
Add a rule to catch the usage of insecure template.HTML/CSS...

Open ccojocar opened this issue 5 years ago • 3 comments

Summary

Create a rule to detect the usage of insecure template.HTML, CSS, HTMLAttr, JS, JSStr, Srcset types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML.

Also see this discussion https://twitter.com/empijei/status/1275177219011350528

ccojocar avatar Jun 25 '20 14:06 ccojocar

@ccojocar I could try giving this a shot; any ideas on how I could get started? Thanks :+1:

sladyn98 avatar Jul 28 '20 07:07 sladyn98

There is this basic rule which needs to be improved in order to catch the assignment to all the types mentioned above. https://github.com/securego/gosec/blob/master/rules/templates.go.

Something like:

var myHtml template.HTML = "some text"

needs to be flagged as warning.

You can add additional test samples to verify the changes to the rule in https://github.com/securego/gosec/blob/6bcd89aa6b1cc8a448f99d51886ac29703eb1804/testutils/source.go#L1104.

ccojocar avatar Jul 28 '20 07:07 ccojocar

To be fair, assigning a string literal to template.JS and template.CSS might be acceptable. This is not true for template.HTML and it is definitely not true for any string that is not a literal.

You can read more about this in a package that implements this pattern or in my more detailed explanation of it.

empijei avatar Aug 04 '20 14:08 empijei
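An added illustration of the rule sketched in the two replies above (it is example code written for this page, not gosec's rules/templates.go): a small go/ast pass that reports every place a value becomes one of the html/template typed strings, both through an explicit conversion like template.HTML(s) and through a typed declaration like var h template.HTML = s. Following empijei's remark, non-literal inputs are always reported, while a string literal is reported only for template.HTML; the function name, the "input.go" file name and the heuristic itself are this example's own choices.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)
// html/template typed strings whose contents bypass contextual escaping.
var unsafeTypes = map[string]bool{"HTML": true, "CSS": true, "HTMLAttr": true, "JS": true, "JSStr": true, "Srcset": true}
// templateType returns the type name when expr is a selector such as template.HTML.
func templateType(expr ast.Expr) (string, bool) {
	if sel, ok := expr.(*ast.SelectorExpr); ok {
		if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "template" && unsafeTypes[sel.Sel.Name] {
			return sel.Sel.Name, true
		}
	}
	return "", false
}
// FindInsecureTemplateTypes parses src and reports each place a value becomes one of the unsafe
// types, via explicit conversion (template.HTML(s)) or a typed declaration (var h template.HTML = s).
// Non-literal inputs are always reported; a string literal only for template.HTML (literal CSS/JS may be fine).
func FindInsecureTemplateTypes(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	report := func(typ string, val ast.Expr) {
		if lit, ok := val.(*ast.BasicLit); ok && lit.Kind == token.STRING && typ != "HTML" {
			return // literal CSS/JS/JSStr/HTMLAttr/Srcset: accepted by this heuristic
		}
		findings = append(findings, fmt.Sprintf("%s: value typed as template.%s", fset.Position(val.Pos()), typ))
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr: // explicit conversion
			if typ, ok := templateType(x.Fun); ok && len(x.Args) == 1 {
				report(typ, x.Args[0])
			}
		case *ast.ValueSpec: // var h template.HTML = value
			if typ, ok := templateType(x.Type); ok && len(x.Values) == 1 {
				report(typ, x.Values[0])
			}
		}
		return true
	})
	return findings, nil
}
```

Because this works on the syntax tree only, it relies on the package being referred to as template; an aliased import or a type-checked approach (go/types) would be needed in a production rule.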