go-directequality-checker

go-directequality-checker is a small tool that performs static analysis of a Go package to find places where struct fields are compared with direct equality (`==` or `!=`) when that is not appropriate. This is particularly useful if you want to ensure that certain fields, such as tokens or secrets, are only ever compared using a constant-time comparison.

Installation

Installing it is as simple as running

go get github.com/1password/go-directequality-checker

Usage

To use this tool, you first need to annotate each struct field that must not be compared with direct equality, using the tag security:"nodirectequality"

Example:

type User struct {
    VerificationToken string `db:"verification_token" security:"nodirectequality"`
}

Once you've annotated your field, you can run the tool via

go-directequality-checker path/to/go/package

If the tool finds any direct equality comparisons of annotated fields, it outputs the field name, the file and line of the comparison, and the offending expression, and recommends using a constant-time comparison function (i.e. crypto/subtle's ConstantTimeCompare):

[SECURITY] Found raw comparison of field 'VerificationToken'. Use constant time comparison function.
/Users/rfillion/go/src/go.1password.io/b5/server/src/logic/action/transfer.go:106
user.VerificationToken == token {
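The flagged pattern next to the replacement the tool recommends, as an added example that is not part of this repository. The struct mirrors the one above; `verifyTokenDirect`, `verifyTokenConstantTime` and the sample token value are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// User mirrors the README's struct; the tag marks VerificationToken as a
// field the checker must never see compared with == or !=.
type User struct {
	VerificationToken string `db:"verification_token" security:"nodirectequality"`
}

// verifyTokenDirect is the pattern the checker reports: Go's string == stops
// at the first differing byte, so the time taken depends on how much of the
// secret the caller guessed correctly.
func verifyTokenDirect(u User, token string) bool {
	return u.VerificationToken == token // flagged: raw comparison of VerificationToken
}

// verifyTokenConstantTime is the recommended replacement. ConstantTimeCompare
// returns 1 only when both inputs have equal length and content; it returns 0
// immediately when the lengths differ, so only the length (not the contents)
// of the stored token can be inferred from timing.
func verifyTokenConstantTime(u User, token string) bool {
	return subtle.ConstantTimeCompare([]byte(u.VerificationToken), []byte(token)) == 1
}

func main() {
	u := User{VerificationToken: "tok-1234"} // constructed sample value
	for _, candidate := range []string{"tok-1234", "tok-9999", "tok-123"} {
		fmt.Printf("%q direct=%v constant-time=%v\n", candidate,
			verifyTokenDirect(u, candidate), verifyTokenConstantTime(u, candidate))
	}
}
```

Running the checker over a package containing `verifyTokenDirect` produces a report like the one above; the constant-time form is not reported.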
