Made by DeepSource

Missing regular expression anchor GO-S1009

Security
Major
Tags: A03, CWE-20, SANS Top 25, OWASP Top 10

Matching untrusted input against a regular expression that has no ^ anchor is unsafe: the pattern can match anywhere in the string, not only at its start. A URL check written this way can be bypassed by a malicious input that merely contains the expected URL somewhere inside it, defeating the system's security check.

Bad practice

package main

import (
    "errors"
    "net/http"
    "regexp"
)

func validateURL(req *http.Request, via []*http.Request) error {
    // NOTE: The host of `req.URL` may be controlled by an attacker and,
    // given the vulnerable regular expression with no anchor, the check
    // is easy to bypass.
    // Example:
    // http://<unsafe-site>.com/?x=http://www.deepsource.com/
    // also gets matched (the expected URL is embedded in the query
    // string component) because there is no `^` anchor.
    // A raw string literal (backticks) is required here; in a
    // double-quoted literal `\.` is an invalid escape sequence.
    re := `https?://www\.deepsource\.com/`
    if matched, _ := regexp.MatchString(re, req.URL.String()); matched {
        return nil
    }
    return errors.New("invalid URL")
}

Here, the check based on the regular expression match (regexp.MatchString) is easy to bypass. For example, the string http://www.deepsource.com/ can be embedded in the query string component of an entirely different URL: http://<any>/?x=http://www.deepsource.com/, where <any> (and the other parts of the URL, which are equally under the attacker's control) can be any malicious site the attacker chooses.

Recommended

package main
import (
    "errors"
    "net/http"
    "regexp"
)

func validateURL(req *http.Request, via []*http.Request) error {
    re := `^https?://www\.deepsource\.com/` // anchored: the match must start at offset 0
    if matched, _ := regexp.MatchString(re, req.URL.String()); matched {
        return nil
    }
    return errors.New("invalid URL")
}
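As an added example (not code from the DeepSource rule page), the following Go program runs both the unanchored and the anchored pattern from this rule over a few constructed URLs, and goes one step further by comparing the parsed scheme and host exactly with net/url; ValidateHost and the sample inputs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Constructed sample inputs: the first two are legitimate, the last two
// embed the expected URL inside an attacker-controlled one.
var samples = []string{
	"https://www.deepsource.com/",
	"http://www.deepsource.com/docs",
	"http://attacker.example/?x=https://www.deepsource.com/",
	"http://attacker.example/https://www.deepsource.com/",
}

var (
	unanchored = regexp.MustCompile(`https?://www\.deepsource\.com/`)
	anchored   = regexp.MustCompile(`^https?://www\.deepsource\.com/`)
)

// MatchUnanchored reproduces the flawed check: the pattern may match anywhere in the string.
func MatchUnanchored(raw string) bool { return unanchored.MatchString(raw) }

// MatchAnchored applies the rule's fix: `^` forces the match to start at offset 0.
func MatchAnchored(raw string) bool { return anchored.MatchString(raw) }

// ValidateHost (hypothetical helper) parses the URL and compares scheme and
// host exactly, so no regular-expression subtlety is involved at all.
func ValidateHost(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() != "www.deepsource.com" {
		return errors.New("invalid URL")
	}
	return nil
}

func main() {
	for _, s := range samples {
		fmt.Printf("%-58s unanchored=%-5t anchored=%-5t host=%t\n",
			s, MatchUnanchored(s), MatchAnchored(s), ValidateHost(s) == nil)
	}
}
```

The two attacker inputs are accepted by the unanchored pattern only; both the anchored pattern and the host comparison reject them while still accepting the legitimate URLs.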
