use super::{RuleConfigurability, RuleDefaultSeverity, RuleDefinition, RuleLanguage, RuleStatus};
/// Configurability shared by every rule in this catalog: each rule can be
/// disabled outright, ignored at a site, or have its severity overridden.
const STANDARD_CONFIGURABILITY: &[RuleConfigurability] = &[
    RuleConfigurability::Disable,
    RuleConfigurability::Ignore,
    RuleConfigurability::SeverityOverride,
];

/// Builds one stable, Go-language `security`-family rule bound to
/// [`super::bindings::GO_LIBRARY_SECURITY`] with [`STANDARD_CONFIGURABILITY`].
///
/// Only the id, the default severity and the description vary between the
/// rules in this file, so those are the only parameters.
const fn go_security_rule(
    id: &'static str,
    default_severity: RuleDefaultSeverity,
    description: &'static str,
) -> RuleDefinition {
    RuleDefinition {
        id,
        language: RuleLanguage::Go,
        family: "security",
        default_severity,
        status: RuleStatus::Stable,
        configurability: STANDARD_CONFIGURABILITY,
        description,
        binding_location: super::bindings::GO_LIBRARY_SECURITY,
    }
}

/// Catalog of Go security rules, ordered alphabetically by `id`.
///
/// Every entry is produced by [`go_security_rule`], so all rules share the
/// same language, family, status, configurability and binding location; the
/// description states the source pattern each detector matches on.
pub(crate) const RULE_DEFINITIONS: &[RuleDefinition] = &[
    go_security_rule(
        "bcrypt_cost_too_low",
        RuleDefaultSeverity::Warning,
        "`bcrypt.GenerateFromPassword(pw, cost)` where `cost` is literally `< 10` or `bcrypt.MinCost`",
    ),
    // NOTE(review): the trailing "or deferred `C.free`" reads as if a deferred
    // free is itself flagged; confirm the intended meaning is "without a
    // `C.free` (direct or deferred) in the same function".
    go_security_rule(
        "cgo_string_lifetime",
        RuleDefaultSeverity::Warning,
        "`C.CString(goString)` without a corresponding `C.free` in the same function, or deferred `C.free`",
    ),
    go_security_rule(
        "constant_encryption_key",
        RuleDefaultSeverity::Error,
        "`[]byte(\"...\")` used directly as arguments to `cipher.NewGCM`, `aes.NewCipher`, or similar encryption constructor calls",
    ),
    go_security_rule(
        "constant_iv_or_nonce",
        RuleDefaultSeverity::Error,
        "constant or zero-valued byte slices used as IV/nonce arguments to `cipher.NewCBCEncrypter`, `gcm.Seal`, or similar",
    ),
    go_security_rule(
        "cookie_without_httponly",
        RuleDefaultSeverity::Warning,
        "`http.Cookie{...}` for session/auth cookies without `HttpOnly: true`",
    ),
    go_security_rule(
        "cookie_without_samesite",
        RuleDefaultSeverity::Warning,
        "`http.Cookie{...}` without `SameSite` set, particularly for auth/session cookies",
    ),
    go_security_rule(
        "cookie_without_secure_flag",
        RuleDefaultSeverity::Warning,
        "`http.Cookie{...}` literals without `Secure: true` for session or authentication cookies",
    ),
    go_security_rule(
        "cors_allow_all_origins",
        RuleDefaultSeverity::Warning,
        "`Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true`, or CORS middleware configured with `AllowAllOrigins: true` in Gin/Echo/Chi",
    ),
    go_security_rule(
        "debug_endpoint_in_production",
        RuleDefaultSeverity::Warning,
        "`net/http/pprof` import or `http.Handle(\"/debug/pprof/\", ...)` registration without access control",
    ),
    go_security_rule(
        "dns_lookup_for_access_control",
        RuleDefaultSeverity::Warning,
        "`net.LookupHost` or `net.LookupAddr` results used in access control decisions",
    ),
    go_security_rule(
        "ecb_mode_cipher",
        RuleDefaultSeverity::Warning,
        "direct use of `cipher.Block.Encrypt` / `cipher.Block.Decrypt` without a block mode wrapper (CBC, CTR, GCM)",
    ),
    go_security_rule(
        "env_var_in_error_message",
        RuleDefaultSeverity::Warning,
        "`fmt.Errorf(\"... %s\", os.Getenv(\"SECRET_KEY\"))` or similar patterns that embed environment variable values in errors",
    ),
    go_security_rule(
        "error_detail_leaked_to_client",
        RuleDefaultSeverity::Warning,
        "`c.JSON(500, gin.H{\"error\": err.Error()})` or `http.Error(w, err.Error(), 500)` returning internal error details to the client",
    ),
    go_security_rule(
        "filepath_join_with_user_path",
        RuleDefaultSeverity::Warning,
        "`filepath.Join(baseDir, userInput)` without subsequent `filepath.Rel` or path-containment validation",
    ),
    go_security_rule(
        "fmt_print_of_sensitive_struct",
        RuleDefaultSeverity::Warning,
        "`fmt.Sprintf(\"%+v\", user)` or `fmt.Printf(\"%v\", config)` on structs that contain password/secret/token fields",
    ),
    // NOTE(review): this describes a contention/performance finding (Info) yet
    // sits in the `security` family next to `insecure_random_for_security`;
    // confirm the family placement is intended.
