@adambkaplan It looks like an interesting suggestion. I am happy to accept any contribution if you can put a rule together. If you need any help, we can guide you. Thanks
Summary
CWE-532 is a general class of weakness where sensitive information is logged to a file - typically user or system credentials. These leaks can risk potential compromise of a system - see CVE-2017-9615 (CVSS Critical) and CVE-2018-1999036 (CVSS Medium).
net/url URL is a sometimes overlooked source of user credentials. The URL spec supports adding username/passwords directly into the URL for HTTP basic authentication. Since Go 1.15, url.Redacted() can be used instead of passing a URL object directly to printing/logging functions.
Steps to reproduce the behavior
Sample main.go:
gosec version
2.18.2
Go version (output of 'go version')
1.20.10
Operating system / Environment
GOOS=linux (Fedora 38)
GOARCH=amd64
Expected behavior
gosec reports an issue if a net/url.URL object is passed directly into a function that is commonly used to either print to stdout or write a log.
A short (but not exhaustive) list:
fmt.Print
fmt.Println
log.Print
log.Println
log/slog (all functions with ...any args)
Actual behavior
No issues found.
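As an added illustration (not code from this issue or from gosec), the leak the requested rule would flag beside a small wrapper that makes fmt and log render a URL through url.Redacted; the URL, the credential and the type name are constructed for the example:

```go
package main

import (
	"fmt"
	"log"
	"net/url"
	"strings"
)

// LoggableURL wraps *url.URL so that every fmt/log verb (%s, %v, Println)
// renders it through url.Redacted instead of url.String. Passing the wrapper
// rather than the bare *url.URL removes the CWE-532 leak at the source.
type LoggableURL struct{ *url.URL }

// String satisfies fmt.Stringer, which fmt and log consult for %s, %v and Print*.
func (l LoggableURL) String() string {
	if l.URL == nil {
		return ""
	}
	return l.URL.Redacted() // the password is replaced by "xxxxx"
}

// UnsafeRendering is what the bare *url.URL prints: the password in clear.
func UnsafeRendering(u *url.URL) string {
	return fmt.Sprintf("%v", u) // fmt calls (*url.URL).String()
}

// SafeRendering is the same URL printed through the wrapper.
func SafeRendering(u *url.URL) string {
	return fmt.Sprintf("%v", LoggableURL{u})
}

// LeaksPassword reports whether rendered output still contains u's password,
// a simple guard a unit test can apply to any log line that carries a URL.
func LeaksPassword(u *url.URL, rendered string) bool {
	if u == nil || u.User == nil {
		return false
	}
	pw, has := u.User.Password()
	return has && pw != "" && strings.Contains(rendered, pw)
}

func main() {
	// Constructed sample: a basic-auth URL with an embedded (fake) password.
	u, err := url.Parse("https://deploy:s3cr3t-t0ken@git.example.invalid/org/repo.git")
	if err != nil {
		log.Fatal(err)
	}
	log.Println("unsafe:", UnsafeRendering(u)) // password visible in the log
	log.Println("safe:  ", LoggableURL{u})     // password shown as xxxxx
}
```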