Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Modify rule S3330: Add Go language #2770

Merged
merged 6 commits into from
Jan 24, 2025
+158 −0
Merged

Modify rule S3330: Add Go language #2770

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
d144987
Modify rule S2092: Add Go language
sebastien-andrivet-sonarsource Aug 3, 2023
ff28a18
Fixes following review of S2092
sebastien-andrivet-sonarsource Aug 4, 2023
7745d14
Remove Compliant
sebastien-andrivet-sonarsource Aug 4, 2023
14c0a00
Fix tabs vs spaces
sebastien-andrivet-sonarsource Aug 4, 2023
52487d8
Use 4 spaces
sebastien-andrivet-sonarsource Aug 4, 2023
2845f61
To trigger the build
mstachniuk Jan 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions rules/S3330/go/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"quickfix": "unknown"
}
155 changes: 155 additions & 0 deletions rules/S3330/go/rule.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,155 @@
include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://pkg.go.dev/std[Go Standard Library]:

[source,go,diff-id=1,diff-type=noncompliant]
----
import "net/http"

func handler(w http.ResponseWriter, req *http.Request) {
cookie := http.Cookie{}
cookie.Name = "cookiename"
cookie.Value = "cookievalue"
http.SetCookie(w, &cookie) // Sensitive: HttpOnly is false by default
}
----

For https://pkg.go.dev/github.com/beego/beego/v2/server/web[Beego]:

[source,go,diff-id=2,diff-type=noncompliant]
----
import "github.com/beego/beego/v2/server/web"

func (ctrl *MainController) handler() {
ctrl.Ctx.SetCookie("name1", "value1", 200, "/", "example.com", false, false) // Sensitive
}
----

For https://pkg.go.dev/github.com/gofiber/fiber/v2[Fiber]:

[source,go,diff-id=3,diff-type=noncompliant]
----
import "github.com/gofiber/fiber/v2"

func handler(c *fiber.Ctx) error {
cookie := new(fiber.Cookie)
cookie.Name = "name"
cookie.Value = "value"
c.Cookie(cookie) // Sensitive: HttpOnly is false by default
return c.SendString("")
}
----

For https://pkg.go.dev/github.com/gin-gonic/gin[Gin]:

[source,go,diff-id=4,diff-type=noncompliant]
----
import "github.com/gin-gonic/gin"

func handler(c *gin.Context) {
c.SetCookie("name", "value", 200, "/", "example.com", false, false) // Sensitive
c.JSON(http.StatusOK, gin.H{"message": ""})
}
----

== Compliant Solution

For https://pkg.go.dev/std[Go Standard Library]:

[source,go,diff-id=1,diff-type=compliant]
----
import "net/http"

func handler(w http.ResponseWriter, req *http.Request) {
cookie := http.Cookie{}
cookie.Name = "cookiename"
cookie.Value = "cookievalue"
cookie.HttpOnly = true
http.SetCookie(w, &cookie)
}
----

For https://pkg.go.dev/github.com/beego/beego/v2/server/web[Beego]:

[source,go,diff-id=2,diff-type=compliant]
----
import "github.com/beego/beego/v2/server/web"

func (ctrl *MainController) handler() {
ctrl.Ctx.SetCookie("name1", "value1", 200, "/", "example.com", false, true)
}
----

For https://pkg.go.dev/github.com/gofiber/fiber/v2[Fiber]:

[source,go,diff-id=3,diff-type=compliant]
----
import "github.com/gofiber/fiber/v2"

func handler(c *fiber.Ctx) error {
cookie := new(fiber.Cookie)
cookie.Name = "name"
cookie.Value = "value"
cookie.HTTPOnly = true
c.Cookie(cookie)
return c.SendString("")
}
----

For https://pkg.go.dev/github.com/gin-gonic/gin[Gin]:

[source,go,diff-id=4,diff-type=compliant]
----
import "github.com/gin-gonic/gin"

func handler(c *gin.Context) {
c.SetCookie("name", "value", 200, "/", "example.com", false, true)
c.JSON(http.StatusOK, gin.H{"message": ""})
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

=== Highlighting

For Go Standard Library:

* Highlight `SetCookie` if it is assigned an `http.Cookie` that has not `HttpOnly` field specified.
* Highlight `HttpOnly` field of `http.Cookie` if it is set to `false`.

For Beego:

* Highlight the 7th argument of `web.Controller.Context.SetCookie` if it is set to `false`.
* Highlight the 7th argument of `web.Controller.Context.Output.Cookie` if it is set to `false`.
* Highlight the 7th argument of `web.Controller.Context.SetSecureCookie` if it is set to `false`.

For Fiber:

* Highlight `Cookie` if it is assigned a `fiber.Cookie` that has not `HTTPOnly` field specified.
* Highlight `HTTPOnly` field of `fiber.Cookie` if it is set to `false`.

For Gin:

* Highlight the 7th argument of `gin.Context.SetCookie` if it is set to `false`.

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Loading