    go_security_rule(
        "global_rand_source_contention",
        RuleDefaultSeverity::Info,
        "`math/rand.Intn()`, `rand.Float64()`, etc. (global source) in hot handler or goroutine paths",
    ),
    go_security_rule(
        "goroutine_captures_loop_variable",
        RuleDefaultSeverity::Warning,
        "`for _, v := range items { go func() { use(v) }() }` without rebinding `v` inside the loop body (pre-Go 1.22)",
    ),
    go_security_rule(
        "grpc_without_tls_credentials",
        RuleDefaultSeverity::Warning,
        "`grpc.Dial(addr, grpc.WithInsecure())` or `grpc.WithTransportCredentials(insecure.NewCredentials())` in non-test code",
    ),
    go_security_rule(
        "hardcoded_tls_min_version_too_low",
        RuleDefaultSeverity::Warning,
        "`tls.Config{MinVersion: tls.VersionTLS10}` or `tls.VersionTLS11` or `tls.VersionSSL30`",
    ),
    go_security_rule(
        "hardcoded_tls_skip_verify",
        RuleDefaultSeverity::Error,
        "`tls.Config{InsecureSkipVerify: true}` in non-test code",
    ),
    go_security_rule(
        "header_injection_via_user_input",
        RuleDefaultSeverity::Warning,
        "`w.Header().Set(name, userInput)` or `w.Header().Add(name, userInput)` where the value contains unvalidated user input that could contain `\\r\\n`",
    ),
    go_security_rule(
        "http_handler_missing_security_headers",
        RuleDefaultSeverity::Warning,
        "HTTP handler functions that write responses without setting `X-Content-Type-Options`, `X-Frame-Options`, or `Content-Security-Policy` headers (or without security header middleware)",
    ),
    go_security_rule(
        "http_handler_without_csrf_protection",
        RuleDefaultSeverity::Warning,
        "POST/PUT/DELETE handler registration without evidence of CSRF token middleware",
    ),
    go_security_rule(
        "http_listen_non_tls",
        RuleDefaultSeverity::Warning,
        "`http.ListenAndServe` (non-TLS) usage in production-like code (not test files, not localhost bindings)",
    ),
    go_security_rule(
        "insecure_random_for_security",
        RuleDefaultSeverity::Error,
        "`math/rand` usage (any of `rand.Int`, `rand.Intn`, `rand.Read`, `rand.New`) in functions whose names suggest security use (token generation, key generation, password, nonce, salt, session)",
    ),
    go_security_rule(
        "jwt_none_algorithm_risk",
        RuleDefaultSeverity::Error,
        "JWT verification code that accepts `\"none\"` or `alg: \"\"` as valid signing methods, or uses `jwt.Parse` without `WithValidMethods`",
    ),
    go_security_rule(
        "jwt_secret_in_source",
        RuleDefaultSeverity::Error,
        "`jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte(\"hardcoded\"))` where the signing key is a string literal",
    ),
    go_security_rule(
        "ldap_injection_via_string_concat",
        RuleDefaultSeverity::Error,
        "string concatenation or `fmt.Sprintf` building LDAP filter strings with user input",
    ),
    go_security_rule(
        "missing_rate_limiting_on_auth_endpoint",
        RuleDefaultSeverity::Warning,
        "login/authentication handler functions (name contains `Login`, `Authenticate`, `SignIn`) that don't reference rate limiting, throttling, or brute-force protection mechanisms",
    ),
    go_security_rule(
        "os_exec_command_with_user_input",
        RuleDefaultSeverity::Error,
        "`exec.Command(userInput)` or `exec.Command(\"sh\", \"-c\", variable)` where the command string appears to come from a function parameter or request binding",
    ),
    go_security_rule(
        "panic_stack_trace_to_client",
        RuleDefaultSeverity::Warning,
        "`recover()` in HTTP middleware that sends the panic message/stack to the response writer",
    ),
    go_security_rule(
        "password_stored_as_plaintext",
        RuleDefaultSeverity::Error,
        "struct fields named `Password`, `Passwd`, or `Pwd` stored as `string` in database model structs without evidence of hashing",
    ),
    go_security_rule(
        "race_on_shared_map",
        RuleDefaultSeverity::Warning,
        "map reads/writes from multiple goroutines without mutex or `sync.Map` protection (detect goroutine launches + shared map access patterns)",
    ),
    go_security_rule(
        "rsa_key_size_too_small",
        RuleDefaultSeverity::Warning,
        "`rsa.GenerateKey(rand, bits)` where `bits` is literally `< 2048`",
    ),
    go_security_rule(
