actions/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2024-11-05 11:35:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add more types to templates rule

Browse source 
Add additional types such as CSS, JSStr and Srcset to the template rule.
These types are marked as a security risk in the godoc
https://pkg.go.dev/html/template.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
This commit is contained in:
Cosmin Cojocar 2024-05-28 09:34:40 +01:00
parent c3209fcaac
commit ed3f51e663
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
rules/templates.go
View file

@ -45,9 +45,12 @@ func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error
// find use of templates where HTML/JS escaping is not being used
func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
calls := gosec.NewCallList()
calls.Add("html/template", "CSS")
calls.Add("html/template", "HTML")
calls.Add("html/template", "HTMLAttr")
calls.Add("html/template", "JS")
calls.Add("html/template", "JSStr")
calls.Add("html/template", "Srcset")
calls.Add("html/template", "URL")
return &templateCheck{
calls: calls,