GoSec Scan Findings Log
G304
Potential file inclusion via variable
Where does the path come from? Unless you are certain it can never carry user input, sanitize it before use and anchor it under a known prefix, for example:
// Join cleans the result ("." and ".." segments are collapsed) and pins it under basePath.
filePath = filepath.Join(basePath, filepath.Clean(filePath))
f, err := os.Open(filePath)

Keep in mind that filepath.Clean does not remove a leading "..": Clean("../etc/passwd") is still "../etc/passwd", and Join will happily walk above basePath with it. The Join silences the warning, but the real control is a check that the joined result is still inside basePath.
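As an added example (not code from the original post), the check that actually enforces the boundary: a small safeJoin that joins the untrusted name under the base directory and then verifies, via filepath.Rel, that the result has not escaped. The base directory /srv/app/data and the sample names are assumptions for illustration only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes base directory")

// safeJoin resolves an untrusted relative name inside base and refuses any
// result that would land outside base. filepath.Join already cleans the
// path, so the Rel check below is what rejects "../../etc/passwd".
// An absolute name such as "/etc/passwd" is treated by Join as relative and
// therefore ends up inside base, which is safe.
func safeJoin(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideBase, name)
	}
	return target, nil
}

// openInBase is the G304 pattern: every os.Open on a user-supplied name
// goes through safeJoin first.
func openInBase(base, name string) (*os.File, error) {
	p, err := safeJoin(base, name)
	if err != nil {
		return nil, err
	}
	return os.Open(p)
}

func main() {
	// Hypothetical base directory and sample inputs (constructed).
	for _, name := range []string{"reports/q1.txt", "../../etc/passwd", "/etc/passwd", "a/../../x"} {
		p, err := safeJoin("/srv/app/data", name)
		fmt.Printf("%-20q -> %q err=%v\n", name, p, err)
	}
}
```

One caveat the check does not cover: a symlink already present under the base directory that points outside it. If the application lets users create files there, resolve the target with filepath.EvalSymlinks before the open and re-run the same comparison.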
G107
Potential HTTP request made with variable url
gosec wants the URL to be a constant. If it has to be built from a variable, parse it and check the scheme and host against an allowlist before making the request; otherwise whoever controls the value can point the server at internal addresses (SSRF). Redirects need the same check, since an allowlisted host can redirect to an internal one.
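An added example (not from the original post) of the validation gosec cannot see for itself: the URL string is parsed, must use http or https, must carry no credentials, and must point at an allowlisted host; the http.Client re-validates every redirect target so an allowed host cannot bounce the request to an internal address. The allowlist entries and sample URLs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"time"
)

var ErrURLNotAllowed = errors.New("url rejected by allowlist")

// checkURL is the gate between a variable URL and http.Get: scheme, userinfo
// and host are all checked before the string is used. Restrict the scheme to
// https in production; http is accepted here so a local test server works.
func checkURL(raw string, allowedHosts map[string]bool) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrURLNotAllowed, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: userinfo present", ErrURLNotAllowed)
	}
	if !allowedHosts[u.Host] {
		return nil, fmt.Errorf("%w: host %q", ErrURLNotAllowed, u.Host)
	}
	return u, nil
}

// newSafeClient re-validates each redirect target, so a 302 from an allowed
// host to something like 169.254.169.254 is refused before it is fetched.
func newSafeClient(allowedHosts map[string]bool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			_, err := checkURL(req.URL.String(), allowedHosts)
			return err
		},
	}
}

// safeGet fetches raw only after it passes checkURL; the body is capped at 1 MiB.
func safeGet(client *http.Client, raw string, allowedHosts map[string]bool) ([]byte, error) {
	u, err := checkURL(raw, allowedHosts)
	if err != nil {
		return nil, err
	}
	resp, err := client.Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20))
}

func main() {
	// Hypothetical allowlist and constructed inputs.
	allowed := map[string]bool{"api.example.com": true}
	for _, raw := range []string{
		"https://api.example.com/v1/users",
		"http://169.254.169.254/latest/meta-data/",
		"file:///etc/passwd",
		"https://user:pw@api.example.com/",
	} {
		_, err := checkURL(raw, allowed)
		fmt.Printf("%-45s %v\n", raw, err)
	}
}
```

The allowlist is keyed on the full Host field (name plus port), so "api.example.com:8443" is a separate entry; DNS rebinding is out of scope for this check and needs a resolver-level control.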
G601
Implicit memory aliasing in for loop
Do not take the address of the per-iteration temporary in a for loop; index into the slice instead. Before Go 1.22 the range variable is one variable reused on every iteration, so every &v points at the same memory; Go 1.22 makes it per-iteration, but the index form is correct under either semantics:
for i := range a {
	// &a[i] points at the slice element itself, not at a copy of it.
	_ = b.Add(&a[i])
}
G305
File traversal when extracting zip/tar archive
When walking an archive, the output path is built from the entry name stored inside the archive, and that name may contain ".." segments that traverse out of the destination directory (a "zip slip"). Clean the joined path with filepath.Clean (filepath.Join does this for you) and then verify the result still lies under the destination before writing anything; the clean alone does not reject a leading "..".
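An added example (not code from the original post) of an extractor that applies this check to every tar entry. The archive is built in memory from constructed entries, one of them with a traversal name, so it runs offline; the same Rel-based comparison applies unchanged to archive/zip entries.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("archive entry escapes destination")

// extractTar writes every regular file in r under dest and returns the paths
// written. The entry name is untrusted: after Join (which cleans it) the
// result must still be inside dest, otherwise "../escape.txt" would be
// written next to the extraction directory instead of in it.
func extractTar(r io.Reader, dest string) ([]string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(r)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		// Go 1.20+ can itself flag insecure names (GODEBUG tarinsecurepath=0);
		// the header is still valid, so let the explicit check below reject it.
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return written, err
		}
		target := filepath.Join(absDest, hdr.Name)
		rel, err := filepath.Rel(absDest, target)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return written, fmt.Errorf("%w: %q", ErrTraversal, hdr.Name)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o750); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o750); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o640)
			if err != nil {
				return written, err
			}
			// LimitReader caps a single entry so a hostile archive cannot fill the disk.
			_, err = io.Copy(f, io.LimitReader(tr, 64<<20))
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, target)
		default:
			// Symlinks and hard links are another escape route; they are skipped here.
		}
	}
}

// tarEntry and buildTar produce an in-memory archive (constructed test data).
type tarEntry struct{ Name, Body string }

func buildTar(entries []tarEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		tw.WriteHeader(&tar.Header{Name: e.Name, Mode: 0o640, Size: int64(len(e.Body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(e.Body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "extract")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	archive := buildTar([]tarEntry{{"docs/readme.txt", "hello"}, {"../escape.txt", "pwned"}})
	written, err := extractTar(bytes.NewReader(archive), dest)
	fmt.Println("written:", written)
	fmt.Println("error:", err)
}
```

Entries are processed in order, so files before the bad entry are already on disk when the error is returned; if partial extraction is unacceptable, walk the archive once for validation and a second time for writing.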
G301
Expect directory permissions to be 0750 or less
Unless there is a specific reason otherwise, give directories at most 0750 (the mode argument to os.Mkdir / os.MkdirAll); the process umask may narrow it further, never widen it.
This post is licensed under CC BY 4.0 by the author.