rspec/rules/S5332/go/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

[source,go,diff-id=1,diff-type=noncompliant]
----
import "net/http"

response, err := http.Get("http://www.example.com/") // Sensitive
----

[source,go,diff-id=2,diff-type=noncompliant]
----
import "net/smtp"

connection, err := smtp.Dial("mail.example.com:25") // Sensitive
connection.Hello("my-sending-server.example.com")
// authenticate and send email
connection.Quit()
----

== Compliant Solution

[source,go,diff-id=1,diff-type=compliant]
----
import "net/http"

response, err := http.Get("https://www.example.com/") // Compliant
----

[source,go,diff-id=2,diff-type=compliant]
----
import (
    "crypto/tls"
    "net/smtp"
)

tlsConfig := &tls.Config{}

connection, err := smtp.Dial("mail.example.com:25") // Compliant
connection.Hello("my-sending-server.example.com")
err = connection.StartTLS(tlsConfig)
if err == nil {
    // authenticate and send email
}
connection.Quit()
----

include::../exceptions.adoc[]

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

== Message

* Make sure allowing clear-text traffic is safe here.
* Using http protocol is insecure. Use https instead.

== Highlighting

Highlight the function call that sets the URL or hostname/port.

endif::env-github,rspecator-view[]
Create rule S5332: Using clear-text protocols is security-sensitive (Go support) (#2874) You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S5332/go) (updated a few minutes after each push). Related tickets: * Research ticket: [APPSEC-898](https://sonarsource.atlassian.net/browse/APPSEC-898) * Implementation ticket (HTTP): [SONARSLANG-605](https://sonarsource.atlassian.net/browse/SONARSLANG-605) * Implementation ticket (FTP): [SONARSLANG-604](https://sonarsource.atlassian.net/browse/SONARSLANG-604) * Implementation ticket (SMTP): [SONARSLANG-603](https://sonarsource.atlassian.net/browse/SONARSLANG-603) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-08-15 17:11:21 +01:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`[source,go,diff-id=1,diff-type=noncompliant]`
			`----`
			`import "net/http"`

			`response, err := http.Get("http://www.example.com/") // Sensitive`
			`----`

			`[source,go,diff-id=2,diff-type=noncompliant]`
			`----`
			`import "net/smtp"`

			`connection, err := smtp.Dial("mail.example.com:25") // Sensitive`
			`connection.Hello("my-sending-server.example.com")`
			`// authenticate and send email`
			`connection.Quit()`
			`----`

			`== Compliant Solution`

			`[source,go,diff-id=1,diff-type=compliant]`
			`----`
			`import "net/http"`

			`response, err := http.Get("https://www.example.com/") // Compliant`
			`----`

			`[source,go,diff-id=2,diff-type=compliant]`
			`----`
			`import (`
			`"crypto/tls"`
			`"net/smtp"`
			`)`

			`tlsConfig := &tls.Config{}`

			`connection, err := smtp.Dial("mail.example.com:25") // Compliant`
			`connection.Hello("my-sending-server.example.com")`
			`err = connection.StartTLS(tlsConfig)`
			`if err == nil {`
			`// authenticate and send email`
			`}`
			`connection.Quit()`
			`----`

			`include::../exceptions.adoc[]`

			`include::../see.adoc[]`

			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`== Message`

			`* Make sure allowing clear-text traffic is safe here.`
			`* Using http protocol is insecure. Use https instead.`

			`== Highlighting`

			`Highlight the function call that sets the URL or hostname/port.`

			`endif::env-github,rspecator-view[]`