Mar 23, 2023
gin.LoadHTMLGlob with ill-formed pattern would panic (GO-E1000)
gin.LoadHTMLGlob loads the HTML files identified by a glob pattern and associates the
result with the HTML renderer, but if the pattern passed is ill-formed, it
results in a panic. Hence, one should check the pattern before using it as an argument.
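The check suggested above, as an added example that is not DeepSource's or gin's own code: filepath.Glob is used to vet the pattern first, because its only possible error is filepath.ErrBadPattern (the input that makes gin.LoadHTMLGlob panic), and a well-formed pattern that matches no files is also rejected, since LoadHTMLGlob turns that case into a panic through template.Must. The sentinel errors, the helper names and the temp-dir sample template are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var ErrIllFormedPattern = errors.New("ill-formed template glob pattern") // would make LoadHTMLGlob panic
var ErrNoTemplates = errors.New("template glob matches no files")        // template.Must panics on this too

// validateTemplateGlob vets a pattern before it is passed to gin.LoadHTMLGlob.
func validateTemplateGlob(pattern string) ([]string, error) {
	matches, err := filepath.Glob(pattern) // its only possible error is filepath.ErrBadPattern
	if err != nil {
		return nil, fmt.Errorf("%w %q: %v", ErrIllFormedPattern, pattern, err)
	}
	if len(matches) == 0 {
		return nil, fmt.Errorf("%w: %q", ErrNoTemplates, pattern)
	}
	return matches, nil
}

// makeSampleTemplateDir writes one constructed template to a temp dir (offline sample) and returns a matching glob plus a cleanup func.
func makeSampleTemplateDir() (pattern string, cleanup func(), err error) {
	dir, err := os.MkdirTemp("", "gin-templates-")
	if err != nil {
		return "", nil, err
	}
	if err = os.WriteFile(filepath.Join(dir, "index.tmpl"), []byte("<h1>{{ .Title }}</h1>"), 0o600); err != nil {
		return "", nil, err
	}
	return filepath.Join(dir, "*.tmpl"), func() { os.RemoveAll(dir) }, nil
}

func main() {
	good, cleanup, err := makeSampleTemplateDir()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	// "templates/[" has an unterminated character class; the .html pattern is well-formed but matches no files.
	for _, p := range []string{good, "templates/[", filepath.Dir(good) + "/*.html"} {
		if matches, err := validateTemplateGlob(p); err != nil {
			fmt.Println("refusing to call LoadHTMLGlob:", err) // fail closed instead of panicking
		} else {
			fmt.Printf("%q is safe for r.LoadHTMLGlob (%d file(s))\n", p, len(matches))
		}
	}
}
```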
Some functions in the go-redis/redis package are variadic functions, i.e., they
accept any number of trailing arguments, like fmt.Println. A few of them accept
any number of trailing arguments, but there could be a runtime panic because of
their undocumented behavior: if we look at the implementation of those functions,
we find calls to panic. The following functions are variadic, and if the number
of trailing arguments is not correct, it might result in a panic:
Use of headers like "Server", "X-Powered-By" and "X-AspNet-Version" can leak sensitive information about your application and server. If they are not necessary, the use of these headers should be avoided.
The XML specification allows the use of entities that can be internal or external
(file system/network access, etc.), which could lead to vulnerabilities such as
SSRF or confidential file disclosure. The XML package (Go binding to
might be vulnerable to XXE attacks. When dealing with external entities, one
must be very careful when using the package, since resolving them could allow an
attacker to access sensitive data on the filesystem.
gRPC is designed to work with various authentication mechanisms, making it easy to use gRPC to talk to other systems. It is recommended to use the supported authentication mechanisms to shield against multiple types of attacks (e.g., MITM, man-in-the-middle attacks).