Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a rule which warns when xml encoding is used without sanitisation #552

Open
ccojocar opened this issue Dec 31, 2020 · 0 comments
Open

Add a rule which warns when xml encoding is used without sanitisation #552

ccojocar opened this issue Dec 31, 2020 · 0 comments
Labels
help wanted rule

Comments

@ccojocar
Copy link
Member

Summary

There is a recent vulnerability which was reported in encoding/xml package. See https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ and https://github.com/mattermost/xml-roundtrip-validator/tree/master/advisories for more details.

It doesn't seem to be entirely mitigated in the upcoming Go release, therefore it would be nice to have a rule which warns people when they are using the xml encoding without sanitisation.

See also this xml input validator https://github.com/mattermost/xml-roundtrip-validator

Steps to reproduce the behavior

gosec version

Go version (output of 'go version')

Operating system / Environment

Expected behavior

Actual behavior
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted rule
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ccojocar