { for i := 0; i+1 < len(list); i += 2 { // Safe: i+1 < len implies i < len-1 fmt.Printf("%v %v\n", list[i], list[i+1]) } } func main() { // Calls with both even and odd lengths (and empty) to exercise the path pairwise([]any{"a", "b", "c", "d"}) pairwise([]any{"x", "y", "z"}) pairwise([]any{}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0, 4) // Extending length up to capacity is valid x := s[:3] fmt.Println(x) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0, 4) // 3-index slice exceeding capacity x := s[:2:5] fmt.Println(x) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0, 10) // 3-index slice within capacity x := s[2:5:8] fmt.Println(x) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 4) for i := range 3 { x := s[i+2] fmt.Println(x) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 5) for i := range 3 { x := s[i+2] fmt.Println(x) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 2) for i := 0; i < 3; i++ { x := s[i+2] fmt.Println(x) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 2) i := 0 // decomposeIndex should handle i + 1 + 2 = i + 3 fmt.Println(s[i+1+2]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 5) for i := 0; i+1 < len(s); i++ { // i+1 < 5 => i < 4. Max i = 3. i+1 = 4. s[4] is safe. fmt.Println(s[i+1]) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var a [10]int idx := 12 fmt.Println(a[idx]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 4) if 5 < len(s) { fmt.Println(s[4]) } } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { var a [10]int k := 11 _ = a[:5:k] } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]int, 5) idx := -1 fmt.Println(s[idx]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log/slog" "runtime" "time" ) func main() { var pcs [1]uintptr runtime.Callers(2, pcs[:]) r := slog.NewRecord(time.Now(), slog.LevelError, "test", pcs[0]) _ = r } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { var buf [4]byte copy(buf[:], []byte("test")) _ = buf[0] _ = buf[1] _ = buf[2] _ = buf[3] } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { var buf [2]byte copy(buf[:], []byte("ab")) idx := 3 _ = buf[idx] } `}, 1, gosec.NewConfig()}, {[]string{` package main func doWork(s []int) {} func main() { var arr [5]int doWork(arr[:]) _ = arr[0] _ = arr[4] } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { var arr [8]int for i := range arr { arr[i] = i } } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { var arr [8]int for i := range arr { _ = arr[i+1] } } `}, 1, gosec.NewConfig()}, {[]string{` package main func main() { ranged := [1]int{1} var accessed [1]*int for i, r := range ranged { accessed[i] = &r } } `}, 0, gosec.NewConfig()}, {[]string{` package main func main() { ranged := [2]int{1, 2} var accessed [1]*int for i, r := range ranged { accessed[i] = &r } } `}, 1, gosec.NewConfig()}, }
SampleCodeG602 - Slice access out of bounds
View Source
var SampleCodeG701 = []CodeSample{ {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { name := r.URL.Query().Get("name") query := "SELECT * FROM users WHERE name = '" + name + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "fmt" ) func handler(db *sql.DB, r *http.Request) { id := r.FormValue("id") query := fmt.Sprintf("DELETE FROM users WHERE id = %s", id) db.Exec(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" ) func safeQuery(db *sql.DB) { // Safe - no user input db.Query("SELECT * FROM users") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func preparedStatement(db *sql.DB, r *http.Request) { // Safe - using prepared statement name := r.URL.Query().Get("name") db.Query("SELECT * FROM users WHERE name = ?", name) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Query struct { SQL string } func handler(db *sql.DB, r *http.Request) { q := &Query{SQL: r.FormValue("input")} db.Query(q.SQL) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Config struct { Value string } func newConfig(v string) *Config { return &Config{Value: v} } func handler(db *sql.DB, r *http.Request) { cfg := newConfig(r.FormValue("input")) db.Query(cfg.Value) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Query struct { SQL string } func handler(db *sql.DB, r *http.Request) { q := &Query{SQL: r.FormValue("input")} ptr := q db.Query((*ptr).SQL) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { userID := r.FormValue("id") execute := func() { query := "DELETE FROM users WHERE id = " + userID db.Exec(query) } execute() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Config struct { Value string } func newConfig(v string) (*Config, error) { return &Config{Value: v}, nil } func handler(db *sql.DB, r *http.Request) { cfg, _ := newConfig(r.FormValue("input")) db.Query(cfg.Value) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Query struct { SQL string } type Request struct { Query *Query } func handler(db *sql.DB, r *http.Request) { req := &Request{Query: &Query{SQL: r.FormValue("input")}} db.Query(req.Query.SQL) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Query struct { SQL string } func handler(db *sql.DB, r *http.Request) { var q *Query if r.FormValue("type") == "admin" { q = &Query{SQL: r.FormValue("admin_query")} } else { q = &Query{SQL: r.FormValue("user_query")} } db.Query(q.SQL) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { name := r.FormValue("name") age := r.FormValue("age") query := "SELECT * FROM users WHERE name = '" + name + "' AND age = " + age db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { params := []string{r.FormValue("p1"), r.FormValue("p2")} query := "SELECT * FROM users WHERE id = " + params[0] db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { ids := [3]string{r.FormValue("id1"), r.FormValue("id2"), r.FormValue("id3")} query := "DELETE FROM users WHERE id = " + ids[1] db.Exec(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { input := r.FormValue("data") bytes := []byte(input) query := "INSERT INTO logs VALUES ('" + string(bytes) + "')" db.Exec(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "fmt" ) func handler(db *sql.DB, r *http.Request) { var val interface{} = r.FormValue("value") query := fmt.Sprintf("SELECT * FROM data WHERE value = '%v'", val) db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "strconv" ) func handler(db *sql.DB, r *http.Request) { userID, err := strconv.Atoi(r.FormValue("id")) if err == nil { query := "SELECT * FROM users WHERE id = " + strconv.Itoa(userID) db.Query(query) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { input := r.FormValue("input") var result string for i := 0; i < 10; i++ { result = input + result } db.Query("SELECT * FROM data WHERE value = '" + result + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { input := r.FormValue("id") ptr := &input query := "DELETE FROM users WHERE id = " + *ptr db.Exec(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "unsafe" ) func handler(db *sql.DB, r *http.Request) { input := r.FormValue("data") bytes := []byte(input) ptr := unsafe.Pointer(&bytes[0]) _ = ptr query := "INSERT INTO logs VALUES ('" + input + "')" db.Exec(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Data struct { Value string } func handler(db *sql.DB, r *http.Request) { d := &Data{} d.Value = r.FormValue("input") db.Query("SELECT * FROM items WHERE name = '" + d.Value + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func buildQuery(userInput string) string { return "SELECT * FROM users WHERE name = '" + userInput + "'" } func handler(db *sql.DB, r *http.Request) { name := r.FormValue("name") query := buildQuery(name) db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func processInput(input string) string { result := input return result } func handler(db *sql.DB, r *http.Request) { data := r.FormValue("data") processed := processInput(data) db.Query("DELETE FROM logs WHERE data = '" + processed + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func formatQuery(table string, id string) string { return "SELECT * FROM " + table + " WHERE id = " + id } func handler(db *sql.DB, r *http.Request) { userID := r.FormValue("id") query := formatQuery("users", userID) db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func selectTable(isAdmin bool, userID string) string { var table string if isAdmin { table = "admin_" + userID } else { table = "user_" + userID } return table } func handler(db *sql.DB, r *http.Request) { id := r.FormValue("id") table := selectTable(false, id) db.Query("SELECT * FROM " + table) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type QueryBuilder struct { table string } func newQueryBuilder(tableName string) *QueryBuilder { return &QueryBuilder{table: tableName} } func handler(db *sql.DB, r *http.Request) { userTable := r.FormValue("table") qb := newQueryBuilder(userTable) db.Query("SELECT * FROM " + qb.table) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func getFirst(items []string) string { if len(items) > 0 { return items[0] } return "" } func handler(db *sql.DB, r *http.Request) { ids := []string{r.FormValue("id1"), r.FormValue("id2")} firstID := getFirst(ids) db.Query("DELETE FROM users WHERE id = " + firstID) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func convertToString(data []byte) string { return string(data) } func handler(db *sql.DB, r *http.Request) { input := r.FormValue("data") bytes := []byte(input) str := convertToString(bytes) db.Query("INSERT INTO logs VALUES ('" + str + "')") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func parseInput(input string) (string, error) { return input, nil } func handler(db *sql.DB, r *http.Request) { data := r.FormValue("data") parsed, _ := parseInput(data) db.Query("SELECT * FROM data WHERE value = '" + parsed + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func innerProcess(s string) string { return s + "_processed" } func outerProcess(input string) string { return innerProcess(input) } func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("input") result := outerProcess(userInput) db.Query("SELECT * FROM data WHERE value = '" + result + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func derefString(ptr *string) string { return *ptr } func handler(db *sql.DB, r *http.Request) { input := r.FormValue("id") value := derefString(&input) db.Query("DELETE FROM users WHERE id = " + value) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "fmt" ) func toInterface(s string) interface{} { return s } func handler(db *sql.DB, r *http.Request) { input := r.FormValue("value") iface := toInterface(input) query := fmt.Sprintf("SELECT * FROM data WHERE value = '%v'", iface) db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Config struct { Value string } func createConfig(val string) *Config { c := &Config{} c.Value = val return c } func handler(db *sql.DB, r *http.Request) { userVal := r.FormValue("value") cfg := createConfig(userVal) db.Query("SELECT * FROM data WHERE value = '" + cfg.Value + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "strings" ) func wrapWithQuotes(s string) string { return strings.ToLower(s) } func handler(db *sql.DB, r *http.Request) { input := r.FormValue("name") wrapped := wrapWithQuotes(input) db.Query("SELECT * FROM users WHERE name = '" + wrapped + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func extractString(val interface{}) string { if str, ok := val.(string); ok { return str } return "" } func handler(db *sql.DB, r *http.Request) { var data interface{} = r.FormValue("data") extracted := extractString(data) db.Query("SELECT * FROM data WHERE value = '" + extracted + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func lookupValue(m map[string]string, key string) string { return m[key] } func handler(db *sql.DB, r *http.Request) { userKey := r.FormValue("key") data := map[string]string{"user": userKey, "admin": "admin_value"} value := lookupValue(data, "user") db.Query("SELECT * FROM users WHERE id = '" + value + "'") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type ComplexData struct { Field1 string Field2 string } func buildComplexData(input string) *ComplexData { d := &ComplexData{} d.Field1 = input d.Field2 = "safe" return d } func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("input") data := buildComplexData(userInput) db.Query("SELECT * FROM data WHERE value = '" + data.Field1 + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func sliceData(items []string) []string { if len(items) > 1 { return items[1:] } return items } func handler(db *sql.DB, r *http.Request) { inputs := []string{"safe", r.FormValue("data"), r.FormValue("data2")} sliced := sliceData(inputs) if len(sliced) > 0 { db.Query("SELECT * FROM data WHERE value = '" + sliced[0] + "'") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func getArrayElement(arr [3]string, idx int) string { return arr[idx] } func handler(db *sql.DB, r *http.Request) { userArray := [3]string{r.FormValue("a"), r.FormValue("b"), r.FormValue("c")} element := getArrayElement(userArray, 1) db.Query("DELETE FROM users WHERE id = '" + element + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func accumulateData(base string, count int) string { result := base for i := 0; i < count; i++ { if i%2 == 0 { result = result + "_even" } else { result = result + "_odd" } } return result } func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("data") accumulated := accumulateData(userInput, 3) db.Query("SELECT * FROM data WHERE value = '" + accumulated + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func doubleDeref(s string) string { ptr1 := &s ptr2 := &ptr1 return **ptr2 } func handler(db *sql.DB, r *http.Request) { input := r.FormValue("id") result := doubleDeref(input) db.Query("DELETE FROM users WHERE id = '" + result + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "unsafe" ) func unsafeConvert(s string) string { bytes := []byte(s) ptr := unsafe.Pointer(&bytes[0]) _ = ptr return s } func handler(db *sql.DB, r *http.Request) { input := r.FormValue("data") converted := unsafeConvert(input) db.Query("INSERT INTO logs VALUES ('" + converted + "')") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func combineInputs(a string, b string, c string) string { return a + b + c } func handler(db *sql.DB, r *http.Request) { p1 := r.FormValue("p1") p2 := r.FormValue("p2") p3 := r.FormValue("p3") result := combineInputs(p1, p2, p3) db.Query("SELECT * FROM data WHERE value = '" + result + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Inner struct { Value string } type Outer struct { Inner *Inner } func buildNested(val string) *Outer { inner := &Inner{} inner.Value = val return &Outer{Inner: inner} } func handler(db *sql.DB, r *http.Request) { input := r.FormValue("input") outer := buildNested(input) db.Query("SELECT * FROM data WHERE value = '" + outer.Inner.Value + "'") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func processSlice(items []string) string { result := "" for _, item := range items { result = result + item } return result } func handler(db *sql.DB, r *http.Request) { data := []string{r.FormValue("a"), "safe", r.FormValue("b")} processed := processSlice(data) db.Query("SELECT * FROM data WHERE value = '" + processed + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func multiReturn(input string) (string, string, error) { return input, "safe", nil } func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("data") result1, result2, _ := multiReturn(userInput) db.Query("SELECT * FROM data WHERE v1 = '" + result1 + "' AND v2 = '" + result2 + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func conditionalProcess(input string, mode int) string { var result string switch mode { case 1: result = input + "_mode1" case 2: result = input + "_mode2" default: result = input + "_default" } return result } func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("input") processed := conditionalProcess(userInput, 1) db.Query("SELECT * FROM data WHERE value = '" + processed + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "fmt" ) func formatMultiple(template string, args ...interface{}) string { return fmt.Sprintf(template, args...) } func handler(db *sql.DB, r *http.Request) { userVal := r.FormValue("value") formatted := formatMultiple("data=%s", userVal) db.Query("SELECT * FROM logs WHERE entry = '" + formatted + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "strings" ) func processStep1(s string) string { return strings.TrimSpace(s) } func processStep2(s string) string { return strings.ToLower(processStep1(s)) } func processStep3(s string) string { return strings.ToUpper(processStep2(s)) } func handler(db *sql.DB, r *http.Request) { input := r.FormValue("data") result := processStep3(input) db.Query("SELECT * FROM data WHERE value = '" + result + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func getElement(arr []string, idx int) string { if idx >= 0 && idx < len(arr) { return arr[idx] } return "" } func handler(db *sql.DB, r *http.Request) { data := []string{r.FormValue("a"), r.FormValue("b"), r.FormValue("c")} element := getElement(data, 2) db.Query("DELETE FROM users WHERE id = '" + element + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "fmt" ) func convertToAny(s string) interface{} { var result interface{} = s return result } func handler(db *sql.DB, r *http.Request) { input := r.FormValue("value") anyVal := convertToAny(input) query := fmt.Sprintf("SELECT * FROM data WHERE value = '%v'", anyVal) db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Container struct { Data string } func createAndUpdate(initial string, update string) *Container { c := &Container{Data: initial} c.Data = update return c } func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("input") container := createAndUpdate("safe", userInput) db.Query("SELECT * FROM data WHERE value = '" + container.Data + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "net/url" ) func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("data") sanitized := url.QueryEscape(userInput) db.Query("SELECT * FROM data WHERE value = '" + sanitized + "'") } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { query := "" if r != nil { query = "SELECT * FROM users WHERE id = " + r.FormValue("id") } db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "os" ) func handler(db *sql.DB) { userInput := os.Getenv("USER_ID") db.Query("DELETE FROM users WHERE id = " + userInput) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Getter interface { Get(string) string } func query(db *sql.DB, g Getter) { id := g.Get("id") db.Query("SELECT * FROM users WHERE id = " + id) } func handler(db *sql.DB, r *http.Request) { query(db, r.URL.Query()) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "database/sql" func handler(db *sql.DB) { const userID = "safe123" db.Query("SELECT * FROM users WHERE id = " + userID) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { parts := []string{"SELECT * FROM users WHERE id = "} parts = append(parts, r.FormValue("id")) db.Query(parts[0] + parts[1]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func makeQuery() func(*sql.DB) { const id = "123" return func(db *sql.DB) { db.Query("SELECT * FROM users WHERE id = " + id) } } func handler(db *sql.DB, r *http.Request) { q := makeQuery() q(db) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { userInputs := map[string]string{ "query": r.FormValue("q"), } query := "SELECT * FROM users WHERE name = '" + userInputs["query"] + "'" db.Query(query) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { var data interface{} = r.FormValue("data") str := data.(string) query := "SELECT * FROM users WHERE id = '" + str + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { inputs := []string{r.FormValue("a"), r.FormValue("b")} subset := inputs[0:1] query := "SELECT * FROM users WHERE id = '" + subset[0] + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("id") ptr := &userInput query := "SELECT * FROM users WHERE id = '" + *ptr + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "unsafe" ) func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("data") bytes := []byte(userInput) ptr := unsafe.Pointer(&bytes[0]) str := *(*string)(ptr) query := "SELECT * FROM users WHERE data = '" + str + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func getData(r *http.Request) (string, error) { return r.FormValue("id"), nil } func handler(db *sql.DB, r *http.Request) { var id string if true { id, _ = getData(r) } else { id = "default" } query := "SELECT * FROM users WHERE id = '" + id + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { var inputs [3]string inputs[0] = r.FormValue("id") query := "SELECT * FROM users WHERE id = '" + inputs[0] + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("data") var iface interface{} = userInput str, _ := iface.