ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create rule S5527: Server hostnames should be verified during SSL/TLS connections for go (#4656)

Browse Source 
* Add go to rule S5527

* Add text

* Fix wording

* Fix wording++

* Update rules/S5527/go/how-to-fix-it/std.adoc

Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>

* Move fix it section into the main adoc

* Fix non-compliant->noncompliant

---------

Co-authored-by: teemu-rytilahti-sonarsource <teemu-rytilahti-sonarsource@users.noreply.github.com>
Co-authored-by: Teemu Rytilahti <teemu.rytilahti@sonarsource.com>
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
This commit is contained in:
github-actions[bot] 2025-02-12 18:31:46 +01:00 committed by GitHub
parent 4903879d09
commit 2619fbcace
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 70 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/S5527/go/metadata.json Normal file
View File

@ -0,0 +1,3 @@
{
}

67
rules/S5527/go/rule.adoc Normal file
View File

@ -0,0 +1,67 @@
include::../summary.adoc[]
== Why is this an issue?
include::../rationale.adoc[]
include::../impact.adoc[]
// How to fix it section
== How to fix it
=== Code examples
include::../common/fix/code-rationale.adoc[]
Hostname validation is disabled if ``++InsecureSkipVerify++`` is set to `true` for ``++TLSClientConfig++`` used for the transport class.
For HTTPS, it is recommended to use high-level interfaces (like ``++http.Get()++``), which perform the certificate validation instead of using ``++http.Client++`` directly.
==== Noncompliant code example
[source,go,diff-id=1,diff-type=noncompliant]
----
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true, // Noncompliant
},
},
}
client.Get("https://example.com")
----
==== Compliant solution
Usage of high-level interfaces is recommended:
[source,go,diff-id=1,diff-type=compliant]
----
http.Get("https://example.com")
----
=== How does this work?
include::../common/fix/validation.adoc[]
== Resources
include::../common/resources/standards.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]