mirror of
https://github.com/securego/gosec.git
synced 2024-12-24 03:25:53 +00:00
Add more types to templates rule
Add additional types such as CSS, JSStr and Srcset to the template rule. These types are marked as a security risk in the godoc https://pkg.go.dev/html/template. Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
This commit is contained in:
parent
c3209fcaac
commit
ed3f51e663
1 changed files with 3 additions and 0 deletions
|
@ -45,9 +45,12 @@ func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error
|
|||
// find use of templates where HTML/JS escaping is not being used
|
||||
func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
|
||||
calls := gosec.NewCallList()
|
||||
calls.Add("html/template", "CSS")
|
||||
calls.Add("html/template", "HTML")
|
||||
calls.Add("html/template", "HTMLAttr")
|
||||
calls.Add("html/template", "JS")
|
||||
calls.Add("html/template", "JSStr")
|
||||
calls.Add("html/template", "Srcset")
|
||||
calls.Add("html/template", "URL")
|
||||
return &templateCheck{
|
||||
calls: calls,
|
||||
|
|
Loading…
Reference in a new issue