
staticcheck: detect unlikely encoding field names

Open FiloSottile opened this issue 6 months ago • 2 comments

https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/ reports that they found a number of mistakes like

type User struct {
    Username string `json:"username,omitempty"`
    Password string `json:"password,omitempty"`
    IsAdmin  bool   `json:"-,omitempty"`
}

and

type User struct {
    Username string `json:"omitempty"`
}

where the field name is respectively - and omitempty but was not intended to be.

FiloSottile, Jun 21 '25 19:06

Ugh, that's annoying, because they fall into the "probably wrong, but who knows?" category. Maybe someone does want their field to be called - and to be omitted when empty, and maybe someone does want to name their field omitempty.

But I'm hopeful that this is rare enough (and ~doesn't occur intentionally in my corpus) that we can flag this as part of SA9: Dubious code constructs that have a high probability of being wrong.

dominikh, Jun 22 '25 13:06
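To make the two footguns from the issue concrete, and to sketch the kind of check dominikh describes, here is an added example. It is not staticcheck's code and not part of the issue: it first marshals the two structs with the standard encoding/json to show that `-,omitempty` produces a key literally named "-" and that `omitempty` becomes a key named "omitempty", then runs a small hypothetical checker (`suspiciousJSONTags`, built on go/parser) over a constructed source file containing those structs plus a correctly tagged control struct. The option list `optionNames` and the `Finding` type are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"reflect"
	"strconv"
	"strings"
)

// User reproduces the first struct from the issue. The author meant to skip
// IsAdmin, but "-,omitempty" is parsed as name "-" plus option omitempty.
type User struct {
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
	IsAdmin  bool   `json:"-,omitempty"`
}

// Account reproduces the second struct: the leading comma is missing, so the
// key is named "omitempty" and nothing is ever omitted.
type Account struct {
	Username string `json:"omitempty"`
}

// marshalUser and marshalAccount return what encoding/json really emits.
func marshalUser(u User) string {
	b, err := json.Marshal(u)
	if err != nil {
		panic(err)
	}
	return string(b)
}

func marshalAccount(a Account) string {
	b, err := json.Marshal(a)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// optionNames (an assumption for this example) lists encoding/json tag
// options; seeing one in the name position almost always means a lost comma.
var optionNames = map[string]bool{"omitempty": true, "omitzero": true}

// Finding is one flagged field: its name, the full json tag, and the reason.
type Finding struct {
	Field, Tag, Reason string
}

// suspiciousJSONTags is a hypothetical checker (not staticcheck's) that parses
// one Go source file and reports struct fields whose json tag name is "-"
// combined with options, or is itself an option keyword.
func suspiciousJSONTags(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "src.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		st, ok := n.(*ast.StructType)
		if !ok {
			return true
		}
		for _, field := range st.Fields.List {
			if field.Tag == nil {
				continue
			}
			raw, err := strconv.Unquote(field.Tag.Value) // strip the backticks
			if err != nil {
				continue
			}
			tag, ok := reflect.StructTag(raw).Lookup("json")
			if !ok {
				continue
			}
			name, opts, _ := strings.Cut(tag, ",") // same split encoding/json uses
			fname := "<embedded>"
			if len(field.Names) > 0 {
				fname = field.Names[0].Name
			}
			switch {
			case name == "-" && opts != "":
				out = append(out, Finding{fname, tag, `name "-" with options: field is encoded under key "-", not skipped`})
			case optionNames[name]:
				out = append(out, Finding{fname, tag, fmt.Sprintf("name %q is a tag option; missing leading comma?", name)})
			}
		}
		return true
	})
	return out, nil
}

// sampleSrc is a constructed input: the two structs from the issue plus a
// correctly tagged struct so the checker has a negative case.
const sampleSrc = "package p\n" +
	"type User struct {\n" +
	"\tUsername string `json:\"username,omitempty\"`\n" +
	"\tPassword string `json:\"password,omitempty\"`\n" +
	"\tIsAdmin  bool   `json:\"-,omitempty\"`\n" +
	"}\n" +
	"type Account struct {\n" +
	"\tUsername string `json:\"omitempty\"`\n" +
	"}\n" +
	"type Fine struct {\n" +
	"\tSecret string `json:\"-\"`\n" +
	"\tName   string `json:\",omitempty\"`\n" +
	"}\n"

func main() {
	fmt.Println(marshalUser(User{Username: "alice", IsAdmin: true}))
	fmt.Println(marshalAccount(Account{Username: "alice"}))
	findings, err := suspiciousJSONTags(sampleSrc)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s `json:%q`: %s\n", f.Field, f.Tag, f.Reason)
	}
}
```

Note that a bare `json:"-"` (the Secret field in the control struct) is not flagged: that is the documented way to skip a field, and the problem only arises once options follow the dash. A real SA9-style check would work on typed ASTs and consider the other encoding packages too; the split-on-first-comma logic is the part that matters.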

https://go-review.googlesource.com/c/go/+/683175 makes encoding/json/v2 reject unquoted -.

FiloSottile, Jun 24 '25 17:06