use super::{RuleConfigurability, RuleDefaultSeverity, RuleDefinition, RuleLanguage, RuleStatus};
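/// Configurability shared by every rule in this table: each one can be
/// disabled, ignored, or have its severity overridden.
const GIN_RULE_CONFIGURABILITY: &[RuleConfigurability] = &[
    RuleConfigurability::Disable,
    RuleConfigurability::Ignore,
    RuleConfigurability::SeverityOverride,
];

/// Builds one Go/Gin rule definition.
///
/// Every entry in [`RULE_DEFINITIONS`] shares the same language (`Go`),
/// family (`"gin"`), default severity (`Contextual`), status (`Stable`),
/// configurability and binding location; only `id` and `description`
/// vary. Routing all entries through this helper keeps the shared fields
/// in one place so individual entries cannot silently drift (e.g. one
/// rule accidentally losing `SeverityOverride`).
const fn gin_rule(id: &'static str, description: &'static str) -> RuleDefinition {
    RuleDefinition {
        id,
        language: RuleLanguage::Go,
        family: "gin",
        default_severity: RuleDefaultSeverity::Contextual,
        status: RuleStatus::Stable,
        configurability: GIN_RULE_CONFIGURABILITY,
        description,
        binding_location: super::bindings::GO_GIN,
    }
}

/// Rule definitions for the Go Gin family, ordered alphabetically by `id`.
///
/// All rules are request-path efficiency checks bound to
/// `super::bindings::GO_GIN`. Several of them (full-body `io.ReadAll`,
/// large multipart memory thresholds, request/response dumping and body
/// logging) also touch on resource exhaustion or sensitive-data exposure;
/// those are flagged inline with `NOTE(review)` comments for the rule
/// owners to confirm, since the default severity here is `Contextual`
/// for every entry.
pub(crate) const RULE_DEFINITIONS: &[RuleDefinition] = &[
    gin_rule(
        "bindjson_into_map_any_hot_endpoint",
        "Gin handlers that bind JSON into map[string]any or map[string]interface{} on hot request paths.",
    ),
    gin_rule(
        "bindquery_into_map_any_hot_endpoint",
        "Gin handlers that bind query parameters into map[string]any or map[string]interface{} on hot request paths.",
    ),
    // NOTE(review): besides the cost, httputil dumps capture full headers and
    // bodies (auth tokens, cookies, PII) into whatever sink receives them;
    // confirm whether that exposure angle is meant to be part of this rule
    // or tracked separately.
    gin_rule(
        "dumprequest_or_dumpresponse_in_hot_path",
        "Request-path handlers that dump full HTTP requests or responses with httputil.",
    ),
    gin_rule(
        "duplicate_upstream_calls_same_url_same_handler",
        "Same upstream URL called multiple times in one handler.",
    ),
    // NOTE(review): the id names env *or config* lookups but the description
    // only covers environment variable reads — confirm which the detector
    // actually matches and align the text.
    gin_rule(
        "env_or_config_lookup_per_request",
        "Environment variable reads observed on request paths instead of cached configuration.",
    ),
    gin_rule(
        "errgroup_fanout_without_limit_in_handler",
        "errgroup goroutine fanout without a visible concurrency limit in handlers.",
    ),
    // NOTE(review): the id names file *or template* reads but the description
    // only covers files — confirm against the detector.
    gin_rule(
        "file_or_template_read_per_request",
        "Request-path handlers that read files directly instead of using startup caching or dedicated file-serving paths.",
    ),
    // NOTE(review): io.ReadAll on an uploaded file is bounded only by the
    // client-chosen upload size, so this is also a per-request memory
    // exhaustion concern on internet-facing routes; the Contextual default
    // may understate that — confirm with the rule owners.
    gin_rule(
        "formfile_open_readall_whole_upload",
        "Gin handlers that open uploaded form files and then materialize them with io.ReadAll(...).",
    ),
    gin_rule(
        "get_raw_data_then_should_bindjson_duplicate_body",
        "Gin handlers that read GetRawData() and later bind JSON from the same request body.",
    ),
    gin_rule(
        "gin_context_copy_for_each_item_fanout",
        "Gin handlers that call c.Copy() once per loop iteration before goroutine fanout.",
    ),
    // NOTE(review): body/payload logging on hot routes also persists
    // request contents (credentials, PII) into log storage; same exposure
    // caveat as dumprequest_or_dumpresponse_in_hot_path — confirm intent.
    gin_rule(
        "gin_logger_debug_body_logging_on_hot_routes",
        "Verbose body or payload logging observed on likely high-volume Gin routes.",
    ),
    gin_rule(
        "gzip_or_zip_writer_created_per_chunk",
        "Gzip or zip writers recreated per chunk inside handler loops instead of reusing per stream.",
    ),
    gin_rule(
        "indentedjson_in_hot_path",
        "IndentedJSON(...) used on a request path instead of compact JSON rendering.",
    ),
    gin_rule(
        "json_marshaled_manually_then_c_data",
        "Handlers that manually marshal JSON and then write it through gin.Context.Data(...).",
    ),
    gin_rule(
        "large_csv_or_json_export_without_bufio",
        "Export data written in loops without visible buffering in handlers.",
    ),
    gin_rule(
        "large_h_payload_built_only_for_json_response",
        "Large gin.H payloads built as transient dynamic maps right before JSON rendering.",
    ),
    gin_rule(
        "loadhtmlglob_or_loadhtmlfiles_in_request_path",
        "LoadHTMLGlob or LoadHTMLFiles called on request paths instead of startup initialization.",
    ),
    gin_rule(
        "middleware_allocates_db_or_gorm_handle_per_request",
        "Database or GORM connections opened inside handlers or middleware instead of process-level setup.",
    ),
    gin_rule(
        "middleware_allocates_http_client_per_request",
        "HTTP client allocated inside Gin handlers or middleware instead of being shared.",
    ),
    // NOTE(review): the id names regex *or template* allocation and
    // *middleware*, but the description only covers regexp compilation in
    // handlers — confirm which the detector matches.
    gin_rule(
        "middleware_allocates_regex_or_template_per_request",
        "Regexp compilation inside Gin handlers instead of using precompiled patterns.",
    ),
    gin_rule(
        "middleware_rebinds_body_after_handler_bind",
        "Middleware or helper chains that parse the request body after the main handler has already bound it.",
    ),
    gin_rule(
        "multiple_shouldbind_calls_same_handler",
        "Gin handlers that bind the request body multiple times in one function.",
    ),
    gin_rule(
        "no_batching_on_handler_driven_db_write_loop",
        "Request handlers that drive row-by-row DB writes with no batch path.",
    ),
    gin_rule(
        "no_streaming_for_large_export_handler",
        "Large list or export handlers that materialize everything before writing rather than using chunked or streaming output.",
    ),
    // NOTE(review): the in-memory threshold passed to ParseMultipartForm is
    // what caps per-request RAM before spilling to disk, so a large value is
    // the same resource-exhaustion consideration as
    // formfile_open_readall_whole_upload — confirm severity intent.
    gin_rule(
        "parsemultipartform_large_default_memory",
        "Gin handlers that call ParseMultipartForm(...) with large in-memory thresholds on request paths.",
    ),
    // NOTE(review): io.ReadAll on c.Request.Body is unbounded unless a body
    // size limit is applied upstream; same caveat as the multipart rules.
    gin_rule(
        "readall_body_then_bind_duplicate_deserialize",
        "Gin handlers that materialize c.Request.Body with io.ReadAll(...) and then bind the same body again.",
    ),
    gin_rule(
        "repeated_body_rewind_for_multiple_decoders",
        "Gin handlers that read, rewind, and decode the same request body multiple times.",
    ),
    gin_rule(
        "repeated_c_json_inside_stream_loop",
        "Gin handlers that call c.JSON(...) or c.PureJSON(...) from inside loops.",
    ),
    gin_rule(
        "repeated_large_map_literal_response_construction",
        "Large map-literal response assembly on hot routes where a stable typed response would be cheaper.",
    ),
    gin_rule(
        "servefile_via_readfile_then_c_data",
        "Handlers that load files into memory and then write them through gin.Context.Data(...) instead of using file helpers or streaming.",
    ),
    gin_rule(
        "shouldbindbodywith_when_single_bind_is_enough",
        "Gin handlers that use ShouldBindBodyWith(...) even though only one body bind is observed.",
    ),
    gin_rule(
        "template_parse_in_handler",
        "Template construction or parsing inside Gin handlers instead of startup-time caching.",
    ),
    gin_rule(
        "upstream_http_call_per_item_in_handler_loop",
        "Upstream HTTP calls made per item inside handler loops.",
    ),
    gin_rule(
        "upstream_json_decode_same_response_multiple_times",
        "One upstream HTTP response body decoded into multiple targets in the same handler.",
    ),
];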