Secure Go

G102: Bind to all interfaces

Binding to all network interfaces can expose a service to traffic on unintended interfaces that may not be properly documented or secured. This plugin test looks for the string pattern “0.0.0.0”, which may indicate a hardcoded binding to all network interfaces.

Example code:

package main

import (
    "log"
    "net"
)

func main() {
    l, err := net.Listen("tcp", "0.0.0.0:2000") // flagged by G102: listens on every interface
    if err != nil {
        log.Fatal(err)
    }
    defer l.Close()
}

Gosec command line output

[examples/main.go:9] - G102: Binds to all network interfaces (Confidence: HIGH, Severity: MEDIUM)
  > net.Listen("tcp", "0.0.0.0:2000")
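The following is an added example, not code from the gosec project or this page, showing the hardened counterpart of the flagged snippet: the listen host is validated before use, a wildcard bind is rejected unless the operator opts in explicitly, and the default is the loopback address. Note that G102 only pattern-matches the literal “0.0.0.0”; an empty host (":2000") or "::" also binds every interface in Go, so the check below covers those forms too. The BIND_HOST and BIND_ALL_INTERFACES environment variables, ErrWildcardBind, listenAddr and listenLoopback are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"os"
)

// ErrWildcardBind is returned when a configured listen address would bind
// every interface and the caller has not opted in to that explicitly.
var ErrWildcardBind = errors.New("refusing to bind all interfaces; set BIND_HOST to a specific address or BIND_ALL_INTERFACES=1")

// isWildcard reports whether host would bind to every interface. It covers
// the literal 0.0.0.0 and :: forms (the former is what G102 pattern-matches)
// as well as an empty host, which Go also treats as "all interfaces".
// The host is expected without surrounding brackets.
func isWildcard(host string) bool {
	if host == "" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsUnspecified()
}

// listenAddr builds host:port for net.Listen, allowing a wildcard host only
// when allowAll is set. Returning an error rather than silently widening the
// bind keeps the decision visible in configuration and in logs.
func listenAddr(host string, port int, allowAll bool) (string, error) {
	if isWildcard(host) && !allowAll {
		return "", ErrWildcardBind
	}
	return net.JoinHostPort(host, fmt.Sprint(port)), nil
}

// listenLoopback is the hardened counterpart of the flagged example: it
// listens on 127.0.0.1 only and returns the listener. Port 0 asks the kernel
// for a free port, which makes the function safe to exercise in a test.
func listenLoopback(port int) (net.Listener, error) {
	addr, err := listenAddr("127.0.0.1", port, false)
	if err != nil {
		return nil, err
	}
	return net.Listen("tcp", addr)
}

func main() {
	// Assumed configuration surface for this example: the bind host comes from
	// BIND_HOST (default loopback) and a wildcard bind needs an explicit opt-in.
	host, set := os.LookupEnv("BIND_HOST")
	if !set {
		host = "127.0.0.1"
	}
	allowAll := os.Getenv("BIND_ALL_INTERFACES") == "1"

	addr, err := listenAddr(host, 2000, allowAll)
	if err != nil {
		log.Fatal(err)
	}
	l, err := net.Listen("tcp", addr)
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
	log.Printf("listening on %s", l.Addr())
}
```

Running this with no environment set listens on 127.0.0.1:2000; setting BIND_HOST=0.0.0.0 without BIND_ALL_INTERFACES=1 exits with ErrWildcardBind, so a wildcard bind can only happen as a deliberate, reviewable configuration choice rather than a hardcoded literal.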

See also

  • https://nvd.nist.gov/vuln/detail/CVE-2018-1281
Copyright © 2020 Grant Murphy