rules:
  - id: handler-assignment-from-multiple-sources
    metadata:
      cwe: "CWE-289: Authentication Bypass by Alternate Name"
      owasp: "A2: Broken Authentication"
      owaspapi: "API1: Broken Object Level Authorization"
      category: security
      technology:
        - gorilla
      confidence: MEDIUM
    patterns:
      - pattern-inside: |
          func $HANDLER(..., $R *http.Request, ...) {
            ...
          }
      - pattern-not: |
          $VAR = true
          ...
          $VAR = false
      - pattern-not: |
          $VAR = false
          ...
          $VAR = true
      - pattern-not: |
          $VAR = $X
          ...
          $VAR = $X
      - pattern-not: |
          $VAR = $X
          ...
          $VAR = $Z(..., $VAR, ...)
      - pattern-not: |
          $VAR = $X
          ...
          $VAR = $Z($W(..., $VAR, ...))
      - pattern-not: |
          $VAR = $X
          ...
          $VAR = $VAR[:$Z(..., $VAR, ...)]
      - pattern-not: |
          $VAR = $X
          ...
          $VAR = $VAR[$Z(..., $VAR, ...):]
      - pattern-not: |
          $VAR = $X
          ...
          $VAR = $VAR[$Z(..., $VAR, ...)]
      - pattern: |
          $VAR = $X
          ...
          $VAR = $Y
    message:
      "Variable $VAR is assigned from two different sources: '$X' and '$Y'. Make\
      \ sure this is intended, as this could cause logic bugs if they are treated as\
      \ they are the same object."
    languages: [go]
    severity: WARNING