From 6102fd1315cae2ba3648116fc63b437f78b57c2e Mon Sep 17 00:00:00 2001
From: elsapet
Date: Mon, 22 Jul 2024 17:08:06 +0200
Subject: [PATCH] fix(golang): deserialization pattern for gob
---
 .../go/lang/deserialization_of_user_input.yml | 18 ++++++++++--------
 .../testdata/main.go | 4 ++--
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/rules/go/lang/deserialization_of_user_input.yml b/rules/go/lang/deserialization_of_user_input.yml
index 066d2e0a..f433c3ad 100644
--- a/rules/go/lang/deserialization_of_user_input.yml
+++ b/rules/go/lang/deserialization_of_user_input.yml
@@ -1,25 +1,27 @@
 imports:
   - go_shared_lang_dynamic_input_combined
 patterns:
-  - pattern: $.Decode($);
+  - pattern: $.Decode($<...>);
     filters:
       - variable: DECODER
         detection: go_lang_deserialization_of_user_input_decoder
-      - variable: USER_INPUT
-        detection: go_shared_lang_dynamic_input_combined
-  - pattern: $.Encode($<...>$$<...>);
+  - pattern: $.Encode($<...>);
     filters:
       - variable: ENCODER
         detection: go_lang_deserialization_of_user_input_encoder
-      - variable: USER_INPUT
-        detection: go_shared_lang_dynamic_input_combined
 auxiliary:
   - id: go_lang_deserialization_of_user_input_decoder
     patterns:
-      - gob.NewDecoder();
+      - pattern: gob.NewDecoder($);
+        filters:
+          - variable: USER_INPUT
+            detection: go_shared_lang_dynamic_input_combined
   - id: go_lang_deserialization_of_user_input_encoder
     patterns:
-      - gob.NewEncoder();
+      - pattern: gob.NewEncoder($);
+        filters:
+          - variable: USER_INPUT
+            detection: go_shared_lang_dynamic_input_combined
 languages:
   - go
 metadata:
diff --git a/tests/go/lang/deserialization_of_user_input/testdata/main.go b/tests/go/lang/deserialization_of_user_input/testdata/main.go
index 07dbd063..f6820ded 100644
--- a/tests/go/lang/deserialization_of_user_input/testdata/main.go
+++ b/tests/go/lang/deserialization_of_user_input/testdata/main.go
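Review bot: The filters on the new `$.Decode($<...>)` and `$.Encode($<...>)` patterns refer to DECODER and ENCODER, and the new auxiliary patterns `gob.NewDecoder($)` / `gob.NewEncoder($)` refer to USER_INPUT, but as rendered here none of the four patterns binds those names (each shows a bare `$` rather than a named capture), so the filters would have nothing to apply to and the rule would never match; if the bracketed variable names were stripped in rendering, disregard this part. Separately, moving the USER_INPUT detection onto the argument of `gob.NewEncoder($)` means the encoder branch now fires when the io.Writer handed to the encoder is dynamic input, i.e. on serialization into an attacker-influenced sink, which is not the untrusted-decode risk the rule id names, and since `$.Encode($<...>)` no longer constrains its own argument the branch is broader than before. It would be worth a short comment above the encoder auxiliary stating which case it is meant to catch, or a test in testdata that exercises it, so the intent is not lost. The rule's `metadata:` section continues outside the hunk.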
@@ -15,10 +15,10 @@ type Employee struct {
 func bad() {
-	dec := gob.NewDecoder(&os.Args[0])
+	dec := gob.NewDecoder(bytes.NewReader([]byte(os.Args[0])))
 	var v Vector
-	err = dec.Decode(&v) // bearer:expected go_lang_deserialization_of_user_input
+	err = dec.Decode(&v)
 }
 func ok() {