英文:
GoLang untaint URL variable to fix gosec warning G107
问题
如果我在下面的代码片段上运行 gosec,我会得到一个有关污染的 URL 的警告:G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)
。
我想我应该使用 'url' 包,但它似乎只提供了 ParseQuery() 来检测这个问题,但尽管它会报错,gosec 仍然报告它作为一个潜在的漏洞。
我该如何消除这个警告,最好只使用标准库?
func Run() {
MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}
func MakeGetRequest(uri string) {
res, _ := http.Get(uri)
fmt.Println(res)
}
英文:
If I run gosec on the below fragment I get a tainted URL warning: G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)
I figured I should use the 'url' package but it doesn't seem to offer more than ParseQuery() to detect this, but although it gives an error, gosec still reports as a potential vulnerability.
How to I write remove the warning, ideally using just the standard library?
func Run() {
MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}
func MakeGetRequest(uri string) {
res, _ := http.Get(uri)
fmt.Println(res)
}
答案1
得分: 2
如果你正在使用golangci-lint,并且希望它忽略这个警告,因为你无法将URL设置为常量,你可以使用//nolint
指令,像这样:
func Run() {
MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}
func MakeGetRequest(uri string) {
res, _ := http.Get(uri) //nolint
fmt.Println(res)
}
英文:
If you are using golangci-lint, and want it to simply ignore this warning since you cannot set the url as a constant, you can use //nolint
directive like this:
func Run() {
MakeGetRequest("https://www.google.com/hi?a=7; rm /* -rf")
}
func MakeGetRequest(uri string) {
res, _ := http.Get(uri) //nolint
fmt.Println(res)
}
答案2
得分: 1
解决这个问题的一种方法是通过更改执行请求的函数。不再使用http.Get(url)
,而是使用http.NewRequest(method, url, body)
来封装请求,这样请求就不会立即执行。所以你的最终代码可以是:
func MakeGetRequest(uri string) error {
req, err := http.NewRequest(http.MethodGet, uri, nil)
if err != nil {
return err
}
res, err := http.DefaultClient.Do(req)
if err != nil {
return err
}
}
通过这个更新,http.NewRequest
验证了方法和URL,为请求设置了上下文,并且在需要时提供了更多的灵活性进行更改。
英文:
A way to solve this is by changing the function that executes the request. Instead of using http.Get(url)
it is possible to encapsulate the request with http.NewRequest(method, url, body)
, so the request is not performed right away. So your final code could be:
func MakeGetRequest(uri string) error{
req, err := http.NewRequest(http.MethodGet, uri, nil)
if err != nil {
return err
}
res, err := http.DefaultClient.Do(req)
if err != nil {
return err
}
}
With this update, the http.NewRequest
validates the method and the URL, sets a context for the request and also gives more flexibility for changes if necessary.
答案3
得分: 0
根据G107
的指南,你应该在const
中提及url
。
package main
import (
"fmt"
"net/http"
)
const url = "url"
func main() {
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
}
fmt.Println(resp.Status)
}
为了更好地理解,你可以参考这里:https://securego.io/docs/rules/g107.html
或者
如果你想要移除G107
警告,你应该明确地排除它。
# 运行一组特定的规则
$ gosec -include=G101,G203,G401 ./...
# 运行除了规则G303之外的所有规则
$ gosec -exclude=G303 ./...
# 也可以排除文件夹和文件
为了更好地理解,请参考gosec文档:https://github.com/securego/gosec
英文:
As per guidelines mentioned for G107
you should mentioned the url
in const
.
package main
import (
"fmt"
"net/http"
)
const url = "url"
func main() {
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
}
fmt.Println(resp.Status)
}
For better understanding you can refer here : https://securego.io/docs/rules/g107.html
OR
If you want to remove G107
warning then you should explicitly exclude it.
# Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...
# Run everything except for rule G303
$ gosec -exclude=G303 ./...
# folders and files also can be excluded.
For more understanding please refer gosec docs : https://github.com/securego/gosec
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论