Steps to reproduce the behavior

```go
u, err := url.Parse(URL)
if err != nil || u.Host == "" {
    return errors.New("an invalid URL is provided")
}
if u.Scheme != "" {
    u.Scheme = "https"
}
// the parsed and rewritten URL is passed to http.Get inline, in the same function
resp, err := http.Get(u.String())
```

does not throw G107
gosec version: latest (master)
Go version (output of 'go version'): 1.12.4
Operating system / Environment: linux/amd64
Expected behavior: both should at least behave the same (I assume passing, since that's the inlined behavior)
Actual behavior: different behavior depending on whether it is inlined
JAicewizard changed the title from "G107 fails if behind sanitize function, but not if function i smanually outlined" to "G107 fails if behind sanitize function, but not if manually outlined" on May 26, 2019
I think what is happening here is G107 is trying to resolve the url variable to a known constant or basic literal. This mechanism is currently pretty basic and unable to ascertain the return value of sanitizeURL. As such it is treated as untrusted / tainted input.
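As an added example (not code from the issue or from gosec), a fuller version of the sanitizeURL helper the comment refers to, with a constructed host allowlist; the helper body, allowedHosts and fetchViaHelper are assumptions. fetchViaHelper is the call shape the report says G107 flags: the rule cannot see past the call, so it is the allowlist inside the helper, not the rule's literal resolution, that bounds where the request can go.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// allowedHosts is a constructed allowlist for this example: the only
// destinations the application is meant to contact.
var allowedHosts = map[string]bool{"example.com": true, "api.example.com": true}

// sanitizeURL is the helper the comment above refers to by name; this body
// is an assumption. It rejects input without a host or with embedded
// credentials, accepts only allowlisted host[:port] values and forces https,
// so whatever reaches http.Get is bounded regardless of the caller's input.
func sanitizeURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return "", errors.New("an invalid URL is provided")
	}
	if u.User != nil {
		return "", errors.New("credentials in URL are not allowed")
	}
	if !allowedHosts[u.Host] {
		return "", fmt.Errorf("host %q is not allowlisted", u.Host)
	}
	u.Scheme = "https"
	return u.String(), nil
}

// fetchViaHelper has the call shape the issue reports as flagged: the argument
// to http.Get comes from a call G107 cannot resolve to a constant or basic
// literal, so it is treated as tainted even though sanitizeURL constrained it.
func fetchViaHelper(raw string) (*http.Response, error) {
	target, err := sanitizeURL(raw)
	if err != nil {
		return nil, err
	}
	return http.Get(target)
}

func main() {
	// Constructed inputs; the network call itself is not made here.
	for _, raw := range []string{"http://example.com/p", "http://evil.example.net/"} {
		target, err := sanitizeURL(raw)
		fmt.Printf("%-26s -> %q, %v\n", raw, target, err)
	}
}
```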