From 7f40bb3768b0290c02ea0967ca4a22e6b4ae1d80 Mon Sep 17 00:00:00 2001
From: Philip Hayton
Date: Mon, 22 Jul 2024 15:04:31 +0100
Subject: [PATCH] fix: remove golang patterns for deserialization that generate FP (#459)

---
 .../go/lang/deserialization_of_user_input.yml | 16 +--------
 .../testdata/main.go | 35 ++++++-------------
 2 files changed, 12 insertions(+), 39 deletions(-)

diff --git a/rules/go/lang/deserialization_of_user_input.yml b/rules/go/lang/deserialization_of_user_input.yml
index a9a38e151..066d2e0a7 100644
--- a/rules/go/lang/deserialization_of_user_input.yml
+++ b/rules/go/lang/deserialization_of_user_input.yml
@@ -13,28 +13,13 @@ patterns:
 detection: go_lang_deserialization_of_user_input_encoder
 - variable: USER_INPUT
 detection: go_shared_lang_dynamic_input_combined
- - pattern: $.$($<...>$$<...>);
- filters:
- - variable: CALLER
- values:
- - yaml
- - json
- - proto
- - variable: METHOD
- values:
- - Unmarshal
- - Marshal
- - variable: USER_INPUT
- detection: go_shared_lang_dynamic_input_combined
 auxiliary:
 - id: go_lang_deserialization_of_user_input_decoder
 patterns:
 - gob.NewDecoder();
- - json.NewDecoder();
 - id: go_lang_deserialization_of_user_input_encoder
 patterns:
 - gob.NewEncoder();
- - json.NewEncoder();
 languages:
 - go
 metadata:
@@ -51,6 +36,7 @@ metadata:
 
 ## References
 
+ - [Gob Security Documentation](https://pkg.go.dev/encoding/gob#hdr-Security)
 - [OWASP Deserialization cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
 cwe_id:
 - 502
diff --git a/tests/go/lang/deserialization_of_user_input/testdata/main.go b/tests/go/lang/deserialization_of_user_input/testdata/main.go
index 5cd19dd9c..07dbd0632 100644
--- a/tests/go/lang/deserialization_of_user_input/testdata/main.go
+++ b/tests/go/lang/deserialization_of_user_input/testdata/main.go
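Review bot: The first hunk drops every json/yaml/proto pattern and the `json.NewDecoder();`/`json.NewEncoder();` auxiliaries without recording why, so the next reader of this rule sees gob as the sole target and has no pointer to the false-positive reasoning behind #459. A short YAML comment above `auxiliary:` such as `# Only encoding/gob is flagged here; the json/yaml/proto Marshal/Unmarshal patterns were removed as false positives (#459)` would keep the rationale with the rule. The `gob.NewEncoder();` auxiliary is retained even though encoding does not deserialize input, so if that is deliberate the same comment should say so. The `pattern:` line in the removed block appears garbled in this rendering (its variable names are stripped), which looks like an extraction artefact rather than something to act on.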
@@ -8,34 +8,21 @@ import (
 "fmt"
 )
 
-func bad() {
- decoder := gob.NewDecoder(os.Args[0])
- // bearer:expected go_lang_deserialization_of_user_input
- decoder.Decode(os.Args[0])
- // ...
+type Employee struct {
+ Name string
+ Role string
 }
 
-func bad2() {
- // bearer:expected go_lang_deserialization_of_user_input
- yaml.Unmarshal(os.Args[0])
- // bearer:expected go_lang_deserialization_of_user_input
- yaml.Marshal(os.Args[0])
- // ...
-}
+func bad() {
 
-func bad3() {
- // bearer:expected go_lang_deserialization_of_user_input
- json.Unmarshal(os.Args[0])
+ dec := gob.NewDecoder(&os.Args[0])
+ var v Vector
+ err = dec.Decode(&v)
 // bearer:expected go_lang_deserialization_of_user_input
- json.Marshal(os.Args[0])
- // ...
 }
 
-func bad4() {
- newMessage := &example.Message{}
- // bearer:expected go_lang_deserialization_of_user_input
- proto.Unmarshal(os.Args[0], newMessage)
- // bearer:expected go_lang_deserialization_of_user_input
- proto.Marshal(os.Args[0])
- // ...
+func ok() {
+ data = &Employee{}
+ json.Unmarshal(os.Args[0], data)
+ json.Marshal(data)
 }
\ No newline at end of file
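Review bot: The new `bad()` is not valid Go as written: `err` is assigned with `=` but never declared, `Vector` is not defined anywhere in the hunk (only `Employee` is), and `gob.NewDecoder` takes an `io.Reader` while `&os.Args[0]` is a `*string`; `ok()` has the same undeclared-assignment problem with `data = &Employee{}`. If the fixture is only scanned and never built this may be tolerated, but the removed functions were at least syntactically valid, so I would use `var v Employee`, `err := dec.Decode(&v)` and `data := &Employee{}`, and hand `gob.NewDecoder` a reader wrapping `os.Args[0]` provided the user-input detection still matches through it. The `// bearer:expected` marker now sits after `err = dec.Decode(&v)` and directly before `}`, whereas every removed occurrence placed it on the line before the flagged call; unless the expectation convention changed, it should move above the `dec :=`/`Decode` line it is meant to annotate. The import block starts outside the hunk, so I cannot confirm that `gob`, `json` and `os` are still imported and that the now-unused `yaml`, `proto` and `example` imports were dropped.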