
G201 and G202 do not check this #1260

Closed

onepiece-dz opened this issue Dec 5, 2024 · 1 comment

Comments

@onepiece-dz

Summary

G201 and G202 do not check this. Risky code:

package main

import (
	"fmt"

	"gorm.io/gorm" // gorm v2 import path, assumed from the *gorm.DB receiver used below
)

// User is a placeholder model; the original snippet does not show its definition.
type User struct {
	ID string
}

var db2 *gorm.DB // assumed to be initialised elsewhere in the application

func GetUserByID(id string) ([]User, error) {
	var users []User
	// The SQL query is built by directly formatting the input into the string, an injection risk
	db2.Raw(fmt.Sprintf("SELECT * FROM users WHERE id = '%s'", id)).Find(&users)

	_, _ = GetUserByID2(db2, id)
	return users, nil
}

func GetUserByID2(db *gorm.DB, id string) ([]User, error) {
	var users []User
	// The query string is built by direct concatenation, an injection risk
	db.Raw("SELECT * FROM users WHERE id = " + id + "").Find(&users)
	return users, nil
}

Steps to reproduce the behavior

gosec version: v2

Go version (output of 'go version')

Operating system / Environment

Expected behavior

Actual behavior

@ccojocar
Member

ccojocar commented Dec 5, 2024

This rule only supports the standard library. I'm not sure from which module/package db2.Raw is originating.

@ccojocar ccojocar closed this as completed Dec 5, 2024
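The reply above explains why nothing is reported: G201 (query built with a format string) and G202 (query built by concatenation) only recognise the standard library's database/sql entry points, so a gorm `Raw` call fed by `fmt.Sprintf` or `+` is outside their scope. As an added example, not part of this issue and not gosec's own code, here is a small go/ast checker that flags any call to a method named `Raw` whose first argument is a `fmt.Sprintf` call or a string concatenation, run over a constructed copy of the issue's snippet plus a placeholder-based variant that it correctly leaves alone. The names `FindDynamicRawQueries`, `isSprintf`, `isConcat`, `Finding` and the `sample` source are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

type Finding struct {
	Line int
	Kind string // "format-string" (G201's pattern) or "concatenation" (G202's pattern)
}

// isSprintf reports whether e is a call whose callee prints as fmt.Sprintf.
func isSprintf(e ast.Expr) bool {
	call, ok := e.(*ast.CallExpr)
	return ok && types.ExprString(call.Fun) == "fmt.Sprintf"
}

// isConcat reports whether e is a '+' chain with at least one operand that
// is not a literal, i.e. a query string assembled from run-time values.
func isConcat(e ast.Expr) bool {
	bin, ok := e.(*ast.BinaryExpr)
	if !ok || bin.Op != token.ADD {
		return false
	}
	for _, side := range []ast.Expr{bin.X, bin.Y} {
		switch s := side.(type) {
		case *ast.BasicLit: // literal text on its own is fine
		case *ast.BinaryExpr: // "a" + id + "" parses as ("a" + id) + ""
			if isConcat(s) {
				return true
			}
		default: // identifier, call, index expression, ...: a run-time value
			return true
		}
	}
	return false
}

// FindDynamicRawQueries parses src and reports every call to a method named Raw
// (any receiver, so gorm's db.Raw qualifies) whose first argument is dynamic.
func FindDynamicRawQueries(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		if sel, ok := call.Fun.(*ast.SelectorExpr); !ok || sel.Sel.Name != "Raw" {
			return true
		}
		line := fset.Position(call.Pos()).Line
		switch {
		case isSprintf(call.Args[0]):
			findings = append(findings, Finding{Line: line, Kind: "format-string"})
		case isConcat(call.Args[0]):
			findings = append(findings, Finding{Line: line, Kind: "concatenation"})
		}
		return true
	})
	return findings, nil
}

// sample is a constructed copy of the issue's snippet plus a placeholder-based
// variant; it only has to parse, not compile, so imports are omitted.
const sample = `package main
func GetUserByID(id string) ([]User, error) {
	var users []User
	db2.Raw(fmt.Sprintf("SELECT * FROM users WHERE id = '%s'", id)).Find(&users)
	return users, nil
}
func GetUserByID2(db *gorm.DB, id string) ([]User, error) {
	var users []User
	db.Raw("SELECT * FROM users WHERE id = " + id + "").Find(&users)
	return users, nil
}
func GetUserByIDSafe(db *gorm.DB, id string) ([]User, error) {
	var users []User
	db.Raw("SELECT * FROM users WHERE id = ?", id).Find(&users) // id travels as a bound parameter
	return users, nil
}`

func main() {
	findings, err := FindDynamicRawQueries(sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("input.go:%d: query built by %s passed to Raw\n", f.Line, f.Kind)
	}
}
```

The checker is purely syntactic: it matches any method called `Raw`, so it will also fire on unrelated types that happen to use that name, and it cannot see a query string assembled in an earlier statement and passed in as a variable. A production rule, like gosec's, would use type information to confine the match to the gorm receiver and track the argument's origin. The `GetUserByIDSafe` variant in the sample shows the remedy the concatenating code needs: keep the SQL text constant and hand the value to the driver as a `?` parameter.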