user1016765

Reputation: 3063

GoLang untaint URL variable to fix gosec warning G107

If I run gosec on the fragment below I get a tainted-URL warning:

G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)

I figured I should use the 'url' package, but it doesn't seem to offer more than ParseQuery() to detect this, and although that gives an error, gosec still reports it as a potential vulnerability.

How do I remove the warning, ideally using just the standard library?

package main

import (
    "fmt"
    "net/http"
)

func Run() {
    MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}

// The URL is a variable rather than a constant, which is what G107 flags.
func MakeGetRequest(uri string) {
    res, _ := http.Get(uri)
    fmt.Println(res)
}

Upvotes: 4

Views: 5703

Answers (3)

Adilsitos

Reputation: 61

A way to solve this is by changing the function that executes the request. Instead of using http.Get(url) it is possible to encapsulate the request with http.NewRequest(method, url, body), so the request is not performed right away. So your final code could be:

func MakeGetRequest(uri string) error {
    // NewRequest validates the method and parses the URL without sending anything.
    req, err := http.NewRequest(http.MethodGet, uri, nil)
    if err != nil {
        return err
    }

    res, err := http.DefaultClient.Do(req)
    if err != nil {
        return err
    }
    defer res.Body.Close()
    fmt.Println(res.Status)
    return nil
}

With this update, the http.NewRequest validates the method and the URL, sets a context for the request and also gives more flexibility for changes if necessary.

Upvotes: 5
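The question asks for a standard-library way to validate the variable URL, and the answer above restructures the call around http.NewRequest. The following is an added example, not code from the question or either answer: it parses the input with net/url, accepts only absolute https URLs to an allowlisted host (the allowlist and the host www.google.com are assumptions for the example), re-serialises the parsed URL, and then builds the request with NewRequestWithContext and Client.Do. Runtime validation is what the G107 finding is asking for; it does not change what a static rule can see, so pair it with whichever linter-side option in the other answers your build uses.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
)

// allowedHosts is a constructed allowlist for this example; load it from config in practice.
var allowedHosts = map[string]bool{"www.google.com": true}

// ValidateURL parses a caller-supplied string and returns its canonical form
// only if it is an absolute https URL to an allowlisted host.
func ValidateURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return "", fmt.Errorf("userinfo in URL not allowed")
	}
	if !allowedHosts[u.Hostname()] {
		return "", fmt.Errorf("host %q not in allowlist", u.Hostname())
	}
	// Re-serialise from the parsed struct: path and query are kept as data, bound to the allowlisted host.
	return u.String(), nil
}

// MakeGetRequest validates first, then builds the request with
// NewRequestWithContext and Client.Do as in the answer above.
func MakeGetRequest(ctx context.Context, raw string) (int, error) {
	safe, err := ValidateURL(raw)
	if err != nil {
		return 0, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, safe, nil)
	if err != nil {
		return 0, err
	}
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer res.Body.Close()
	return res.StatusCode, nil
}
```

With the question's input, the "; rm /* -rf" part survives only as query data on the allowlisted host; a URL with another scheme, another host, or userinfo in front of the host is rejected before any request is built.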

manjinder randhawa

Reputation: 46

If you are using golangci-lint and want it to simply ignore this warning, since you cannot set the URL as a constant, you can use the //nolint directive like this:

package main

import (
    "fmt"
    "net/http"
)

func Run() {
    MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}

func MakeGetRequest(uri string) {
    res, _ := http.Get(uri) //nolint
    fmt.Println(res)
}

Upvotes: 3

Ashutosh Singh

Reputation: 1047

As per the guidelines for G107, you should declare the URL as a const.

package main

import (
    "fmt"
    "net/http"
)

// A constant URL is not flagged by G107.
const url = "url"

func main() {
    resp, err := http.Get(url)
    if err != nil {
        fmt.Println(err)
        return // resp is nil on error, so do not dereference it
    }
    defer resp.Body.Close()
    fmt.Println(resp.Status)
}

For a better understanding, refer to https://securego.io/docs/rules/g107.html

OR

If you want to remove the G107 warning, you should explicitly exclude it.

# Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...

# Run everything except for rule G303
$ gosec -exclude=G303 ./...

# folders and files also can be excluded.

For more details, refer to the gosec docs: https://github.com/securego/gosec

Upvotes: 0
