
net/url: (CWE-532) Check if Unredacted URLs are Printed/Logged

Open adambkaplan opened this issue 2 years ago • 1 comments

Summary

CWE-532 is a general class of weakness where sensitive information is logged to a file - typically user or system credentials. These leaks can risk potential compromise of a system - see CVE-2017-9615 (CVSS Critical) and CVE-2018-1999036 (CVSS Medium).

net/url URL is a sometimes overlooked source of user credentials. The URL spec supports adding username/passwords directly into the URL for HTTP basic authentication. Since go 1.15, url.Redacted() can be used instead of passing a URL object directly to printing/logging functions.

Steps to reproduce the behavior

Sample main.go:

package main

import (
	"fmt"
	"net/url"
)

func main() {
	sensitiveURL := &url.URL{
		Scheme: "https",
		User:   url.UserPassword("hello", "worldwithlongpass"),
		Host:   "example.net",
		Path:   "login",
	}
	fmt.Println("sample url:", sensitiveURL)
}

gosec version

2.18.2

Go version (output of 'go version')

1.20.10

Operating system / Environment

GOOS=linux (Fedora 38) GOARCH=amd64

Expected behavior

gosec reports an issue if a net/url.URL object is passed directly into a function that is commonly used to either:

  1. Print to stdout
  2. Log to a file

A short (but not exhaustive) list:

  1. fmt.Print
  2. fmt.Println
  3. log.Print
  4. log.Println
  5. log/slog (all functions with ...any args)

Actual behavior

No issues found.

adambkaplan avatar Nov 24 '23 21:11 adambkaplan
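The rule requested above does not exist in gosec at the time of this issue; the following is an added, stand-alone sketch (not gosec's code, not the reporter's) of what such a check could look like. It uses only go/ast, so it is a syntactic heuristic: it records variables assigned from `&url.URL{...}` or `url.Parse(...)` in a file and flags them when they are passed directly to a print/log sink. The sink list, the `Finding` type and the embedded sample program (the issue's main.go with a redacted call and a `url.Parse` case added) are all assumptions constructed for this example; a real rule would use type information rather than assignment tracking. `SafeString` shows the fix the issue points at, `(*url.URL).Redacted`.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"net/url"
)

// Constructed sample source: the issue's main.go plus one safe and one more unsafe call.
const sample = `package main

import (
	"fmt"
	"log"
	"net/url"
)

func main() {
	sensitiveURL := &url.URL{
		Scheme: "https",
		User:   url.UserPassword("hello", "worldwithlongpass"),
		Host:   "example.net",
		Path:   "login",
	}
	fmt.Println("sample url:", sensitiveURL)            // leaks the password
	log.Printf("redacted: %s", sensitiveURL.Redacted()) // safe: password masked
	parsed, _ := url.Parse("https://u:p@example.net/")
	fmt.Print(parsed)                                    // leaks the password
}
`

// Finding is one sink call that receives an unredacted *url.URL (hypothetical type).
type Finding struct {
	Line int
	Call string
}

// logSinks is an assumed, non-exhaustive list of print/log functions to treat as sinks.
var logSinks = map[string]bool{
	"fmt.Print": true, "fmt.Println": true, "fmt.Printf": true,
	"log.Print": true, "log.Println": true, "log.Printf": true,
	"slog.Info": true, "slog.Warn": true, "slog.Error": true, "slog.Debug": true,
}

// FindUnredactedURLLogs parses src and reports sink calls whose argument is a variable
// that was bound, somewhere in the same file, to &url.URL{...} or url.Parse(...).
func FindUnredactedURLLogs(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	// Pass 1: names of variables holding URL values.
	urlVars := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		as, ok := n.(*ast.AssignStmt)
		if ok && len(as.Rhs) > 0 && isURLValue(as.Rhs[0]) {
			// url.Parse returns (*URL, error); only the first LHS name is the URL.
			if id, ok := as.Lhs[0].(*ast.Ident); ok {
				urlVars[id.Name] = true
			}
		}
		return true
	})
	// Pass 2: sink calls that receive one of those variables directly (a method call
	// such as u.Redacted() is a CallExpr, not an Ident, so it is not flagged).
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || !logSinks[qualifiedName(call.Fun)] {
			return true
		}
		for _, arg := range call.Args {
			if id, ok := arg.(*ast.Ident); ok && urlVars[id.Name] {
				findings = append(findings, Finding{fset.Position(call.Pos()).Line, qualifiedName(call.Fun)})
			}
		}
		return true
	})
	return findings, nil
}

// isURLValue reports whether expr is &url.URL{...} or url.Parse(...).
func isURLValue(expr ast.Expr) bool {
	switch e := expr.(type) {
	case *ast.UnaryExpr:
		if cl, ok := e.X.(*ast.CompositeLit); ok && e.Op == token.AND {
			return qualifiedName(cl.Type) == "url.URL"
		}
	case *ast.CallExpr:
		return qualifiedName(e.Fun) == "url.Parse"
	}
	return false
}

// qualifiedName returns "pkg.Name" for a selector expression like fmt.Println, else "".
func qualifiedName(expr ast.Expr) string {
	if sel, ok := expr.(*ast.SelectorExpr); ok {
		if pkg, ok := sel.X.(*ast.Ident); ok {
			return pkg.Name + "." + sel.Sel.Name
		}
	}
	return ""
}

// SafeString is the remediation: Redacted() replaces the password with "xxxxx".
func SafeString(u *url.URL) string { return u.Redacted() }

func main() {
	findings, err := FindUnredactedURLLogs(sample)
	if err != nil {
		panic(err)
	}
	for _, fnd := range findings {
		fmt.Printf("sample.go:%d: %s called with an unredacted *url.URL\n", fnd.Line, fnd.Call)
	}
	u := &url.URL{Scheme: "https", User: url.UserPassword("hello", "worldwithlongpass"), Host: "example.net", Path: "login"}
	fmt.Println("unsafe:", u.String(), "\nsafe:  ", SafeString(u))
}
```

Running it flags the `fmt.Println` and `fmt.Print` calls in the sample and leaves the `log.Printf(... Redacted())` call alone; the final two lines show the same URL with and without the password. Because the detector tracks assignments by name only, it misses URLs that arrive through function parameters, struct fields or `%v` formatting of a containing value, which is why a production rule in gosec would want the type checker's view of each argument.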

@adambkaplan It looks like an interesting suggestion. I am happy to accept any contribution if you can put a rule together. If you need any help, we can guide you. Thanks.

ccojocar avatar Nov 27 '23 08:11 ccojocar