core/lint
8
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Packages Wiki Activity Actions
lint/catalog/go-security.yaml
Snider bc159163e8 feat: seed catalog with 18 patterns from ecosystem sweep 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 10:59:33 +00:00

88 lines
3.2 KiB
YAML
Raw Permalink Blame History

- id: go-sec-001
title: "SQL wildcard injection in LIKE clauses"
severity: high
languages: [go]
tags: [security, injection]
pattern: 'LIKE\s+\?.*["%].*\+'
fix: "Use parameterised LIKE with EscapeLike() helper to sanitise wildcard characters"
found_in: [go-store]
example_bad: 'db.Query("SELECT * FROM users WHERE name LIKE ?", "%"+input+"%")'
example_good: 'db.Query("SELECT * FROM users WHERE name LIKE ?", "%"+store.EscapeLike(input)+"%")'
first_seen: "2026-03-09"
detection: regex
auto_fixable: false
- id: go-sec-002
title: "Path traversal via filepath.Join"
severity: high
languages: [go]
tags: [security, path-traversal]
pattern: 'filepath\.Join\(.*,\s*\w+\)'
exclude_pattern: 'filepath\.Clean|securejoin|ValidatePath'
fix: "Validate the path component or use securejoin to prevent directory traversal"
found_in: [go-io]
example_bad: 'path := filepath.Join(baseDir, userInput)'
example_good: 'path, err := securejoin.SecureJoin(baseDir, userInput)'
first_seen: "2026-03-09"
detection: regex
auto_fixable: false
- id: go-sec-003
title: "XSS via unescaped HTML in fmt.Sprintf"
severity: high
languages: [go]
tags: [security, xss]
pattern: 'fmt\.Sprintf\(.*<.*>.*%s'
exclude_pattern: 'html\.EscapeString|template\.HTMLEscapeString'
fix: "Use html.EscapeString() on user-controlled values before interpolating into HTML"
found_in: [go-html]
example_bad: 'out := fmt.Sprintf("<div>%s</div>", userInput)'
example_good: 'out := fmt.Sprintf("<div>%s</div>", html.EscapeString(userInput))'
first_seen: "2026-03-09"
detection: regex
auto_fixable: true
- id: go-sec-004
title: "Non-constant-time authentication comparison"
severity: critical
languages: [go]
tags: [security, timing-attack]
pattern: '==\s*\w*(token|key|secret|password|hash|digest|hmac|mac|sig)'
exclude_pattern: 'subtle\.ConstantTimeCompare|hmac\.Equal'
fix: "Use subtle.ConstantTimeCompare() or hmac.Equal() for timing-safe comparison"
found_in: [go-crypt]
example_bad: 'if token == expectedToken {'
example_good: 'if subtle.ConstantTimeCompare([]byte(token), []byte(expectedToken)) == 1 {'
first_seen: "2026-03-09"
detection: regex
auto_fixable: false
- id: go-sec-005
title: "Log injection via string concatenation"
severity: medium
languages: [go]
tags: [security, injection]
pattern: 'log\.\w+\(.*\+.*\)'
exclude_pattern: 'strings\.ReplaceAll.*\\n|slog\.'
fix: "Use structured logging (slog) with named fields instead of string concatenation"
found_in: [go-log]
example_bad: 'log.Info("user logged in: " + username)'
example_good: 'slog.Info("user logged in", "username", username)'
first_seen: "2026-03-09"
detection: regex
auto_fixable: true
- id: go-sec-006
title: "Secrets leaked in log output"
severity: critical
languages: [go]
tags: [security, secrets]
pattern: 'log\.\w+\(.*(?i)(password|secret|token|apikey|private.?key|credential)'
exclude_pattern: 'REDACTED|\*\*\*|redact'
fix: "Redact sensitive values before logging, or use a structured logger with field redaction"
found_in: [go-config]
example_bad: 'log.Debug("auth token: " + token)'
example_good: 'log.Debug("auth token: [REDACTED]")'
first_seen: "2026-03-09"
detection: regex
auto_fixable: false
Reference in a new issue View git blame Copy permalink