4a31d0ec22
Specification ticket: https://sonarsource.atlassian.net/browse/APPSEC-911 You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S2077/go) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
56 lines
1.1 KiB
Plaintext
56 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,go,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
func getName(db *sql.DB, id string) (string, error) {
|
|
var name string
|
|
row := db.QueryRow("SELECT name FROM users WHERE id = " + id) // Sensitive
|
|
|
|
if err := row.Scan(&name); err != nil {
|
|
if err == sql.ErrNoRows {
|
|
return name, fmt.Errorf("No name found for id %s", id)
|
|
}
|
|
}
|
|
|
|
return name, nil
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,go,diff-id=1,diff-type=compliant]
|
|
----
|
|
func getName(db *sql.DB, id string) (string, error) {
|
|
var name string
|
|
row := db.QueryRow("SELECT name FROM users WHERE id = ?", id)
|
|
|
|
if err := row.Scan(&name); err != nil {
|
|
if err == sql.ErrNoRows {
|
|
return name, fmt.Errorf("No name found for id %s", id)
|
|
}
|
|
}
|
|
|
|
return name, nil
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|