        "sensitive_data_in_log",
        RuleDefaultSeverity::Warning,
        "`log.Printf`, `slog.Info`, `zap.String`, `logrus.WithField` calls that include variables named `password`, `secret`, `token`, `apiKey`, `creditCard`, `ssn`, or similar",
    ),
    go_security_rule(
        "shared_slice_append_race",
        RuleDefaultSeverity::Warning,
        "goroutines appending to a shared slice without synchronization",
    ),
    go_security_rule(
        "smtp_plaintext_auth",
        RuleDefaultSeverity::Warning,
        "`smtp.PlainAuth` used without TLS (`smtp.SendMail` to non-TLS endpoints)",
    ),
    go_security_rule(
        "sql_string_concat",
        RuleDefaultSeverity::Warning,
        "Query execution calls where SQL is constructed dynamically with concatenation or fmt.Sprintf.",
    ),
    go_security_rule(
        "ssh_host_key_callback_insecure",
        RuleDefaultSeverity::Warning,
        "`ssh.ClientConfig{HostKeyCallback: ssh.InsecureIgnoreHostKey()}` in non-test code",
    ),
    go_security_rule(
        "ssrf_via_user_controlled_url",
        RuleDefaultSeverity::Error,
        "`http.Get(userInput)` or `http.NewRequest(\"GET\", userInput, nil)` where the URL comes from request parameters",
    ),
    go_security_rule(
        "struct_field_exposed_in_json",
        RuleDefaultSeverity::Warning,
        "exported struct fields containing sensitive data (Password, Secret, Token, APIKey, PrivateKey) without `json:\"-\"` tags in API response structs",
    ),
    go_security_rule(
        "temp_file_predictable_name",
        RuleDefaultSeverity::Warning,
        "`os.Create(\"/tmp/myapp-data.txt\")` or `os.OpenFile(\"/tmp/\" + fixedName, ...)` with predictable filenames",
    ),
    go_security_rule(
        "template_html_unescaped",
        RuleDefaultSeverity::Warning,
        "`template.HTML(userInput)` or `template.JS(userInput)` type conversions on data from request parameters",
    ),
    go_security_rule(
        "text_template_for_html",
        RuleDefaultSeverity::Warning,
        "`text/template` used to generate HTML content (check for HTML tags in template literals or `.html` file extensions in `ParseFiles`)",
    ),
    go_security_rule(
        "timing_attack_on_token_comparison",
        RuleDefaultSeverity::Warning,
        "`token == expectedToken` or `bytes.Equal(token, expected)` for comparing authentication tokens, API keys, or HMAC values",
    ),
    go_security_rule(
        "toctou_file_check_then_open",
        RuleDefaultSeverity::Warning,
        "`os.Stat(path)` or file existence check followed by `os.Open(path)` or `os.Create(path)` without atomic operations",
    ),
    go_security_rule(
        "unsafe_pointer_cast",
        RuleDefaultSeverity::Warning,
        "`unsafe.Pointer` casts between incompatible types, particularly `uintptr` arithmetic followed by cast back to `unsafe.Pointer`",
    ),
    go_security_rule(
        "url_redirect_without_validation",
        RuleDefaultSeverity::Warning,
        "`http.Redirect(w, r, r.FormValue(\"redirect_url\"), 302)` or `c.Redirect(302, c.Query(\"url\"))` without URL validation",
    ),
    go_security_rule(
        "weak_crypto",
        RuleDefaultSeverity::Warning,
        "Direct use of weak standard-library crypto packages such as crypto/md5, crypto/sha1, crypto/des, and crypto/rc4.",
    ),
    go_security_rule(
        "weak_hash_for_integrity",
        RuleDefaultSeverity::Warning,
        "`md5.New()`, `sha1.New()`, `md5.Sum()`, `sha1.Sum()` used for integrity checks, checksums, or MAC operations (not just `weak_crypto` import-level detection)",
    ),
    go_security_rule(
        "websocket_without_origin_check",
        RuleDefaultSeverity::Warning,
        "`websocket.Upgrader{CheckOrigin: func(r *http.Request) bool { return true }}` or missing `CheckOrigin`",
    ),
    go_security_rule(
        "world_readable_file_permissions",
        RuleDefaultSeverity::Warning,
        "`os.OpenFile(path, flag, 0666)` or `os.WriteFile(path, data, 0777)` with world-readable/writable permissions",
    ),
    go_security_rule(
        "xml_decoder_without_entity_limit",
        RuleDefaultSeverity::Warning,
        "`xml.NewDecoder(r)` processing untrusted XML without setting `d.Entity = nil` and without input size limits",
    ),
    go_security_rule(
        "yaml_unmarshal_untrusted_input",
        RuleDefaultSeverity::Warning,
        "`yaml.Unmarshal(untrustedInput, &target)` using `gopkg.in/yaml.v2` without size limits",
    ),
];