Clarify and add new unit tests for rule G107 (#376)
The existing unit tests for G107 had no comments explaining why a given code sample is problematic. In addition, rule G107 needs more unit tests covering the different scenarios. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
This commit is contained in:
parent
f90efff866
commit
e7b3ae9c54
1 changed files with 48 additions and 0 deletions
|
@ -317,6 +317,7 @@ func main() {
|
||||||
|
|
||||||
// SampleCodeG107 - SSRF via http requests with variable url
|
// SampleCodeG107 - SSRF via http requests with variable url
|
||||||
SampleCodeG107 = []CodeSample{{[]string{`
|
SampleCodeG107 = []CodeSample{{[]string{`
|
||||||
|
// Input from the std in is considered insecure
|
||||||
package main
|
package main
|
||||||
import (
|
import (
|
||||||
"net/http"
|
"net/http"
|
||||||
|
@ -342,6 +343,53 @@ func main() {
|
||||||
}
|
}
|
||||||
fmt.Printf("%s", body)
|
fmt.Printf("%s", body)
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
|
// A variable value can easily be changed no matter
|
||||||
|
// if it's a global or a local one
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
|
"net/http"
|
||||||
|
)
|
||||||
|
|
||||||
|
var url string = "https://www.google.com"
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
|
||||||
|
resp, err := http.Get(url)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
body, err := ioutil.ReadAll(resp.Body)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
fmt.Printf("%s", body)
|
||||||
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
|
// Environmental variables are not considered as secure source
|
||||||
|
package main
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
"io/ioutil"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
func main() {
|
||||||
|
url := os.Getenv("tainted_url")
|
||||||
|
resp, err := http.Get(url)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
body, err := ioutil.ReadAll(resp.Body)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
fmt.Printf("%s", body)
|
||||||
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
|
// Constant variables or harcoded strings are secure
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
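Review bot: The comment added just before the existing constant-URL sample, `// Constant variables or harcoded strings are secure`, misspells "hardcoded" and over-claims — what G107 demonstrates is only that it does not report URLs which are compile-time constants or literals, not that such a request is secure (its expected-finding count sits past the end of this hunk, so I cannot confirm it here). I would write it as `// Constant or literal URLs cannot be influenced by an attacker, so G107 does not report them`, and for the same reason the first hunk's `// Input from the std in is considered insecure` reads more precisely as `// Input read from stdin is untrusted and can steer the request`. The environment-variable sample also lists its imports in an unsorted order, unlike the sample before it; gofmt does not touch text inside a raw string literal, so sorting them by hand keeps the fixtures consistent. The SampleCodeG107 declaration this hunk extends begins in the first hunk and ends past the end of this one.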