From ed3f51e66358b0b4beea512a4edabc6116e972ff Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Tue, 28 May 2024 09:34:40 +0100
Subject: [PATCH] Add more types to templates rule

Add additional types such as CSS, JSStr and Srcset to the template rule. These types are marked as a security risk in the godoc https://pkg.go.dev/html/template.

Signed-off-by: Cosmin Cojocar
---
 rules/templates.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rules/templates.go b/rules/templates.go
index 728766f457..3d5f9a977a 100644
--- a/rules/templates.go
+++ b/rules/templates.go
@@ -45,9 +45,12 @@ func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error
 // find use of templates where HTML/JS escaping is not being used
 func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
 	calls := gosec.NewCallList()
+	calls.Add("html/template", "CSS")
 	calls.Add("html/template", "HTML")
 	calls.Add("html/template", "HTMLAttr")
 	calls.Add("html/template", "JS")
+	calls.Add("html/template", "JSStr")
+	calls.Add("html/template", "Srcset")
 	calls.Add("html/template", "URL")
 	return &templateCheck{
 		calls: calls,
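Review bot: The comment above NewTemplateCheck, `// find use of templates where HTML/JS escaping is not being used`, is now narrower than the rule, which after this hunk also reports conversions to `template.CSS`, `template.JSStr` and `template.Srcset`; suggest `// find conversions to html/template's typed-content types (CSS, HTML, HTMLAttr, JS, JSStr, Srcset, URL), which mark a value as trusted and bypass contextual escaping`. If the issue text set in the struct literal below the hunk also names only HTML/JS escaping, it would want the same wording update, though that part is outside the hunk. The diffstat lists only rules/templates.go, so the rule's sample/test cases do not appear to exercise the three new types; one sample per new type would pin the expanded coverage and guard against a later regression. NewTemplateCheck's body continues outside the hunk.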