mirror of
https://github.com/pushbits/server.git
synced 2025-06-12 15:42:14 +02:00
57 lines
1.5 KiB
YAML
57 lines
1.5 KiB
YAML
rules:
|
|
- id: handler-assignment-from-multiple-sources
|
|
metadata:
|
|
cwe: "CWE-289: Authentication Bypass by Alternate Name"
|
|
owasp: "A2: Broken Authentication"
|
|
owaspapi: "API1: Broken Object Level Authorization"
|
|
category: security
|
|
technology:
|
|
- gorilla
|
|
confidence: MEDIUM
|
|
patterns:
|
|
- pattern-inside: |
|
|
func $HANDLER(..., $R *http.Request, ...) {
|
|
...
|
|
}
|
|
- pattern-not: |
|
|
$VAR = true
|
|
...
|
|
$VAR = false
|
|
- pattern-not: |
|
|
$VAR = false
|
|
...
|
|
$VAR = true
|
|
- pattern-not: |
|
|
$VAR = $X
|
|
...
|
|
$VAR = $X
|
|
- pattern-not: |
|
|
$VAR = $X
|
|
...
|
|
$VAR = $Z(..., $VAR, ...)
|
|
- pattern-not: |
|
|
$VAR = $X
|
|
...
|
|
$VAR = $Z($W(..., $VAR, ...))
|
|
- pattern-not: |
|
|
$VAR = $X
|
|
...
|
|
$VAR = $VAR[:$Z(..., $VAR, ...)]
|
|
- pattern-not: |
|
|
$VAR = $X
|
|
...
|
|
$VAR = $VAR[$Z(..., $VAR, ...):]
|
|
- pattern-not: |
|
|
$VAR = $X
|
|
...
|
|
$VAR = $VAR[$Z(..., $VAR, ...)]
|
|
- pattern: |
|
|
$VAR = $X
|
|
...
|
|
$VAR = $Y
|
|
message:
|
|
"Variable $VAR is assigned from two different sources: '$X' and '$Y'. Make\
|
|
\ sure this is intended, as this could cause logic bugs if they are treated as\
|
|
\ they are the same object."
|
|
languages: [go]
|
|
severity: WARNING
|