GoLang untaint URL variable to fix gosec warning G107

Question

If I run gosec on the below fragment I get a tainted URL warning: G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)

I figured I should use the 'url' package but it doesn't seem to offer more than ParseQuery() to detect this, but although it gives an error, gosec still reports as a potential vulnerability.

How do I remove the warning, ideally using just the standard library?

func Run() {
	MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}

func MakeGetRequest(uri string) {
	res, _ := http.Get(uri)
	fmt.Println(res)
}

Answer 1

Score: 2

If you are using golangci-lint, and want it to simply ignore this warning since you cannot set the url as a constant, you can use the //nolint directive like this:

func Run() {
    MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}

func MakeGetRequest(uri string) {
    res, _ := http.Get(uri) //nolint
    fmt.Println(res)
}

Answer 2

Score: 1

A way to solve this is by changing the function that executes the request. Instead of using http.Get(url) it is possible to encapsulate the request with http.NewRequest(method, url, body), so the request is not performed right away. So your final code could be:

func MakeGetRequest(uri string) error {
  req, err := http.NewRequest(http.MethodGet, uri, nil)
  if err != nil {
    return err
  }

  res, err := http.DefaultClient.Do(req)
  if err != nil {
    return err
  }
  // The posted snippet left res unused and had no final return, so it did not compile.
  defer res.Body.Close()
  fmt.Println(res)
  return nil
}

With this update, http.NewRequest validates the method and the URL, sets a context for the request and also gives more flexibility for changes if necessary.
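
The question asks how to untaint the variable rather than just hide the warning. What follows is an added example, not code from the question or from any of the answers: it keeps answer 2's http.NewRequest plus client.Do structure, but first passes the raw string through an explicit validation step that rejects whitespace (which url.Parse tolerates, so the "?a=7; rm /* -rf" payload parses cleanly), non-https schemes, embedded userinfo, any host:port outside a caller-supplied allowlist, and query strings that url.ParseQuery refuses. The allowlist contents, the ErrUntrustedURL sentinel and the local httptest server that stands in for the remote host are assumptions made for this example. One caveat: G107 checks whether the URL argument is a constant, not whether it was validated, so this addresses the risk the rule warns about (an attacker choosing the request destination) but does not by itself silence the rule; once the validation is in place, suppressing or excluding the rule at that call site, as answers 1 and 3 do, records a reviewed decision rather than an ignored one.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrUntrustedURL is returned for any input that fails the allowlist checks.
var ErrUntrustedURL = errors.New("untrusted url")

// ValidateURL turns an untrusted string into a canonical URL that is safe to
// hand to the HTTP client, or returns an error wrapping ErrUntrustedURL.
// allowedHosts holds the exact host[:port] values this program may contact
// (a hypothetical allowlist supplied by the caller).
func ValidateURL(raw string, allowedHosts map[string]bool) (string, error) {
	// url.Parse accepts spaces, so reject whitespace up front: it is never
	// valid in a URL and is how the "; rm /* -rf" payload gets through.
	if strings.ContainsAny(raw, " \t\r\n") {
		return "", fmt.Errorf("%w: whitespace in %q", ErrUntrustedURL, raw)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrUntrustedURL, err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("%w: scheme %q", ErrUntrustedURL, u.Scheme)
	}
	if u.User != nil {
		// user:pass@host is a classic way to confuse naive host checks.
		return "", fmt.Errorf("%w: userinfo not allowed", ErrUntrustedURL)
	}
	// Match on Host (host:port), so a non-default port must be allowlisted explicitly.
	if !allowedHosts[u.Host] {
		return "", fmt.Errorf("%w: host %q", ErrUntrustedURL, u.Host)
	}
	// ParseQuery rejects bad percent-escapes and, since Go 1.17, semicolons.
	if _, err := url.ParseQuery(u.RawQuery); err != nil {
		return "", fmt.Errorf("%w: %v", ErrUntrustedURL, err)
	}
	return u.String(), nil
}

// MakeGetRequest validates uri and then performs the GET with the supplied
// client. Only the validated string reaches the client; the raw input never does.
func MakeGetRequest(client *http.Client, uri string, allowedHosts map[string]bool) ([]byte, error) {
	safe, err := ValidateURL(uri, allowedHosts)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodGet, safe, nil)
	if err != nil {
		return nil, err
	}
	res, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()
	// Cap the body so an allowlisted but misbehaving host cannot exhaust memory.
	return io.ReadAll(io.LimitReader(res.Body, 1<<20))
}

func main() {
	// Local TLS server standing in for the remote host, so the demo runs offline.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "a=%s", r.URL.Query().Get("a"))
	}))
	defer srv.Close()
	local, _ := url.Parse(srv.URL)
	allowed := map[string]bool{"www.google.com": true, local.Host: true}

	// Constructed inputs: one good URL, then the payload from the question and two policy violations.
	for _, raw := range []string{
		srv.URL + "/hi?a=7",
		srv.URL + "/hi?a=7; rm /* -rf",
		"http://www.google.com/hi",
		"https://evil.example/hi",
	} {
		body, err := MakeGetRequest(srv.Client(), raw, allowed)
		fmt.Printf("%-45s -> body=%q err=%v\n", raw, body, err)
	}
}
```

The allowlist is keyed on u.Host rather than u.Hostname() on purpose: "www.google.com:8443" is a different destination from "www.google.com" and should be approved separately. If your service must follow redirects, apply the same ValidateURL check inside the client's CheckRedirect, otherwise the first hop is validated and the second is not.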

Answer 3

Score: 0

As per the guidelines mentioned for G107, you should mention the url in a const.

package main

import (
    "fmt"
    "net/http"
)

// A constant URL satisfies G107; "url" is the placeholder value from the answer.
const url = "url"

func main() {
    resp, err := http.Get(url)
    if err != nil {
        fmt.Println(err)
        return // without this, resp is nil and resp.Status below panics
    }
    defer resp.Body.Close()
    fmt.Println(resp.Status)
}

For a better understanding you can refer here: https://securego.io/docs/rules/g107.html

OR

If you want to remove the G107 warning, you should explicitly exclude it.

# Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...

# Run everything except for rule G303
$ gosec -exclude=G303 ./...

# folders and files also can be excluded.

For more details, please refer to the gosec docs: https://github.com/securego/gosec

huangapple
  • Published on 2021-12-09 05:22:26
  • When reposting, please keep this link: https://go.coder-hub.com/70281883.html