GoLang untaint URL 变量修复 gosec 警告 G107

Question

If I run gosec on the below fragment I get a tainted URL warning: G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)

I figured I should use the 'url' package but it doesn't seem to offer more than ParseQuery() to detect this, but although it gives an error, gosec still reports as a potential vulnerability.

How to I write remove the warning, ideally using just the standard library?

func Run() {
    MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}

func MakeGetRequest(uri string) {
    res, _ := http.Get(uri)
    fmt.Println(res)
}

Answer 1

As per guidelines mentioned for G107 you should mentioned the url in const .

package main

import (
    "fmt"
    "net/http"
)

const url = "url"

func main() {
    resp, err := http.Get(url)
    if err != nil {
        fmt.Println(err)
    }
    fmt.Println(resp.Status)
}

For better understanding you can refer here: https://securego.io/docs/rules/g107.html

OR

If you want to remove G107 warning then you should explicitly exclude it.

# Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...

# Run everything except for rule G303
$ gosec -exclude=G303 ./...

# folders and files also can be excluded.

For more understanding please refer gosec docs: https://github.com/securego/gosec

Answer 2

If you are using golangci-lint, and want it to simply ignore this warning since you cannot set the url as a constant, you can use //nolint directive like this:

func Run() {
    MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}

func MakeGetRequest(uri string) {
    res, _ := http.Get(uri) //nolint
    fmt.Println(res)
}