Create rule S5527: Server hostnames should be verified during SSL/TLS connections for go (#4656)
* Add go to rule S5527
* Add text
* Fix wording
* Fix wording++
* Update rules/S5527/go/how-to-fix-it/std.adoc
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
* Move fix it section into the main adoc
* Fix non-compliant->noncompliant
---------
Co-authored-by: teemu-rytilahti-sonarsource <teemu-rytilahti-sonarsource@users.noreply.github.com>
Co-authored-by: Teemu Rytilahti <teemu.rytilahti@sonarsource.com>
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
parent 4903879d09
commit 2619fbcace
rules/S5527/go/metadata.json (Normal file, 3 lines)
@ -0,0 +1,3 @@
{

}
rules/S5527/go/rule.adoc (Normal file, 67 lines)
@ -0,0 +1,67 @@
include::../summary.adoc[]

== Why is this an issue?

include::../rationale.adoc[]

include::../impact.adoc[]

// How to fix it section

== How to fix it

=== Code examples

include::../common/fix/code-rationale.adoc[]

Hostname validation is disabled if ``++InsecureSkipVerify++`` is set to `true` for ``++TLSClientConfig++`` used for the transport class.

For HTTPS, it is recommended to use high-level interfaces (like ``++http.Get()++``), which perform the certificate validation instead of using ``++http.Client++`` directly.

==== Noncompliant code example

[source,go,diff-id=1,diff-type=noncompliant]
----
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true, // Noncompliant
},
},
}

client.Get("https://example.com")
----

==== Compliant solution

Usage of high-level interfaces is recommended:
[source,go,diff-id=1,diff-type=compliant]
----
http.Get("https://example.com")
----

=== How does this work?

include::../common/fix/validation.adoc[]

== Resources

include::../common/resources/standards.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]

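Review bot: the compliant solution does not fix the noncompliant code, it discards it: replacing the whole `http.Client` with `http.Get("https://example.com")` drops the custom transport instead of correcting it, and because `http.Get` is just `DefaultClient.Get`, it does not support the claim in the "For HTTPS, it is recommended to use high-level interfaces ..." paragraph that `http.Get()` validates certificates while `http.Client` does not. An `http.Client` whose `tls.Config` leaves `InsecureSkipVerify` at its zero value verifies the chain and the hostname exactly as `http.Get` does. Suggest keeping the client in the compliant example and removing only the flag, i.e. `TLSClientConfig: &tls.Config{},` (or dropping the `TLSClientConfig` field altogether), and, since the usual reason people reach for `InsecureSkipVerify` is a private CA, pointing at `tls.Config.RootCAs` with an `x509.CertPool` built from the CA certificate as the right alternative. Two wording points in the same hunk: `InsecureSkipVerify` disables verification of the server's certificate chain as well as of the hostname, so "Hostname validation is disabled if ..." understates what the flag turns off, and Go has no "transport class"; `http.Transport` is a struct, so "the `http.Transport` used by the client" would be accurate.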