(string) query := "SELECT * FROM users WHERE data = '" + str + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type CustomString string func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("id") custom := CustomString(userInput) str := string(custom) query := "SELECT * FROM users WHERE id = '" + str + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { var data string if r.Method == "POST" { data = r.FormValue("data") } if data != "" { query := "SELECT * FROM users WHERE data = '" + data + "'" db.Query(query) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) var globalQuery string func handler(db *sql.DB, r *http.Request) { globalQuery = r.FormValue("query") executeQuery(db) } func executeQuery(db *sql.DB) { db.Query(globalQuery) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { var id string switch r.Method { case "GET": id = r.URL.Query().Get("id") case "POST": id = r.FormValue("id") case "PUT": id = r.Header.Get("X-ID") default: id = "default" } query := "SELECT * FROM users WHERE id = '" + id + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("name") result := processLevel1(userInput) executeQuery(db, result) } func processLevel1(input string) string { return processLevel2(input) } func processLevel2(input string) string { return processLevel3(input) } func processLevel3(input string) string { return "SELECT * FROM users WHERE name = '" + input + "'" } func executeQuery(db *sql.DB, query string) { db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type QueryBuilder struct { Filter string } func handler(db *sql.DB, r *http.Request) { qb := &QueryBuilder{} setFilter(qb, r) executeQueryBuilder(db, qb) } func setFilter(qb *QueryBuilder, r *http.Request) { qb.Filter = r.FormValue("filter") } func executeQueryBuilder(db *sql.DB, qb *QueryBuilder) { query := "SELECT * FROM users WHERE " + qb.Filter db.Query(query) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Config struct { SearchTerm string } var appConfig Config func handler(db *sql.DB, r *http.Request) { appConfig.SearchTerm = r.FormValue("search") search(db) } func search(db *sql.DB) { query := "SELECT * FROM products WHERE name LIKE '%" + appConfig.SearchTerm + "%'" db.Query(query) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { var query string if r.Method == "POST" { if r.Header.Get("Content-Type") == "application/json" { query = r.FormValue("json_query") } else { query = r.FormValue("form_query") } } else { if r.URL.Query().Get("type") == "advanced" { query = r.URL.Query().Get("advanced_query") } else { query = r.URL.Query().Get("simple_query") } } sql := "SELECT * FROM data WHERE condition = '" + query + "'" db.Query(sql) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { name := r.FormValue("name") email := r.FormValue("email") query := buildUserQuery(name, email) db.Query(query) } func buildUserQuery(name, email string) string { return combineFields("users", name, email) } func combineFields(table, field1, field2 string) string { return "SELECT * FROM " + table + " WHERE name = '" + field1 + "' OR email = '" + field2 + "'" } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "strings" ) func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("search") sanitized := attemptSanitize(userInput) query := "SELECT * FROM users WHERE name = '" + sanitized + "'" db.Query(query) } func attemptSanitize(input string) string { // Ineffective sanitization - still tainted return strings.TrimSpace(input) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { var result string items := r.URL.Query()["items"] for i, item := range items { if i == 0 { result = item } else { result = result + "," + item } } query := "SELECT * FROM users WHERE id IN (" + result + ")" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("id") queryFunc := func(db *sql.DB) { query := "SELECT * FROM users WHERE id = '" + userInput + "'" db.Query(query) } queryFunc(db) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) var ( globalFilter string globalTable string ) func handler(db *sql.DB, r *http.Request) { globalFilter = r.FormValue("filter") globalTable = "users" executeGlobalQuery(db) } func executeGlobalQuery(db *sql.DB) { query := "SELECT * FROM " + globalTable + " WHERE " + globalFilter db.Query(query) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "strings" ) func handler(db *sql.DB, r *http.Request) { id1 := r.FormValue("id1") id2 := r.FormValue("id2") query := buildQuery("users", id1, id2) db.Query(query) } func buildQuery(table string, ids ...string) string { return "SELECT * FROM " + table + " WHERE id IN ('" + strings.Join(ids, "','") + "')" } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("query") var query string admin := r.Header.Get("X-Admin") == "true" if admin { query = "SELECT * FROM admin WHERE " + userInput } else { query = "SELECT * FROM users