Modify rule S3330: Add Go language (#2770)
* Modify rule S2092: Add Go language * Fixes following review of S2092 * Remove Compliant * Fix tabs vs spaces * Use 4 spaces * To trigger the build --------- Co-authored-by: Marcin Stachniuk <marcin.stachniuk@sonarsource.com>
This commit is contained in:
parent
74ed1fa393
commit
9a672e7951
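--- a/rules/S3330/go/metadata.json
+++ b/rules/S3330/go/metadata.json
@@ -0,0 +1,3 @@
+{
+"quickfix": "unknown"
+}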
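--- a/rules/S3330/go/rule.adoc
+++ b/rules/S3330/go/rule.adoc
@@ -0,0 +1,155 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+For https://pkg.go.dev/std[Go Standard Library]:
+
+[source,go,diff-id=1,diff-type=noncompliant]
+----
+import "net/http"
+
+func handler(w http.ResponseWriter, req *http.Request) {
+cookie := http.Cookie{}
+cookie.Name = "cookiename"
+cookie.Value = "cookievalue"
+http.SetCookie(w, &cookie) // Sensitive: HttpOnly is false by default
+}
+----
+
+For https://pkg.go.dev/github.com/beego/beego/v2/server/web[Beego]:
+
+[source,go,diff-id=2,diff-type=noncompliant]
+----
+import "github.com/beego/beego/v2/server/web"
+
+func (ctrl *MainController) handler() {
+ctrl.Ctx.SetCookie("name1", "value1", 200, "/", "example.com", false, false) // Sensitive
+}
+----
+
+For https://pkg.go.dev/github.com/gofiber/fiber/v2[Fiber]:
+
+[source,go,diff-id=3,diff-type=noncompliant]
+----
+import "github.com/gofiber/fiber/v2"
+
+func handler(c *fiber.Ctx) error {
+cookie := new(fiber.Cookie)
+cookie.Name = "name"
+cookie.Value = "value"
+c.Cookie(cookie) // Sensitive: HttpOnly is false by default
+return c.SendString("")
+}
+----
+
+For https://pkg.go.dev/github.com/gin-gonic/gin[Gin]:
+
+[source,go,diff-id=4,diff-type=noncompliant]
+----
+import "github.com/gin-gonic/gin"
+
+func handler(c *gin.Context) {
+c.SetCookie("name", "value", 200, "/", "example.com", false, false) // Sensitive
+c.JSON(http.StatusOK, gin.H{"message": ""})
+}
+----
+
+== Compliant Solution
+
+For https://pkg.go.dev/std[Go Standard Library]:
+
+[source,go,diff-id=1,diff-type=compliant]
+----
+import "net/http"
+
+func handler(w http.ResponseWriter, req *http.Request) {
+cookie := http.Cookie{}
+cookie.Name = "cookiename"
+cookie.Value = "cookievalue"
+cookie.HttpOnly = true
+http.SetCookie(w, &cookie)
+}
+----
+
+For https://pkg.go.dev/github.com/beego/beego/v2/server/web[Beego]:
+
+[source,go,diff-id=2,diff-type=compliant]
+----
+import "github.com/beego/beego/v2/server/web"
+
+func (ctrl *MainController) handler() {
+ctrl.Ctx.SetCookie("name1", "value1", 200, "/", "example.com", false, true)
+}
+----
+
+For https://pkg.go.dev/github.com/gofiber/fiber/v2[Fiber]:
+
+[source,go,diff-id=3,diff-type=compliant]
+----
+import "github.com/gofiber/fiber/v2"
+
+func handler(c *fiber.Ctx) error {
+cookie := new(fiber.Cookie)
+cookie.Name = "name"
+cookie.Value = "value"
+cookie.HTTPOnly = true
+c.Cookie(cookie)
+return c.SendString("")
+}
+----
+
+For https://pkg.go.dev/github.com/gin-gonic/gin[Gin]:
+
+[source,go,diff-id=4,diff-type=compliant]
+----
+import "github.com/gin-gonic/gin"
+
+func handler(c *gin.Context) {
+c.SetCookie("name", "value", 200, "/", "example.com", false, true)
+c.JSON(http.StatusOK, gin.H{"message": ""})
+}
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+=== Highlighting
+
+For Go Standard Library:
+
+* Highlight `SetCookie` if it is assigned an `http.Cookie` that has not `HttpOnly` field specified.
+* Highlight `HttpOnly` field of `http.Cookie` if it is set to `false`.
+
+For Beego:
+
+* Highlight the 7th argument of `web.Controller.Context.SetCookie` if it is set to `false`.
+* Highlight the 7th argument of `web.Controller.Context.Output.Cookie` if it is set to `false`.
+* Highlight the 7th argument of `web.Controller.Context.SetSecureCookie` if it is set to `false`.
+
+For Fiber:
+
+* Highlight `Cookie` if it is assigned a `fiber.Cookie` that has not `HTTPOnly` field specified.
+* Highlight `HTTPOnly` field of `fiber.Cookie` if it is set to `false`.
+
+For Gin:
+
+* Highlight the 7th argument of `gin.Context.SetCookie` if it is set to `false`.
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]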