Add more types to templates rule
Add the CSS, JSStr and Srcset types to the template rule. These types are documented as a security risk in the html/template godoc: https://pkg.go.dev/html/template. Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
This commit is contained in:
parent
c3209fcaac
commit
ed3f51e663
1 changed files with 3 additions and 0 deletions
|
@ -45,9 +45,12 @@ func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error
|
||||||
// find use of templates where HTML/JS escaping is not being used
|
// find use of templates where HTML/JS escaping is not being used
|
||||||
func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
|
func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
calls := gosec.NewCallList()
|
calls := gosec.NewCallList()
|
||||||
|
calls.Add("html/template", "CSS")
|
||||||
calls.Add("html/template", "HTML")
|
calls.Add("html/template", "HTML")
|
||||||
calls.Add("html/template", "HTMLAttr")
|
calls.Add("html/template", "HTMLAttr")
|
||||||
calls.Add("html/template", "JS")
|
calls.Add("html/template", "JS")
|
||||||
|
calls.Add("html/template", "JSStr")
|
||||||
|
calls.Add("html/template", "Srcset")
|
||||||
calls.Add("html/template", "URL")
|
calls.Add("html/template", "URL")
|
||||||
return &templateCheck{
|
return &templateCheck{
|
||||||
calls: calls,
|
calls: calls,
|
||||||
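Review bot: The header comment at the top of the hunk, `// find use of templates where HTML/JS escaping is not being used`, now undersells the rule, since the call list also covers the CSS, URL and Srcset contexts; I would reword it to `// find conversions to html/template's trusted-content types (CSS, HTML, HTMLAttr, JS, JSStr, Srcset, URL), which bypass contextual escaping`. As far as I can tell these seven entries cover every typed string that html/template exports, which is worth stating in that comment so later readers need not hunt for gaps. The diffstat reports a single changed file, so no sample exercising `template.CSS(...)`, `template.JSStr(...)` or `template.Srcset(...)` appears to accompany the new entries; one in the rule's test samples would pin the detection. NewTemplateCheck's return statement continues past the end of the hunk, so the returned node list is not visible here.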