英文:
GoLang untaint URL variable to fix gosec warning G107
问题
如果我在下面的代码片段上运行 gosec,我会得到一个有关污染的 URL 的警告:G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)。
我想我应该使用 'url' 包,但它似乎只提供了 ParseQuery() 来检测这个问题,但尽管它会报错,gosec 仍然报告它作为一个潜在的漏洞。
我该如何消除这个警告,最好只使用标准库?
func Run() {
MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}
func MakeGetRequest(uri string) {
res, _ := http.Get(uri)
fmt.Println(res)
}
英文:
If I run gosec on the below fragment I get a tainted URL warning: G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)
I figured I should use the 'url' package but it doesn't seem to offer more than ParseQuery() to detect this, but although it gives an error, gosec still reports as a potential vulnerability.
How to I write remove the warning, ideally using just the standard library?
func Run() {
MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}
func MakeGetRequest(uri string) {
res, _ := http.Get(uri)
fmt.Println(res)
}
答案1
得分: 2
如果你正在使用golangci-lint,并且希望它忽略这个警告,因为你无法将URL设置为常量,你可以使用//nolint指令,像这样:
func Run() {
MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}
func MakeGetRequest(uri string) {
res, _ := http.Get(uri) //nolint
fmt.Println(res)
}
英文:
If you are using golangci-lint, and want it to simply ignore this warning since you cannot set the url as a constant, you can use //nolint directive like this:
func Run() {
MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}
func MakeGetRequest(uri string) {
res, _ := http.Get(uri) //nolint
fmt.Println(res)
}
答案2
得分: 1
解决这个问题的一种方法是通过更改执行请求的函数。不再使用http.Get(url),而是使用http.NewRequest(method, url, body)来封装请求,这样请求就不会立即执行。所以你的最终代码可以是:
func MakeGetRequest(uri string) error {
req, err := http.NewRequest(http.MethodGet, uri, nil)
if err != nil {
return err
}
res, err := http.DefaultClient.Do(req)
if err != nil {
return err
}
}
通过这个更新,http.NewRequest验证了方法和URL,为请求设置了上下文,并且在需要时提供了更多的灵活性进行更改。
英文:
A way to solve this is by changing the function that executes the request. Instead of using http.Get(url) it is possible to encapsulate the request with http.NewRequest(method, url, body), so the request is not performed right away. So your final code could be:
func MakeGetRequest(uri string) error{
req, err := http.NewRequest(http.MethodGet, uri, nil)
if err != nil {
return err
}
res, err := http.DefaultClient.Do(req)
if err != nil {
return err
}
}
With this update, the http.NewRequest validates the method and the URL, sets a context for the request and also gives more flexibility for changes if necessary.
答案3
得分: 0
根据G107的指南,你应该在const中提及url。
package main
import (
"fmt"
"net/http"
)
const url = "url"
func main() {
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
}
fmt.Println(resp.Status)
}
为了更好地理解,你可以参考这里:https://securego.io/docs/rules/g107.html
或者
如果你想要移除G107警告,你应该明确地排除它。
# 运行一组特定的规则
$ gosec -include=G101,G203,G401 ./...
# 运行除了规则G303之外的所有规则
$ gosec -exclude=G303 ./...
# 也可以排除文件夹和文件
为了更好地理解,请参考gosec文档:https://github.com/securego/gosec
英文:
As per guidelines mentioned for G107 you should mentioned the url in const.
package main
import (
"fmt"
"net/http"
)
const url = "url"
func main() {
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
}
fmt.Println(resp.Status)
}
For better understanding you can refer here : https://securego.io/docs/rules/g107.html
OR
If you want to remove G107 warning then you should explicitly exclude it.
# Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...
# Run everything except for rule G303
$ gosec -exclude=G303 ./...
# folders and files also can be excluded.
For more understanding please refer gosec docs : https://github.com/securego/gosec
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论