WHERE " + userInput } db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type Database struct { db *sql.DB } func (d *Database) Search(filter string) { query := "SELECT * FROM users WHERE " + filter d.db.Query(query) } func handler(db *sql.DB, r *http.Request) { database := &Database{db: db} userFilter := r.FormValue("filter") database.Search(userFilter) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) var queryBuilder func(string) string func init() { queryBuilder = func(input string) string { return "SELECT * FROM users WHERE name = '" + input + "'" } } func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("name") query := queryBuilder(userInput) db.Query(query) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" "strings" ) func handler(db *sql.DB, r *http.Request) { conditions := []string{} if name := r.FormValue("name"); name != "" { conditions = append(conditions, "name='"+name+"'") } if email := r.FormValue("email"); email != "" { conditions = append(conditions, "email='"+email+"'") } query := "SELECT * FROM users WHERE " + strings.Join(conditions, " AND ") db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { var query string if r.Method == "GET" { query = r.URL.Query().Get("q") goto execute } query = r.FormValue("q") execute: sql := "SELECT * FROM users WHERE search = '" + query + "'" db.Query(sql) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) type QueryExecutor interface { Execute(db *sql.DB, query string) } type SimpleExecutor struct{} func (e *SimpleExecutor) Execute(db *sql.DB, query string) { db.Query(query) } func handler(db *sql.DB, r *http.Request) { userInput := r.FormValue("query") query := "SELECT * FROM users WHERE " + userInput var executor QueryExecutor = &SimpleExecutor{} executor.Execute(db, query) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { var table, filter string authLevel := r.Header.Get("Auth-Level") switch authLevel { case "admin": table = "admin_users" filter = r.FormValue("admin_filter") case "user": table = "users" filter = r.FormValue("user_filter") default: table = "public_users" filter = r.FormValue("public_filter") } var orderBy string if r.URL.Query().Get("sort") == "name" { orderBy = "name ASC" } else { orderBy = "created_at DESC" } query := "SELECT * FROM " + table + " WHERE " + filter + " ORDER BY " + orderBy db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func getUserInput(r *http.Request) string { return r.FormValue("input") } func handler(db *sql.DB, r *http.Request) { userInput := getUserInput(r) query := "SELECT * FROM users WHERE name = '" + userInput + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func handler(db *sql.DB, r *http.Request) { filters := []string{r.FormValue("filter")} query := "SELECT * FROM users WHERE status = '" + filters[0] + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "net/http" ) func getInput(r *http.Request) string { return r.FormValue("input") } func processInput(r *http.Request) string { return getInput(r) } func handler(db *sql.DB, r *http.Request) { userInput := processInput(r) query := "SELECT * FROM users WHERE name = '" + userInput + "'" db.Query(query) } `}, 1, gosec.NewConfig()}, }
SampleCodeG701 - SQL injection via taint analysis
View Source
var SampleCodeG702 = []CodeSample{ {[]string{` package main import ( "net/http" "os/exec" ) func handler(r *http.Request) { filename := r.URL.Query().Get("file") cmd := exec.Command("cat", filename) cmd.Run() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "os" "os/exec" ) func dynamicCommand() { userInput := os.Args[1] exec.Command("sh", "-c", userInput).Run() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "os/exec" ) func safeCommand() { // Safe - no user input exec.Command("ls", "-la").Run() } `}, 0, gosec.NewConfig()}, }
SampleCodeG702 - Command injection via taint analysis
View Source
var SampleCodeG703 = []CodeSample{ {[]string{` package main import ( "net/http" "os" ) func handler(r *http.Request) { path := r.URL.Query().Get("file") os.Open(path) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "net/http" "os" ) func writeHandler(r *http.Request) { filename := r.FormValue("name") os.WriteFile(filename, []byte("data"), 0644) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "os" ) func safeOpen() { // Safe - no user input os.Open("/var/log/app.log") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "io/fs" "os" "path/filepath" ) func Foo() { var docName string err := filepath.WalkDir(".", func(fpath string, d fs.DirEntry, err error) error { if err == nil { if d.Type().IsRegular() { docName = d.Name() } } return nil }) if err == nil && docName != "" { var f *os.File if f, err = os.Open(docName); err == nil { defer f.Close() } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" ) func openFromArgs() { if len(os.Args) > 1 { os.Open(os.Args[1]) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "net/http" "os" "path/filepath" ) func safeHandler(r *http.Request) { raw := r.URL.Query().Get("file") cleaned := filepath.Clean(raw) os.Open(cleaned) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "net/http" "os" "path" ) func handler(r *http.Request) { userFile := r.FormValue("file") safe := path.Base(userFile) os.Open(safe) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "net/http" "os" "strconv" ) func handler(r *http.Request) { id := r.FormValue("id") num, _ := strconv.Atoi(id) os.Open("/tmp/file" + strconv.Itoa(num)) } `}, 0, gosec.NewConfig()}, }
