Secure Go

Secure Go

  • Guidelines
  • Tools
  • Help
  • Blog

›Guidelines

Guidelines

  • About gosec's security rules
  • G101: Hardcoded credentials
  • G102: Bind to all interfaces
  • G103: Use of unsafe block
  • G104: Audit errors not checked
  • G107: Url provided to HTTP request as taint input
  • G201/G202: SQL query construction using format string/string concatenation
  • G304: File path provided as taint input

G104: Audit errors not checked

A really useful feature of Golang is the ability to return a tuple of a result and an error value from a function. There is an unspoken rule in Golang that the result of a function is unsafe until you make check the error value. Many security exploits can be performed when the error value is not checked.

Example code:

package main
import "fmt"
func test() (int,error) {
    return 0, nil
}
func main() {
    v, _ := test()
    fmt.Println(v)
}

other example:

package main

import (
    "fmt"
    "io/ioutil"
    "os"
)

func a() error {
    return fmt.Errorf("This is an error")
}

func b() {
    fmt.Println("b")
    ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive)
}

func c() string {
    return fmt.Sprintf("This isn't anything")
}

func main() {
    _ = a()
    a()
    b()
    c()
}

Gosec command line output

The Gosec output from the first example:

[examples/main.go:9] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW)
  > v, _ := test()

The output from the second example:

[examples/main.go:14] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW)
  > ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive)

[examples/main.go:20] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW)
  > _ = a()

[examples/main.go:21] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW)
  > a()

See also:

  • https://blog.golang.org/error-handling-and-go
  • https://blog.golang.org/errors-are-values
← G103: Use of unsafe blockG107: Url provided to HTTP request as taint input →
  • Example code:
  • Gosec command line output
  • See also:
Secure Go
Docs
Secure development guidelinesAPI Reference
Community
Stack OverflowSlack
More
BlogGitHub
Facebook Open Source
Copyright © 2020 Grant Murphy