If I run gosec on the below fragment I get a tainted URL warning: G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)
I figured I should use the 'url' package but it doesn't seem to offer more than ParseQuery() to detect this, but although it gives an error, gosec still reports as a potential vulnerability.
How do I remove the warning, ideally using just the standard library?
```go
func Run() {
	MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}

// MakeGetRequest receives the URL as a variable, which is what gosec G107 flags.
func MakeGetRequest(uri string) {
	res, err := http.Get(uri)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer res.Body.Close()
	fmt.Println(res)
}
```
As per the guidelines mentioned for G107, you should mention the URL in a const.
```go
package main

import (
	"fmt"
	"net/http"
)

// A constant URL satisfies G107; "url" is a placeholder for the real address.
const url = "url"

func main() {
	resp, err := http.Get(url)
	if err != nil {
		fmt.Println(err)
		return // resp is nil on error, so do not touch it
	}
	defer resp.Body.Close()
	fmt.Println(resp.Status)
}
```
For better understanding you can refer here: https://securego.io/docs/rules/g107.html
OR
If you want to remove the G107 warning, then you should explicitly exclude it.

```sh
# Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...
# Run everything except for rule G303
$ gosec -exclude=G303 ./...
# folders and files also can be excluded.
```
For more understanding, please refer to the gosec docs: https://github.com/securego/gosec
If you are using golangci-lint, and want it to simply ignore this warning since you cannot set the URL as a constant, you can use the `//nolint` directive like this:

```go
func Run() {
	MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}

func MakeGetRequest(uri string) {
	res, err := http.Get(uri) //nolint
	if err != nil {
		fmt.Println(err)
		return
	}
	defer res.Body.Close()
	fmt.Println(res)
}
```
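Neither answer addresses the risk behind G107, which is a request to an attacker-controlled destination (SSRF). Since the rule is a pattern check on non-constant arguments rather than a taint analysis, validating the input may not silence it on its own, but it is what actually reduces the risk. The following is an added example, not code from the question or either answer: it validates a caller-supplied URL with `net/url` (absolute http(s) only, no userinfo, host on an allowlist) before the request, using the standard library as the question asks. `ValidateURL`, `MakeGetRequest` and the `allowedHosts` map are assumed names, and the allowlist is a constructed sample.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// allowedHosts is a constructed allowlist for this example (assumption, not from the question).
var allowedHosts = map[string]bool{"www.google.com": true}

// ValidateURL accepts only absolute http(s) URLs without userinfo whose host is
// allowlisted, and returns the normalised form so the request is built from
// a value this code checked rather than from raw caller input.
func ValidateURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.User != nil {
		return "", fmt.Errorf("userinfo not allowed")
	}
	if !allowedHosts[u.Hostname()] {
		return "", fmt.Errorf("host %q not allowlisted", u.Hostname())
	}
	return u.String(), nil
}

// MakeGetRequest wraps http.Get so the only URL that reaches it has passed ValidateURL.
func MakeGetRequest(raw string) error {
	target, err := ValidateURL(raw)
	if err != nil {
		return err
	}
	res, err := http.Get(target) //nolint:gosec // G107: target was validated above
	if err != nil {
		return err
	}
	defer res.Body.Close()
	fmt.Println(res.Status)
	return nil
}

func main() {
	target, err := ValidateURL("https://www.google.com/hi?a=7; rm /* -rf")
	fmt.Println(target, err) // the shell text is inert query data, so this validates
}
```

The `//nolint:gosec` comment is the golangci-lint form of the directive from the answer above; with plain gosec the equivalent is its own `#nosec` annotation.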