G107 - SSRF #236
Merged
G107 - SSRF #236
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ccojocar
requested changes
Sep 3, 2018
|
@cschoenduve-splunk Please could you have a look at the unit tests? It seems that there are some tests which are failing. |
ccojocar
approved these changes
Sep 3, 2018
Closed
|
@ccojocar The error appears because I am using the go-resty library in one of the unit tests but I forgot that I already had the package on my local machine. I will remove that test because I do not think there is a way to add the package dependency through dep. |
|
@cschoenduve-splunk If you want to add |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is implementing the SSRF rule from PR 189. I have many small changes and added the ability to look at the last selector in a Call expression and compare that to the selectors passed in from net/http. This will catch wrapped clients as well as other libraries exposing GET/POST/HEAD/PUT methods. One downside is that it cannot resolve that selector's originating type and therefore may flag false positives. The current way of resolving the url variable also leads to some false positives but I have some ideas to fix this later.
Please let me know what you think.