Add a rule to catch the usage of insecure template.HTML/CSS... #496
Comments
@ccojocar I could try giving this a shot, any ideas on how I could get started? Thanks 👍
There is this basic rule which needs to be improved in order to catch the assignment to all the types mentioned above: https://github.com/securego/gosec/blob/master/rules/templates.go. Something like:
needs to be flagged as a warning. You can add additional test samples to verify the changes to the rule in Line 1104 in 6bcd89a
To be fair, assigning a string literal to template.JS and template.CSS might be acceptable. This is not true for template.HTML, and it is definitely not true for any string that is not a literal. You can read more about this in a package that implements this pattern or in my more detailed explanation of it.
Summary
Create a rule to detect the usage of insecure template.HTML, CSS, HTMLAttr, JS, JSStr, Srcset types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML.
Also see this discussion https://twitter.com/empijei/status/1275177219011350528
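To make the rule discussed above concrete, here is an added example (not gosec's own rule and not code from this thread) of a small AST-based check over Go source: it resolves the local name of the `html/template` import, finds every single-argument conversion into one of the documented "trusted" types (HTML, HTMLAttr, CSS, JS, JSStr, Srcset, URL), and grades it following the thread's distinction. A non-literal argument is the serious case, a string literal to CSS or JS is tolerated, and a literal to HTML is still reported. The function name `ScanSource`, the `Finding` type and the HIGH/MEDIUM/LOW scale are assumptions made for this example; the `sample` source is constructed input.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Finding is one conversion of a value into an html/template "trusted" type.
type Finding struct {
	Line     int
	Type     string // e.g. "template.HTML"
	Literal  bool   // true when the argument is a string literal
	Severity string // HIGH, MEDIUM or LOW (scale chosen for this example)
}

// trustedTypes are the html/template types whose documentation warns that
// a value from an untrusted source is a security risk.
var trustedTypes = map[string]bool{
	"HTML": true, "HTMLAttr": true, "CSS": true,
	"JS": true, "JSStr": true, "Srcset": true, "URL": true,
}

// literalTolerated follows the thread: a string *literal* converted to CSS
// or JS may be acceptable; a literal converted to HTML is still reported.
var literalTolerated = map[string]bool{"CSS": true, "JS": true}

func severity(typ string, literal bool) string {
	switch {
	case !literal:
		return "HIGH" // non-literal: value may originate from user input
	case literalTolerated[typ]:
		return "LOW"
	default:
		return "MEDIUM"
	}
}

// htmlTemplateName returns the local identifier under which the file
// imports html/template, or "" if it does not (text/template is out of scope).
func htmlTemplateName(f *ast.File) string {
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil || path != "html/template" {
			continue
		}
		if imp.Name != nil {
			return imp.Name.Name
		}
		return "template"
	}
	return ""
}

// ScanSource parses Go source text and reports every conversion into one
// of the trusted html/template types (hypothetical helper for this example).
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	pkgName := htmlTemplateName(f)
	if pkgName == "" {
		return nil, nil
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) != 1 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		ident, ok := sel.X.(*ast.Ident)
		if !ok || ident.Name != pkgName || !trustedTypes[sel.Sel.Name] {
			return true
		}
		lit, isLit := call.Args[0].(*ast.BasicLit)
		literal := isLit && lit.Kind == token.STRING
		out = append(out, Finding{
			Line:     fset.Position(call.Pos()).Line,
			Type:     pkgName + "." + sel.Sel.Name,
			Literal:  literal,
			Severity: severity(sel.Sel.Name, literal),
		})
		return true
	})
	return out, nil
}

// sample is constructed input: three conversions to report and one safe use
// (passing the plain string lets html/template escape it contextually).
const sample = `package main

import (
	"html/template"
	"net/http"
)

func handler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query().Get("q")
	t := template.Must(template.New("x").Parse("<p>{{.}}</p>"))
	t.Execute(w, template.HTML(q))          // line 11: non-literal -> HIGH
	_ = template.CSS("body { color: red }") // line 12: literal CSS -> LOW
	_ = template.HTML("<b>static</b>")      // line 13: literal HTML -> MEDIUM
	t.Execute(w, q)                         // safe: html/template escapes q
}
`

func main() {
	findings, err := ScanSource(sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("input.go:%d %s conversion (literal=%v) severity=%s\n",
			f.Line, f.Type, f.Literal, f.Severity)
	}
}
```

The check is purely syntactic, which is the same level a gosec rule works at: it cannot tell whether a non-literal argument is actually tainted, so every non-literal conversion is reported and left to review, and files that import only `text/template` produce no findings.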