SampleCodeG703 - Path traversal via taint analysis
View Source
var SampleCodeG704 = []CodeSample{ {[]string{` package main import ( "net/http" ) func handler(r *http.Request) { url := r.URL.Query().Get("url") http.Get(url) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "net/http" "os" ) func fetchFromEnv() { target := os.Getenv("TARGET_URL") http.Post(target, "text/plain", nil) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "net/http" ) func safeRequest() { // Safe - hardcoded URL http.Get("https://api.example.com/data") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" "time" ) func GetPublicIP() (string, error) { ctx, cancel := context.WithTimeout(context.Background(), time.Second*10) defer cancel() req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://am.i.mullvad.net/ip", nil) if err != nil { return "", err } resp, err := http.DefaultClient.Do(req) if err != nil { return "", err } defer resp.Body.Close() return "", nil } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) const url = "https://go.dev/" func main() { ctx := context.Background() req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, http.NoBody) if err != nil { panic(err) } _, err = new(http.Client).Do(req) if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "net/http" ) func handler(r *http.Request) { target := r.URL.Query().Get("url") http.Get(target) //nolint:errcheck } `}, 1, gosec.NewConfig()}, }
SampleCodeG704 - SSRF via taint analysis
View Source
var SampleCodeG705 = []CodeSample{ {[]string{` package main import ( "fmt" "net/http" ) func handler(w http.ResponseWriter, r *http.Request) { name := r.URL.Query().Get("name") fmt.Fprintf(w, "<h1>Hello %s</h1>", name) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "net/http" ) func writeHandler(w http.ResponseWriter, r *http.Request) { data := r.FormValue("data") w.Write([]byte(data)) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "net/http" "html" ) func safeHandler(w http.ResponseWriter, r *http.Request) { // Safe - escaped output name := r.URL.Query().Get("name") fmt.Fprintf(w, "<h1>Hello %s</h1>", html.EscapeString(name)) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "net/http" ) func staticHandler(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "<h1>Hello World</h1>") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "encoding/json" "net/http" ) func handler(w http.ResponseWriter, r *http.Request) { data := r.FormValue("data") jsonData, _ := json.Marshal(data) w.Write(jsonData) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "net/http" "strconv" ) func handler(w http.ResponseWriter, r *http.Request) { id := r.FormValue("id") num, _ := strconv.Atoi(id) w.Write([]byte(strconv.Itoa(num))) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "context" "net/http" ) type service struct{} func (s *service) GetData(ctx context.Context, id string) ([]byte, error) { return []byte("safe data"), nil } func handler(w http.ResponseWriter, r *http.Request) { svc := &service{} data, _ := svc.GetData(r.Context(), "static-id") w.Write(data) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "bufio" "fmt" "io" "os" "os/exec" "strings" "sync" ) type Masker struct{} func (m *Masker) MaskSecrets(in string) string { return in } func streamOutput(pipe io.Reader, outW io.Writer, wg *sync.WaitGroup) { defer wg.Done() masker := &Masker{} reader := bufio.NewReader(pipe) for { line, err := reader.ReadString('\n') if err != nil { break } line = strings.TrimSuffix(line, "\r") if _, writeErr := fmt.Fprint(outW, masker.MaskSecrets(line)); writeErr != nil { break } } } func main() { cmd := exec.Command("echo", "hello world") stdoutPipe, _ := cmd.StdoutPipe() stderrPipe, _ := cmd.StderrPipe() _ = cmd.Start() var wg sync.WaitGroup wg.Add(2) go streamOutput(stdoutPipe, os.Stdout, &wg) go streamOutput(stderrPipe, os.Stderr, &wg) wg.Wait() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { fmt.Fprint(os.Stdout, os.Args[1]) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "net/http" "os/exec" ) func handler(w http.ResponseWriter, r *http.Request) { param := r.URL.Query().Get("cmd") out, _ := exec.Command("sh", "-c", param).Output() fmt.Fprint(w, string(out)) } func main() { http.HandleFunc("/run", handler) _ = http.ListenAndServe(":8080", nil) } `}, 1, gosec.NewConfig()}, }
SampleCodeG705 - XSS via taint analysis
View Source
