net/url: (CWE-532) Check if Unredacted URLs are Printed/Logged #1073

Open
adambkaplan opened this issue Nov 24, 2023 · 1 comment

@adambkaplan (Contributor)

Summary

CWE-532 is a general class of weakness where sensitive information is logged to a file - typically user or system credentials. These leaks can risk potential compromise of a system - see CVE-2017-9615 (CVSS Critical) and CVE-2018-1999036 (CVSS Medium).

net/url URL is a sometimes overlooked source of user credentials. The URL spec supports adding username/passwords directly into the URL for HTTP basic authentication. Since Go 1.15, url.Redacted() can be used instead of passing a URL object directly to printing/logging functions.

Steps to reproduce the behavior

Sample main.go:

package main

import (
	"fmt"
	"net/url"
)

func main() {
	sensitiveURL := &url.URL{
		Scheme: "https",
		User:   url.UserPassword("hello", "worldwithlongpass"), // credentials embedded in the URL
		Host:   "example.net",
		Path:   "login",
	}
	// *url.URL implements Stringer, so this prints the full URL,
	// password included; sensitiveURL.Redacted() would mask it.
	fmt.Println("sample url:", sensitiveURL)
}

gosec version

2.18.2

Go version (output of 'go version')

1.20.10

Operating system / Environment

GOOS=linux (Fedora 38)
GOARCH=amd64

Expected behavior

gosec reports an issue if a net/url.URL object is passed directly into a function that is commonly used to either:

  1. Print to stdout
  2. Log to a file

A short (but not exhaustive) list:

  1. fmt.Print
  2. fmt.Println
  3. log.Print
  4. log.Println
  5. log/slog (all functions with ...any args)

Actual behavior

No issues found.
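The following is an added example and is not code from the issue or from gosec. It shows the leak the issue describes (URL.String() keeps the password, Redacted() masks it) and a prototype of the requested check: it type-checks a constructed source file with go/types and flags any argument of type url.URL or *url.URL passed to a print/log sink. The sink list (fmt, log and top-level log/slog functions) is an assumption taken from the issue's "short but not exhaustive" list, not gosec's rule set; the file is type-checked with the "source" importer so the standard library is read from GOROOT rather than from precompiled export data.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/importer"
	"go/parser"
	"go/token"
	"go/types"
	"net/url"
)

// sample is constructed input for the checker: the issue's leak, a second
// leak via %s (which calls String()), and two safe calls that must not be flagged.
const sample = `package main

import (
	"fmt"
	"log"
	"net/url"
)

func main() {
	u := &url.URL{Scheme: "https", User: url.UserPassword("hello", "worldwithlongpass"), Host: "example.net", Path: "login"}
	fmt.Println("sample url:", u)            // leak: *url.URL, %v calls String()
	log.Printf("url=%s", u)                  // leak: %s calls String() too
	fmt.Println("sample url:", u.Redacted()) // ok: password replaced by xxxxx
	fmt.Println("host:", u.Host)             // ok: plain string field
}
`

// sinks is the issue's short, non-exhaustive list of print/log functions,
// keyed by import path; it is an assumption of this example, not gosec's rule.
var sinks = map[string]map[string]bool{
	"fmt":      {"Print": true, "Println": true, "Printf": true, "Fprint": true, "Fprintln": true, "Fprintf": true},
	"log":      {"Print": true, "Println": true, "Printf": true, "Fatal": true, "Fatalln": true, "Fatalf": true},
	"log/slog": {"Debug": true, "Info": true, "Warn": true, "Error": true},
}

// Finding is one unredacted url.URL reaching a sink.
type Finding struct {
	Line int
	Sink string // e.g. "fmt.Println"
}

// isURLType reports whether t is net/url.URL or *net/url.URL. The value form
// is flagged conservatively: fmt prints its fields rather than calling String().
func isURLType(t types.Type) bool {
	if p, ok := t.(*types.Pointer); ok {
		t = p.Elem()
	}
	named, ok := t.(*types.Named)
	return ok && named.Obj().Pkg() != nil &&
		named.Obj().Pkg().Path() == "net/url" && named.Obj().Name() == "URL"
}

// FindUnredactedURLs type-checks src, so argument types are known rather than
// guessed from syntax, and reports every sink argument whose type is url.URL
// or *url.URL. Arguments such as u.Redacted() or u.Host are strings and pass.
func FindUnredactedURLs(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "main.go", src, 0)
	if err != nil {
		return nil, err
	}
	conf := types.Config{Importer: importer.ForCompiler(fset, "source", nil)}
	info := &types.Info{Types: map[ast.Expr]types.TypeAndValue{}, Uses: map[*ast.Ident]types.Object{}}
	if _, err := conf.Check("main", fset, []*ast.File{f}, info); err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		// Resolve the callee through type info so aliased imports still match.
		fn, ok := info.Uses[sel.Sel].(*types.Func)
		if !ok || fn.Pkg() == nil || !sinks[fn.Pkg().Path()][fn.Name()] {
			return true
		}
		for _, arg := range call.Args {
			if isURLType(info.TypeOf(arg)) {
				findings = append(findings, Finding{Line: fset.Position(arg.Pos()).Line, Sink: fn.Pkg().Path() + "." + fn.Name()})
			}
		}
		return true
	})
	return findings, nil
}

// LeakVsRedacted shows why the rule matters: printing a *url.URL calls
// URL.String(), which keeps the password, while Redacted() masks it.
func LeakVsRedacted() (leaked, safe string) {
	u := &url.URL{Scheme: "https", User: url.UserPassword("hello", "worldwithlongpass"), Host: "example.net", Path: "login"}
	return fmt.Sprint(u), u.Redacted()
}
```

Run FindUnredactedURLs(sample) and it reports lines 11 and 12 of the constructed file (fmt.Println and log.Printf) and nothing for the Redacted() and Host calls. A real gosec rule would also want to handle url.Parse results flowing through wrappers such as fmt.Sprintf, which is why the check keys on the resolved *types.Func rather than on the selector text.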

@ccojocar ccojocar added the rule label Nov 27, 2023
@ccojocar (Member)

@adambkaplan It looks like an interesting suggestion. I am happy to accept any contribution if you can put a rule together. If you need any help, we can guide you. Thanks.
