Add a rule to catch the usage of insecure template.HTML/CSS... #496
Labels
Comments
ccojocar
changed the title
|
@ccojocar I could try giving this a shot, any ideas on how I could get started. Thanks 👍 |
|
There is this basic rule which needs to be improved in order to catch the assignment to all the types mentioned above. https://github.com/securego/gosec/blob/master/rules/templates.go. Something like: needs to be flagged as warning. You can add additional test samples to verify the changes to the rule in Line 1104 in 6bcd89a |
|
To be fair assigning a string literal to template.JS and template.CSS might be acceptable. This is not true for template.HTML and it is definitely not true for any string that is not a literal. You can read more about this in a package that implements this pattern or in my more detailed explanation of it |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
Create a rule to detect the usage of insecure tmplate.HTML, CSS, HTMLAttr, JS, JSStr, Sercset types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML.
Also see this discussion https://twitter.com/empijei/status/1275177219011350528
Steps to reproduce the behavior
gosec version
Go version (output of 'go version')
Operating system / Environment
Expected behavior
Actual behavior
The text was updated successfully, but these errors were encountered: