Add more types to templates rule
Add additional types such as CSS, JSStr and Srcset to the template rule.
These types are marked as a security risk in the godoc
https://pkg.go.dev/html/template.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
ccojocar committed May 28, 2024
1 parent c3209fc commit ed3f51e
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions rules/templates.go
Expand Up @@ -45,9 +45,12 @@ func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error
// find use of templates where HTML/JS escaping is not being used
func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
calls := gosec.NewCallList()
calls.Add("html/template", "CSS")
calls.Add("html/template", "HTML")
calls.Add("html/template", "HTMLAttr")
calls.Add("html/template", "JS")
calls.Add("html/template", "JSStr")
calls.Add("html/template", "Srcset")
calls.Add("html/template", "URL")
return &templateCheck{
calls: calls,
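Review bot: the doc comment above NewTemplateCheck ("find use of templates where HTML/JS escaping is not being used") is now stale, since the call list also flags CSS, Srcset and URL conversions; update it to name the full set of html/template typed strings the rule matches, e.g. "// find uses of html/template typed strings (CSS, HTML, HTMLAttr, JS, JSStr, Srcset, URL) that bypass contextual escaping". With CSS, JSStr and Srcset added, the list covers every typed-string conversion exported by html/template, which is worth stating in the comment so future readers know the list is meant to be exhaustive. Also, the commit touches only rules/templates.go; the three new conversions should get matching positive test fixtures so the rule is exercised for `template.CSS(...)`, `template.JSStr(...)` and `template.Srcset(...)` and not only for the pre-existing HTML/JS cases.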
