
checker: go_cgi_import #73

Merged
sourya-deepsource merged 1 commit into DeepSourceCorp:master from Thiru-moorthi:go_cgi_import
Mar 7, 2025
@Thiru-moorthi Thiru-moorthi commented Feb 24, 2025

Description

This PR adds a new Go checker to detect the usage of the deprecated and insecure net/http/cgi package.

Detection Logic

This checker flags instances where:

  • The net/http/cgi package is imported in Go source files.

Impact

The net/http/cgi package is deprecated and insecure, posing risks such as:

  • Command Injection: CGI-based applications are more susceptible to command injection attacks.
  • Performance Issues: CGI introduces additional process creation overhead, making it inefficient compared to modern web frameworks.
  • Outdated Architecture: Modern web development favors more secure and scalable alternatives, such as HTTP handlers and middleware.

Recommended Alternative

Instead of net/http/cgi, use the net/http package to build modern, secure HTTP servers.

Insecure Example:
import "net/http/cgi"
Secure Example:
import "net/http"

Exclusions

To reduce noise, this checker does not flag occurrences in:

  • Test files (test/**, *_test.go, tests/**, __tests__/**)

References
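
The detection rule and exclusions described in this PR, sketched with Go's standard go/parser as an added example; it is not the checker merged here or the project's own code. The function names, the constructed sample source and the reading of the directory globs as relative to the repository root are assumptions.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"path"
	"strconv"
	"strings"
)

// sample is constructed input: one aliased cgi import plus a look-alike comment.
const sample = `package main
// import "net/http/cgi" in a comment is not an import.
import (
	"net/http"
	legacy "net/http/cgi"
)
`

// isExcluded applies the listed exclusions (globs assumed repo-root-relative).
func isExcluded(name string) bool {
	p := path.Clean(name)
	inTestDir := strings.HasPrefix(p, "test/") || strings.HasPrefix(p, "tests/") || strings.HasPrefix(p, "__tests__/")
	return inTestDir || strings.HasSuffix(p, "_test.go")
}

// findCGIImports returns the line of each net/http/cgi import in src.
func findCGIImports(filename, src string) ([]int, error) {
	if isExcluded(filename) {
		return nil, nil
	}
	fset := token.NewFileSet()
	// ImportsOnly stops after the import block, so only real imports are seen.
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var lines []int
	for _, imp := range f.Imports {
		// Unquote handles both "..." and raw-string import paths.
		if p, err := strconv.Unquote(imp.Path.Value); err == nil && p == "net/http/cgi" {
			lines = append(lines, fset.Position(imp.Path.Pos()).Line)
		}
	}
	return lines, nil
}

func main() {
	fmt.Println(findCGIImports("server/main.go", sample))
}
```

Matching on the parsed import path rather than on text means aliased, blank (`_`) and raw-string imports are all caught, while comments that mention the package are not.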

vercel bot commented Feb 24, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment
Name Status Preview Comments Updated (UTC)
globstar ⬜️ Ignored (Inspect) Visit Preview Feb 25, 2025 4:57pm

@sourya-deepsource sourya-deepsource merged commit 7c83be9 into DeepSourceCorp:master Mar 7, 2025
2 checks passed