formatted-template-string.yaml
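---
# Semgrep audit rule for Go's html/template package. template.HTML() marks
# its argument as already-safe HTML, so the template engine does not escape
# it. This rule flags call sites where that argument is built at runtime
# (concatenation or a fmt.* formatting call) rather than being a fixed
# literal, because any user-controlled data that reaches such a string is
# rendered unescaped (CWE-79). It is an audit rule (confidence MEDIUM): each
# finding still needs a manual check that no untrusted input flows in.
rules:
  - id: formatted-template-string
    message: >-
      Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape
      contents. Be absolutely sure there is no user-controlled data in this template. If user data can
      reach this template, you may have a XSS vulnerability.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      # Quoted: these scalars contain ':' and ' - ', which some YAML loaders
      # or linters treat specially in plain style.
      owasp:
        - "A07:2017 - Cross-Site Scripting (XSS)"
        - "A03:2021 - Injection"
      references:
        - https://golang.org/pkg/html/template/#HTML
      category: security
      technology:
        - go
      confidence: MEDIUM
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
    languages: [go]
    severity: WARNING
    patterns:
      # Two string literals joined by '+' carry no runtime data; do not
      # report the direct-call form of that. Note this exclusion applies only
      # to the inline call, not to the assignment-based patterns below.
      - pattern-not: template.HTML("..." + "...")
      - pattern-either:
          # Concatenation written directly inside the call.
          - pattern: template.HTML($T + $X, ...)
          # Any fmt.* call with a literal format string passed directly.
          - pattern: template.HTML(fmt.$P("...", ...), ...)
          # A literal that is reassigned through some function before use.
          - pattern: |
              $T = "..."
              ...
              $T = $FXN(..., $T, ...)
              ...
              template.HTML($T, ...)
          # Single-value result of a fmt.* call stored, then passed.
          - pattern: |
              $T = fmt.$P("...", ...)
              ...
              template.HTML($T, ...)
          # Two-value assignment form of the same flow.
          - pattern: |
              $T, $ERR = fmt.$P("...", ...)
              ...
              template.HTML($T, ...)
          # Concatenation stored in a variable, then passed.
          - pattern: |
              $T = $X + $Y
              ...
              template.HTML($T, ...)
          # A literal used as a non-format argument of a two-value fmt.* call
          # whose first result is then passed. Block style unified to '|'
          # to match the other patterns (the trailing newline is irrelevant
          # to Semgrep's pattern matching).
          - pattern: |
              $T = "..."
              ...
              $OTHER, $ERR = fmt.$P(..., $T, ...)
              ...
              template.HTML($OTHER, ...)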