var SampleCodeG706 = []CodeSample{ {[]string{` package main import ( "log" "net/http" ) func handler(r *http.Request) { username := r.URL.Query().Get("user") log.Printf("User logged in: %s", username) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "os" ) func logArgs() { input := os.Args[1] log.Println("Processing:", input) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" ) func safeLog() { // Safe - no user input log.Println("Application started") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "encoding/json" "log" "net/http" ) func handler(r *http.Request) { data := r.FormValue("data") jsonData, _ := json.Marshal(data) log.Printf("Received: %s", jsonData) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "log" "net/http" "strconv" ) func handler(r *http.Request) { id := r.FormValue("id") num, _ := strconv.Atoi(id) log.Printf("Processing ID: %d", num) } `}, 0, gosec.NewConfig()}, }
SampleCodeG706 - Log injection via taint analysis
View Source
var SampleCodeG707 = []CodeSample{ {[]string{` package main import ( "net/http" "net/smtp" ) func handler(r *http.Request) { from := r.FormValue("from") to := []string{r.FormValue("to")} _ = smtp.SendMail("127.0.0.1:25", nil, from, to, []byte("Subject: Hi\r\n\r\nbody")) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "net/http" "net/smtp" ) func handler(r *http.Request, c *smtp.Client) { from := r.URL.Query().Get("from") to := r.URL.Query().Get("to") _ = c.Mail(from) _ = c.Rcpt(to) } `}, 2, gosec.NewConfig()}, {[]string{` package main import ( "net/http" "net/mail" "net/smtp" ) func handler(r *http.Request) { parsed, err := mail.ParseAddress(r.FormValue("from")) if err != nil { return } _ = smtp.SendMail("127.0.0.1:25", nil, parsed.Address, []string{"[email protected]"}, []byte("Subject: Hi\r\n\r\nbody")) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "net/http" "net/mail" "net/smtp" ) func handler(r *http.Request) { addresses, err := mail.ParseAddressList(r.FormValue("to")) if err != nil { return } recipients := make([]string, 0, len(addresses)) for _, addr := range addresses { recipients = append(recipients, addr.Address) } _ = smtp.SendMail("127.0.0.1:25", nil, "[email protected]", recipients, []byte("Subject: Hi\r\n\r\nbody")) } `}, 0, gosec.NewConfig()}, }
SampleCodeG707 - SMTP command/header injection via taint analysis
Functions ¶
Types ¶
type CodeSample ¶
CodeSample encapsulates a snippet of source code that compiles, and how many errors should be detected
type MockVisitor ¶
type MockVisitor struct {
Context *gosec.Context
Callback func(n ast.Node, ctx *gosec.Context) bool
}
MockVisitor is useful for stubbing out ast.Visitor with callback and looking for specific conditions to exist.
func NewMockVisitor ¶
func NewMockVisitor() *MockVisitor
NewMockVisitor creates a new empty struct, the Context and Callback must be set manually. See call_list_test.go for an example.
type Option ¶ added in v2.22.11
Option provides a way to adjust the package config depending on testing requirements
func WithBuildTags ¶ added in v2.22.11
WithBuildTags enables injecting build tags into the package config on build.
type TestPackage ¶
type TestPackage struct {
Path string
Files map[string]string
// contains filtered or unexported fields
}
TestPackage is a mock package for testing purposes
func NewTestPackage ¶
func NewTestPackage() *TestPackage
NewTestPackage will create a new and empty package. Must call Close() to cleanup auxiliary files
func (*TestPackage) AddFile ¶
func (p *TestPackage) AddFile(filename, content string)
AddFile inserts the filename and contents into the package contents
func (*TestPackage) Build ¶
func (p *TestPackage) Build(opts ...Option) error
Build ensures all files are persisted to disk and built
func (*TestPackage) Close ¶
func (p *TestPackage) Close()
Close will delete the package and all files in that directory
func (*TestPackage) CreateContext ¶
func (p *TestPackage) CreateContext(filename string, opts ...Option) *gosec.Context
CreateContext builds a context out of supplied package context
func (*TestPackage) Pkgs ¶
func (p *TestPackage) Pkgs() []*packages.Package
Pkgs returns the current built packages
func (*TestPackage) PrintErrors ¶ added in v2.6.0
func (p *TestPackage) PrintErrors() int
PrintErrors prints to os.Stderr the accumulated errors of built packages
Source Files
¶
- build_samples.go
- cgo_samples.go
- g101_samples.go
- g102_samples.go
- g103_samples.go
- g104_samples.go
- g106_samples.go
- g107_samples.go
- g108_samples.go
- g109_samples.go
- g110_samples.go
- g111_samples.go
- g112_samples.go
- g113_samples.go
- g114_samples.go
- g115_samples.go
- g116_samples.go
- g117_samples.go
- g118_samples.go
- g119_samples.go
- g120_samples.go
- g121_samples.go
- g122_samples.go
- g123_samples.go
- g201_samples.go
- g202_samples.go
- g203_samples.go
- g204_samples.go
- g301_samples.go
- g302_samples.go
- g303_samples.go
- g304_samples.go
- g305_samples.go
- g306_samples.go
- g307_samples.go
- g401_samples.go
- g402_samples.go
- g403_samples.go
- g404_samples.go
- g405_samples.go
- g406_samples.go
- g407_samples.go
- g408_samples.go
- g501_samples.go
- g502_samples.go
- g503_samples.go
- g504_samples.go
- g505_samples.go
- g506_samples.go
- g507_samples.go
- g601_samples.go
- g602_samples.go
- g701_samples.go
- g702_samples.go
- g703_samples.go
- g704_samples.go
- g705_samples.go
- g706_samples.go
- g707_samples.go
- log.go
- pkg.go
- sample_types.go
- visitor.go
Click to show internal directories.
Click to hide internal directories.