Made by DeepSource

Email content injection GO-S1014

Security · Major · A03, CWE-640, OWASP Top 10

Using untrusted input to construct an email's body can lead to several security vulnerabilities. For instance, including untrusted input in an email body may let an attacker carry out cross-site scripting (XSS) attacks, and including the value of an HTTP header (such as the Host header used to build a password-reset link) may even allow a complete account compromise. Untrusted data should not be used without careful scrutiny, and HTTP header values should not be included in the email's body.

Bad practice

package main

import (
    "net/http"
    "net/smtp"
    "os"
)

func mail(w http.ResponseWriter, r *http.Request) {
    // NOTE: The Host header is supplied by the client, so the reset link can be
    // made to point at a host the attacker controls. This should be avoided.
    // (Go's server moves the Host header into r.Host; either source is untrusted.)
    host := r.Header.Get("Host")
    token := os.Getenv("TOKEN")

    body := "Reset password? Try: " + host + "/" + token
    err := smtp.SendMail("addr", nil, "[email protected]", nil, []byte(body))
    if err != nil {
        // ...
    }
}

Recommended

package main

import (
    "net/http"
    "net/smtp"
    "os"
    // plus the application's own configuration package, referred to as "config" below
)

func mail(w http.ResponseWriter, r *http.Request) {
    // NOTE: Instead of taking the host from the request's Host header, it is
    // read from server-side configuration ("config"), which the client cannot
    // influence, so the reset link always points at the intended host.
    host := config.Get("Host")
    token := os.Getenv("TOKEN")

    body := "Reset password? Try: " + host + "/" + token
    err := smtp.SendMail("addr", nil, "[email protected]", nil, []byte(body))
    if err != nil {
        // ...
    }
}
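As an added example (not DeepSource's code), here is one way to build the reset message so that every untrusted value is checked before it reaches the body: the host comes from configuration and is validated against an allowlist, a user-supplied display name is rejected if it contains CR/LF and HTML-escaped otherwise, and the link is assembled with net/url. The allowlist, the error values and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/url"
	"strings"
)

var (
	// Hypothetical allowlist; in a real service it comes from config, never the request.
	allowedHosts     = map[string]bool{"app.example.com": true}
	ErrUntrustedHost = errors.New("host is not an allowed reset-link host")
	ErrBadInput      = errors.New("input contains CR/LF control characters")
)

// sanitizeForBody prepares untrusted text (e.g. a display name) for an HTML body:
// CR/LF is rejected because it could inject SMTP headers; the rest is HTML-escaped.
func sanitizeForBody(s string) (string, error) {
	if strings.ContainsAny(s, "\r\n") {
		return "", ErrBadInput
	}
	return html.EscapeString(s), nil
}

// buildResetEmail builds the reset link from the configured host (checked against
// the allowlist, never taken from the request) and the token, then assembles the body.
func buildResetEmail(configuredHost, displayName, token string) (string, error) {
	if !allowedHosts[configuredHost] {
		return "", ErrUntrustedHost
	}
	name, err := sanitizeForBody(displayName)
	if err != nil {
		return "", err
	}
	u := url.URL{Scheme: "https", Host: configuredHost, Path: "/reset"}
	q := u.Query()
	q.Set("token", token)
	u.RawQuery = q.Encode()
	href := html.EscapeString(u.String())
	return fmt.Sprintf(`<p>Hello %s,</p><p>Reset password? Try: <a href="%s">%s</a></p>`, name, href, href), nil
}

func main() {
	body, err := buildResetEmail("app.example.com", "Ada <script>", "constructed-token")
	fmt.Println(body, err)
}
```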
