fix(golang): deserialization pattern for gob

Bearer · Jul 22, 2024 · 6102fd1 · 6102fd1
1 parent 7f40bb3
commit 6102fd1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 10 deletions.
diff --git a/rules/go/lang/deserialization_of_user_input.yml b/rules/go/lang/deserialization_of_user_input.yml
@@ -1,25 +1,27 @@
 imports:
   - go_shared_lang_dynamic_input_combined
 patterns:
-  - pattern: $<DECODER>.Decode($<USER_INPUT>);
+  - pattern: $<DECODER>.Decode($<...>);
     filters:
       - variable: DECODER
         detection: go_lang_deserialization_of_user_input_decoder
-      - variable: USER_INPUT
-        detection: go_shared_lang_dynamic_input_combined
-  - pattern: $<ENCODER>.Encode($<...>$<USER_INPUT>$<...>);
+  - pattern: $<ENCODER>.Encode($<...>);
     filters:
       - variable: ENCODER
         detection: go_lang_deserialization_of_user_input_encoder
-      - variable: USER_INPUT
-        detection: go_shared_lang_dynamic_input_combined
 auxiliary:
   - id: go_lang_deserialization_of_user_input_decoder
     patterns:
-      - gob.NewDecoder();
+      - pattern: gob.NewDecoder($<USER_INPUT>);
+        filters:
+          - variable: USER_INPUT
+            detection: go_shared_lang_dynamic_input_combined
   - id: go_lang_deserialization_of_user_input_encoder
     patterns:
-      - gob.NewEncoder();
+      - pattern: gob.NewEncoder($<USER_INPUT>);
+        filters:
+          - variable: USER_INPUT
+            detection: go_shared_lang_dynamic_input_combined
 languages:
   - go
 metadata:

diff --git a/tests/go/lang/deserialization_of_user_input/testdata/main.go b/tests/go/lang/deserialization_of_user_input/testdata/main.go
@@ -15,10 +15,10 @@ type Employee struct {
 
 func bad() {
 
-	dec := gob.NewDecoder(&os.Args[0])
+	dec := gob.NewDecoder(bytes.NewReader([]byte(os.Args[0])))
 	var v Vector
-	err = dec.Decode(&v)
 	// bearer:expected go_lang_deserialization_of_user_input
+	err = dec.Decode(&v)
 }
 
 func ok() {