Go 1.0 Fixers
API Usage Issues (8):
Canonicalize Call To recover() – Check that the built-in recover() function is called properly: it only stops a panic when it is called directly from a deferred function, not from a function that the deferred function calls, so a misplaced call returns nil and the panic continues.
Check Special Method Signature – The signatures of methods implementing well-known interfaces (for example String() string for fmt.Stringer or Error() string for error) must match the interface exactly; a method whose signature differs silently fails to satisfy the interface.
Detect Context Leak – The cancel function returned by context.WithCancel, context.WithTimeout and context.WithDeadline must be called on every return path, usually with defer cancel(). Discarding it leaks the derived context and its timer until the parent is canceled or the deadline fires.
Detect Wrong References To Loop Variables From A Defer Statement – A function deferred inside a loop should not close over the loop variables. The deferred calls run only when the enclosing function returns and, before Go 1.22, all iterations shared a single variable, so every call observed its final value. Pass the values as arguments to the deferred function instead. (Modules that declare go 1.22 or later get a fresh variable per iteration, but the deferred calls still run late.)
Use Better API for Case Insensitive String Equality Check – A case-insensitive string comparison should not be done by converting both sides to lower or upper case; that allocates two new strings and is not the same as Unicode case folding. Use strings.EqualFold, which compares under Unicode simple case folding without allocating.
Use Efficient Regular Expression Matching – Calling regexp.Match, regexp.MatchReader or regexp.MatchString inside a loop is inefficient because each call parses and compiles the pattern again. Compile the pattern once (regexp.MustCompile at package level, or regexp.Compile outside the loop) and call the methods of the resulting *regexp.Regexp.
Use Pointer Argument – Some library functions require a pointer or an interface value and fail at run time when given a plain value; json.Unmarshal, for example, returns an *json.InvalidUnmarshalError when its destination is not a non-nil pointer.
Use Server Timeout – Servers should be configured with timeouts. The zero values of http.Server's ReadTimeout, ReadHeaderTimeout, WriteTimeout and IdleTimeout mean no timeout at all (which is what http.ListenAndServe uses), so a slow or idle client can hold a connection and its goroutine indefinitely.
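The context-leak, regular-expression and server-timeout entries above in working form, as an added example that is not code from the page or from the fixer vendor. The names leakyRunWithTimeout, runWithTimeout, countIPv4Lines and newServer, the sample log lines and the timeout durations are assumptions for this illustration; the leaky variant is kept beside the fixed one so the difference is observable from the returned context.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
	"time"
)

// leakyRunWithTimeout is the pattern the context-leak fixer flags: the cancel
// function is discarded, so the timer and the derived context stay alive
// after fn returns, until the deadline fires.
func leakyRunWithTimeout(parent context.Context, d time.Duration, fn func(context.Context) error) (context.Context, error) {
	ctx, _ := context.WithTimeout(parent, d)
	return ctx, fn(ctx)
}

// runWithTimeout is the corrected form: deferring cancel releases the timer
// and the derived context on every return path as soon as fn returns.
func runWithTimeout(parent context.Context, d time.Duration, fn func(context.Context) error) (context.Context, error) {
	ctx, cancel := context.WithTimeout(parent, d)
	defer cancel()
	return ctx, fn(ctx)
}

// ipv4Re is compiled once at package initialisation. Calling
// regexp.MatchString(pattern, line) inside the loop below would parse and
// compile the same pattern again on every iteration.
var ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)

// countIPv4Lines returns how many lines contain an IPv4-looking token.
func countIPv4Lines(lines []string) int {
	n := 0
	for _, l := range lines {
		if ipv4Re.MatchString(l) {
			n++
		}
	}
	return n
}

// newServer sets the http.Server timeouts that default to zero, meaning no
// limit, so a slow or idle client cannot hold a connection open forever.
// The durations are illustrative; tune them to the service.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 5 * time.Second,  // bounds header trickling (Slowloris)
		ReadTimeout:       10 * time.Second, // whole request, body included
		WriteTimeout:      30 * time.Second, // response must be written by then
		IdleTimeout:       60 * time.Second, // keep-alive connections between requests
	}
}

func main() {
	noop := func(context.Context) error { return nil }
	leaked, _ := leakyRunWithTimeout(context.Background(), time.Hour, noop)
	fixed, _ := runWithTimeout(context.Background(), time.Hour, noop)
	fmt.Println("leaky ctx still live:", leaked.Err() == nil)             // true
	fmt.Println("fixed ctx released:", fixed.Err() == context.Canceled) // true

	// Constructed sample log lines.
	lines := []string{"accept from 10.0.0.7", "healthcheck ok", "deny 192.168.1.3 port 22"}
	fmt.Println("lines with an IPv4 token:", countIPv4Lines(lines)) // 2

	srv := newServer(":8443", http.NotFoundHandler())
	fmt.Println("read header timeout:", srv.ReadHeaderTimeout)
}
```

The derived context returned by the leaky variant still reports no error after the call, which is exactly the lingering timer and context that go vet's lostcancel analyzer warns about; the fixed variant's context is already canceled when the caller sees it.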
Broken Authentication (4):
Fix Hard-coded Key – Cryptographic keys or other credentials should not be hard-coded in the source code: an attacker can recover the string or byte-array literal from the source or from the compiled binary (strings(1) is enough). Load them from the environment, a file with restricted permissions or a secrets manager at run time. Fixes CWE-798, OWASP A7-Identification and Authentication Failures.
Fix Hard-coded Password – User passwords should not be hard-coded in the source code, for the same reason: the literal can be extracted from the source or the binary. Fixes CWE-259, OWASP A7-Identification and Authentication Failures.
Prevent Session Fixation – Creating a session cookie from untrusted data, such as a session identifier supplied in the request, lets an attacker fix the identifier in advance and then share the victim's authenticated session. Generate a fresh identifier with crypto/rand at the moment the user authenticates. Fixes CWE-384, OWASP A7-Identification and Authentication Failures.
Validate Certificates Properly – X.509 certificates must be validated during TLS authentication. Setting tls.Config.InsecureSkipVerify to true disables both chain and hostname verification and lets any man-in-the-middle impersonate the server. Fixes CWE-295, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration, OWASP A7-Identification and Authentication Failures.
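A login handler with the session-fixation bug beside its corrected form, as an added example that is not code from the page or from the fixer vendor. The cookie name sid, the attacker-planted identifier and the use of net/http/httptest to drive the handlers are assumptions for this illustration; the corrected handler also sets the HttpOnly and Secure flags on the cookie it issues.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const sessionCookie = "sid"

// newSessionID returns 128 bits from crypto/rand, URL-safe base64 encoded.
func newSessionID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system CSPRNG is not something to continue past
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// vulnerableLogin (the bug) accepts a session identifier the client supplies
// and promotes it to the authenticated session. An attacker who gets the
// victim to follow a link carrying ?sid=<known value> now shares that session.
func vulnerableLogin(w http.ResponseWriter, r *http.Request) {
	sid := r.URL.Query().Get(sessionCookie)
	if sid == "" {
		sid = newSessionID()
	}
	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: sid})
}

// fixedLogin ignores anything the client offers and mints a fresh identifier
// at the moment of authentication, so a pre-set value is never honoured.
func fixedLogin(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookie,
		Value:    newSessionID(),
		Path:     "/",
		HttpOnly: true, // not readable from script
		Secure:   true, // only sent over TLS
		SameSite: http.SameSiteLaxMode,
	})
}

// issuedSession drives a handler with a login request that carries an
// attacker-chosen sid and returns the session cookie the handler set.
func issuedSession(h http.HandlerFunc, attackerSID string) *http.Cookie {
	req := httptest.NewRequest(http.MethodPost, "/login?sid="+attackerSID, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	for _, c := range rec.Result().Cookies() {
		if c.Name == sessionCookie {
			return c
		}
	}
	return nil
}

func main() {
	const planted = "attacker-knows-this" // constructed attacker-chosen id
	fmt.Println("vulnerable handler kept planted id:", issuedSession(vulnerableLogin, planted).Value == planted) // true
	c := issuedSession(fixedLogin, planted)
	fmt.Printf("fixed handler: value=%q httponly=%v secure=%v\n", c.Value, c.HttpOnly, c.Secure)
}
```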
Concurrency Issues (3):
Canonicalize Operations For atomic Package – Assigning the result of an atomic operation back to the same variable, as in x = atomic.AddInt64(&x, 1), adds a plain, unsynchronised store after the atomic read-modify-write and so breaks the atomicity. Use the operation's result directly, and read the variable with atomic.LoadInt64. go vet's atomic check reports this pattern. Fixes CWE-362.
Detect Empty Critical Section – A critical section surrounded by a lock and unlock should not be empty; it guards nothing, and usually the code that needed the lock ended up outside it.
Detect Wrong References To Loop Variables From A Goroutine – A goroutine started inside a loop should not close over the loop variables: before Go 1.22 every iteration shared one variable, so the goroutines raced with the loop and observed whichever value it held when they ran. Pass the values as goroutine arguments or copy them into a per-iteration variable; modules that declare go 1.22 or later get a fresh variable per iteration. Fixes CWE-362.
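The atomic-counter and loop-variable entries above in one worker fan-out, as an added example that is not code from the page or from the fixer vendor. fanOut and its shape are assumptions for this illustration; the two wrong forms it avoids are described in its comment rather than compiled, because go vet would (rightly) reject one of them.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
	"sync/atomic"
)

// fanOut starts n goroutines. Each increments a shared counter through the
// atomic package and records which loop iteration started it. It returns
// the final counter and the sorted list of recorded indices.
//
// Two things it deliberately avoids:
//   - counter = atomic.AddInt64(&counter, 1): the plain store after the
//     atomic add is a second, unsynchronised write to the same word and
//     races with the other goroutines (go vet's atomic check reports it).
//   - closing over the loop variable i: before Go 1.22 every iteration
//     shared one i, so goroutines saw whatever it held when they ran.
//     Passing i as an argument gives each goroutine its own copy on any
//     Go version.
func fanOut(n int) (int64, []int) {
	var counter int64
	var mu sync.Mutex
	seen := make([]int, 0, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(idx int) {
			defer wg.Done()
			atomic.AddInt64(&counter, 1) // result not written back to counter
			mu.Lock()
			seen = append(seen, idx) // the append is the critical section
			mu.Unlock()
		}(i)
	}
	wg.Wait()
	sort.Ints(seen)
	return atomic.LoadInt64(&counter), seen
}

func main() {
	total, seen := fanOut(8)
	fmt.Println("counter:", total, "indices:", seen) // counter: 8 indices: [0 1 2 3 4 5 6 7]
}
```

Run it under go test -race or go run -race to confirm the detector stays quiet; changing the goroutine to close over i directly (on a pre-1.22 toolchain) or to assign the AddInt64 result back to counter is enough to make it report.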
Improper Access Control (5):
Fix Hard-coded IP Address – IP addresses should not be hard-coded in the source code; read them from configuration so that they can change per environment without a rebuild and are not disclosed by the binary. Fixes OWASP A1-Broken Access Control.
Fix Hard-coded State – Do not pass a hard-coded value as the state parameter of AuthCodeURL in an OAuth 2.0 flow. Generate an unguessable value per authorization request, store it in the user's session and compare it with the state echoed back in the redirect callback; a constant state cannot be validated and leaves the callback open to cross-site request forgery. Fixes CWE-352, OWASP A1-Broken Access Control.
Prevent Binding To All Interfaces – A listening socket should bind only to the interface that needs to serve traffic. Listening on 0.0.0.0, "::" or an empty host (":8080") exposes the service on every interface, including public ones. Fixes CWE-200, OWASP A1-Broken Access Control.
Prevent Untrusted File Extraction – Extracting an archive received from an untrusted source may lead to a denial of service: the archive can be tiny while its decompressed content is enormous (a zip bomb). The size recorded in the archive header is attacker-controlled, so enforce a decompression budget while reading rather than trusting it. Identifies potential denial-of-service opportunities through a zip bomb. Fixes CWE-409, OWASP A1-Broken Access Control, OWASP A5-Security Misconfiguration.
Prevent URL Redirection – Using untrusted user-provided data as the target of an HTTP redirect leads to an open redirect: the attacker hands the user a link on the trusted site that lands on a malicious one and phishes the user's credentials. Accept only relative paths on the same site (or an allow-list of targets) and reject absolute URLs and protocol-relative targets such as //evil.example. Identifies potential open redirection opportunities. Fixes CWE-601, OWASP A1-Broken Access Control.
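The open-redirect check and a bounded archive extraction, covering the "Prevent URL Redirection" and "Prevent Untrusted File Extraction" entries above, as an added example that is not code from the page or from the fixer vendor. safeRedirect, extractBounded, the 1 MiB budget and the in-memory archive built by buildZip are assumptions for this illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// safeRedirect returns the post-login target to send a user to. It accepts
// only a path local to this site and refuses anything a browser would
// interpret as another host: absolute URLs, scheme-only forms such as
// javascript:, protocol-relative "//host" and backslash variants, which
// browsers normalise to slashes.
func safeRedirect(raw string) (string, bool) {
	if strings.Contains(raw, "\\") || strings.HasPrefix(raw, "//") {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return "", false
	}
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", false
	}
	return u.String(), true
}

// maxEntryBytes is the assumed per-member decompression budget.
const maxEntryBytes = 1 << 20

var errTooLarge = errors.New("archive entry exceeds extraction budget")

// extractBounded decompresses every regular file in an in-memory zip and
// returns the total decompressed size. It never consults the size fields
// in the archive (the attacker wrote them); it reads at most one byte past
// the budget and stops as soon as a member proves larger.
func extractBounded(zipBytes []byte) (int64, error) {
	zr, err := zip.NewReader(bytes.NewReader(zipBytes), int64(len(zipBytes)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range zr.File {
		if f.FileInfo().IsDir() {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		n, err := io.Copy(io.Discard, io.LimitReader(rc, maxEntryBytes+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		if n > maxEntryBytes {
			return total, errTooLarge
		}
		total += n
	}
	return total, nil
}

// buildZip returns a constructed archive with one member of size zero bytes;
// runs of zeros deflate to roughly a thousandth of their size, which is
// what makes a zip bomb cheap to send.
func buildZip(name string, size int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(name)
	w.Write(make([]byte, size))
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, target := range []string{"/account", "//evil.example", "https://evil.example/", "/\\evil.example"} {
		dest, ok := safeRedirect(target)
		fmt.Printf("%-22q accepted=%v dest=%q\n", target, ok, dest)
	}
	bomb := buildZip("bomb.bin", 8<<20) // 8 MiB of zeros
	n, err := extractBounded(bomb)
	fmt.Printf("bomb: %d bytes on the wire, extracted %d, err=%v\n", len(bomb), n, err)
}
```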
Improper Method Call (1):
Fix Nil Context – A nil context.Context should never be passed to a function; the context package documents that callers must not pass nil even where a function tolerates it. Pass context.TODO() when it is unclear which context to use and context.Background() at the top level.
Inappropriate Logic (6):
Avoid Self Assignment – Assigning a variable to itself has no effect and usually indicates an unintentional mistake, such as a mistyped field or parameter name in a constructor.
Avoid Silly Equality Checks – A comparison or logical operation with identical operands on both sides (x == x, a && a) is almost certainly wrong; the one deliberate use, x != x to test for NaN, is better written as math.IsNaN(x).
Avoid Useless Length Or Capacity Comparison – The length of a string, array, slice, map or channel, and the capacity of an array, slice or channel, is never negative, so testing whether len(x) or cap(x) is greater than or equal to zero (always true) or less than zero (always false) is unnecessary and hides the condition that was actually meant, usually > 0 or == 0.
Avoid Useless Nil Check – Comparing a declared function (as opposed to a variable of function type) to nil is always false, so the check is useless; go vet's nilfunc analyzer reports it.
Avoid Useless Unsigned Integer Comparison – An unsigned integer is never negative, so testing whether it is greater than or equal to zero (always true) or less than zero (always false) is unnecessary; a countdown loop such as for i := n - 1; i >= 0; i-- with an unsigned i never terminates.
Fix Equality Check For reflect.Value – Two reflect.Value values should not be compared with ==; that compares the Value structs themselves, not the values they hold. Use reflect.DeepEqual on the underlying values, v.Equal(w) (Go 1.20 and later), or compare the results of Interface().
Injection (9):
Prevent Cross-Site Scripting – When endpoints reflect tainted, user-provided data such as POST content or URL parameters back into a page, attackers can inject script that runs in the victim's browser. Render HTML with html/template, which escapes each value for the context it lands in (element text, attribute, URL, script); text/template and string concatenation perform no escaping. Identifies potential cross-site scripting (XSS) opportunities. Fixes CWE-79, CWE-80, CWE-81, CWE-82, CWE-83, CWE-84, CWE-85, CWE-86, CWE-87, OWASP A3-Injection.
Prevent Email Content Injection – User-generated content should not be placed directly into an email message; a newline in a value used for a header lets the attacker add headers and recipients of their own.
Prevent Log Injection – User-provided, untrusted data should not be written into logs unchanged: embedded newlines and control characters let an attacker forge log entries and corrupt the log file structure. Strip or escape them (fmt's %q verb quotes them). Fixes CWE-117, OWASP A3-Injection, OWASP A9-Security Logging and Monitoring Failures.
Prevent OS Command Injection – Applications that run operating system commands should not build the command or its parameters from untrusted user-provided data. Pass arguments as separate strings to exec.Command rather than through a shell (sh -c), and validate any value that becomes an argument. Identifies potential OS command injection opportunities. Fixes CWE-77, CWE-78, CWE-88, OWASP A3-Injection.
Prevent Path Manipulation – Constructing file system paths from untrusted user-provided data such as POST content or URL parameters lets attackers inject path traversal sequences such as .. to reach files they are not otherwise allowed to access. Clean the joined path and verify that it still lies inside the intended base directory before opening it. Identifies potential path manipulation opportunities. Fixes CWE-22, CWE-23, CWE-36, CWE-99, CWE-641, OWASP A3-Injection, OWASP A1-Broken Access Control.
Prevent Server-Side Request Forgery – User-provided, untrusted data should not be used to fetch remote resources; an attacker can direct the server to an unexpected destination, including internal services and cloud metadata endpoints. Fixes CWE-20, CWE-641, CWE-918, OWASP A10-Server-Side Request Forgery (SSRF).
Prevent SQL Injection – Building SQL queries by concatenating untrusted user-provided data, e.g. URL parameters, lets attackers inject code in place of data and change the meaning of the query. Use parameterized queries (database/sql placeholders with the values passed as arguments). Identifies potential SQL injection opportunities. Fixes CWE-20, CWE-89, CWE-943, OWASP A3-Injection.
Prevent Untrusted Deserialization – Deserializing untrusted user-provided data may let an attacker supply crafted objects that lead to remote code execution, denial of service and so on. Checks that deserialization is performed on trusted data only. Fixes CWE-502, OWASP A8-Software and Data Integrity Failures.
Prevent XPath Injection – Constructing XPath expressions from untrusted user-provided data such as POST content or URL parameters lets attackers inject crafted values that change how the expression is interpreted. Identifies potential XPath injection opportunities. Fixes CWE-643, OWASP A3-Injection.
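The path-manipulation and cross-site-scripting entries as working code, an added example that is not from the page or from the fixer vendor. safeJoin, renderGreeting, the hypothetical /srv/data base directory and the page template are assumptions for this illustration; the unsafe variant renders the same template with text/template purely to show the escaping that html/template adds.

```go
package main

import (
	"fmt"
	"html/template"
	"path/filepath"
	"strings"
	texttemplate "text/template"
)

// safeJoin resolves userPath beneath base and refuses anything that escapes
// base once the path is cleaned. filepath.Join(base, userPath) on its own is
// the vulnerable form: "../../etc/passwd" simply walks out of base.
func safeJoin(base, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", fmt.Errorf("absolute path %q not allowed", userPath)
	}
	base = filepath.Clean(base)
	full := filepath.Join(base, userPath) // Join cleans, collapsing ".." segments
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %q", userPath, base)
	}
	return full, nil
}

// pageSrc is a constructed page that places the user's name in element text
// and in a URL query. html/template escapes for each of those contexts;
// text/template emits the value verbatim and reflects any script it holds.
const pageSrc = `<p>Hello, {{.}}</p><a href="/profile?name={{.}}">profile</a>`

var (
	safePage   = template.Must(template.New("p").Parse(pageSrc))
	unsafePage = texttemplate.Must(texttemplate.New("p").Parse(pageSrc))
)

// renderGreeting renders the page with html/template (the fixed form).
func renderGreeting(name string) (string, error) {
	var b strings.Builder
	if err := safePage.Execute(&b, name); err != nil {
		return "", err
	}
	return b.String(), nil
}

// renderGreetingUnsafe renders the same page with text/template (the bug).
func renderGreetingUnsafe(name string) (string, error) {
	var b strings.Builder
	if err := unsafePage.Execute(&b, name); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	for _, p := range []string{"reports/q1.csv", "../../etc/passwd", "reports/../../.ssh/id_ed25519"} {
		full, err := safeJoin("/srv/data", p)
		fmt.Printf("%-32q -> %q %v\n", p, full, err)
	}
	payload := `<script>alert(1)</script>` // constructed attacker input
	raw, _ := renderGreetingUnsafe(payload)
	escaped, _ := renderGreeting(payload)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", escaped)
}
```

The html/template output carries the payload as &lt;script&gt;alert(1)&lt;/script&gt; in the paragraph and percent-encoded in the href, while the text/template output contains the script tag intact; the path checks assume the Unix separator the sample base directory implies.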
Security Misconfiguration Issues (2):
Avoid Permissive Cross-Origin Resource Sharing (CORS) Policy – Cross-Origin Resource Sharing (CORS) is an HTTP header-based mechanism by which a server declares which origins other than its own may load its resources. A loose policy, such as reflecting whatever Origin the request carries into Access-Control-Allow-Origin, should not be set; match the Origin against an explicit allow-list. Fixes CWE-346, CWE-942, OWASP A5-Security Misconfiguration, OWASP A7-Identification and Authentication Failures.
Check Insecure JSON Web Token (JWT) – A JSON Web Token (JWT) should not be signed with the none algorithm, and a verifier must not let the token's own header choose the algorithm: a token whose alg is none carries no signature at all and is accepted by any verifier that honours the header. Fixes CWE-327, OWASP A2-Cryptographic Failures.
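A minimal HS256 verifier that refuses alg none, beside the Origin allow-list the CORS entry calls for, as an added example that is not code from the page or from the fixer vendor. signHS256, verifyHS256, forgeNone, corsHeaders, the allow-list and the sample key and claims are assumptions for this illustration; a production service would use a maintained JWT library configured with a fixed set of accepted algorithms rather than this hand-rolled parser.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	errMalformed = errors.New("jwt: malformed token")
	errAlg       = errors.New("jwt: unacceptable alg")
	errSignature = errors.New("jwt: bad signature")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 issues a token for the demonstration. The issuer fixes the alg;
// nothing here ever emits "none".
func signHS256(claims map[string]any, key []byte) string {
	payload, _ := json.Marshal(claims)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// forgeNone is what an attacker submits: the same claims, alg set to none
// and an empty signature. A verifier that takes the algorithm from the
// header accepts it without checking anything.
func forgeNone(claims map[string]any) string {
	payload, _ := json.Marshal(claims)
	return b64([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + b64(payload) + "."
}

// verifyHS256 decides the algorithm itself: the header must say HS256 and
// the signature must match under key, compared in constant time. Anything
// else, "none" included, is rejected before the claims are decoded.
func verifyHS256(token string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errMalformed
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, errMalformed
	}
	if hdr.Alg != "HS256" {
		return nil, errAlg
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errMalformed
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errSignature
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errMalformed
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, errMalformed
	}
	return claims, nil
}

// allowedOrigins is the constructed CORS allow-list for this example.
var allowedOrigins = map[string]bool{"https://app.example.com": true}

// corsHeaders returns the CORS response headers for a request's Origin, or
// nil when the origin is not allow-listed. Echoing every Origin back into
// Access-Control-Allow-Origin together with Allow-Credentials would let any
// site call the API with the user's cookies; only exact matches are reflected.
func corsHeaders(origin string) map[string]string {
	if !allowedOrigins[origin] {
		return nil
	}
	return map[string]string{
		"Access-Control-Allow-Origin":      origin,
		"Access-Control-Allow-Credentials": "true",
		"Vary":                             "Origin",
	}
}

func main() {
	key := []byte("constructed-test-key")
	claims := map[string]any{"sub": "alice"}
	_, err := verifyHS256(signHS256(claims, key), key)
	fmt.Println("genuine token:", err) // <nil>
	_, err = verifyHS256(forgeNone(claims), key)
	fmt.Println("alg=none token:", err) // jwt: unacceptable alg
	fmt.Println("evil origin headers:", corsHeaders("https://evil.example")) // map[]
}
```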
Sensitive Data Exposure (2):
Prevent Sensitive Data Exposure Through Stack Trace – A stack trace should not be attached to an error message returned to the client, since it exposes internal details such as file paths, package layout and library versions. Log it server-side and return a generic message. Fixes CWE-209, CWE-497, OWASP A4-Insecure Design.
Prevent Sensitive Data Leakage – Data leakage occurs when sensitive information reaches a party that should not receive it, whether inside or outside the organization. Any sensitive value that flows into a sink such as a response body, a log line, an error message or a plaintext network connection is a threat. Fixes CWE-200, CWE-201, CWE-319, OWASP A1-Broken Access Control, OWASP A2-Cryptographic Failures.
Weak Cryptography Issues (7):
Check Insecure SSH – Before an SSH connection is established, the client configuration must verify the host key presented by the server rather than trusting it blindly. With golang.org/x/crypto/ssh that means a ClientConfig.HostKeyCallback backed by a known_hosts file (the knownhosts package) instead of ssh.InsecureIgnoreHostKey(). Fixes CWE-322, OWASP A2-Cryptographic Failures.
Generate Robust Keys – Generate cryptographic keys with enough bits to withstand brute-force cryptanalysis: at least 2048 bits for RSA, and the NIST P-256 curve or stronger for ECDSA. Fixes CWE-326, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration.
Protect Session Cookies – A session cookie should be created with the HttpOnly and Secure flags set. HttpOnly prevents client-side scripts from reading the cookie, and Secure ensures the browser sends it only over an encrypted connection; a SameSite attribute additionally limits cross-site sending. Fixes CWE-79, CWE-311, CWE-315, CWE-614, CWE-1004, OWASP A2-Cryptographic Failures, OWASP A3-Injection.
Replace Random Generator – A weak random number generator should be replaced with a cryptographically secure one: math/rand is predictable and unsuitable for session identifiers, tokens, nonces and keys; use crypto/rand. Fixes CWE-330, CWE-332, CWE-336, CWE-337, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration.
Use Secure Socket Protocol – TLS configurations should use a secure protocol version, TLS 1.2 or TLS 1.3; set tls.Config.MinVersion to tls.VersionTLS12 explicitly rather than relying on the toolchain's default. Fixes CWE-326, CWE-327, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration.
Use Strong Cipher Algorithms – Data transfer protocols should use strong cipher algorithms. If a weak algorithm is used, the data is vulnerable to brute-force cryptanalysis. Fixes CWE-327, OWASP A2-Cryptographic Failures.
Use Strong Hash Function – Hashing should use a strong algorithm such as SHA-256 or SHA-3; MD5 and SHA-1 are collision-broken. For password storage even a strong fast hash is inadequate; use a deliberately slow password hashing function (bcrypt, scrypt or Argon2). Fixes CWE-327, CWE-328, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration.
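The corrected TLS client configuration, a crypto/rand token, a SHA-256 digest and a 2048-bit RSA key, covering the certificate-validation, protocol-version, cipher-suite, random-generator, key-size and hash entries above, as an added example that is not code from the page or from the fixer vendor. clientTLSConfig, token, fingerprint and newRSAKey are names assumed for this illustration, and the cipher-suite list is one reasonable choice rather than the only one.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"fmt"
)

// clientTLSConfig is the corrected form of two patterns the fixers flag:
// InsecureSkipVerify: true, which turns off chain and hostname verification,
// and an unset MinVersion, which leaves the floor to whatever the toolchain
// defaults to. TLS 1.3 suites are fixed by the library; CipherSuites only
// governs the TLS 1.2 handshake.
func clientTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName:         serverName, // name the certificate chain is checked against
		InsecureSkipVerify: false,
		MinVersion:         tls.VersionTLS12,
		CipherSuites: []uint16{ // AEAD suites with forward secrecy only
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// token returns n bytes from crypto/rand, hex encoded. math/rand is
// predictable from its seed and must not produce session ids, reset codes
// or nonces.
func token(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// fingerprint digests data with SHA-256. MD5 and SHA-1 are collision-broken
// and should not be used for integrity checks or signatures. (Passwords need
// a slow password hash such as bcrypt or Argon2, not a plain digest.)
func fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// newRSAKey generates a 2048-bit key, the commonly required minimum for RSA;
// 1024-bit keys are no longer considered adequate.
func newRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func main() {
	cfg := clientTLSConfig("api.example.com")
	fmt.Printf("verify=%v minVersion=%#x suites=%d\n", !cfg.InsecureSkipVerify, cfg.MinVersion, len(cfg.CipherSuites))
	t, _ := token(16)
	fmt.Println("token:", t)
	fmt.Println("sha256(abc):", fingerprint([]byte("abc"))) // ba7816bf...f20015ad
	key, err := newRSAKey()
	fmt.Println("rsa bits:", key.N.BitLen(), "err:", err) // 2048 <nil>
}
```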