// URL encoding at SQL sink — wrong-type sanitizer (Go).
//
// url.QueryEscape is registered as Sanitizer(URL_ENCODE) in the Go label
// rules, but db.Query is a Sink(SQL_QUERY). URL encoding does NOT
// neutralise SQL injection (QueryEscape percent-encodes characters only per its URL contract, which is not a SQL-escaping guarantee), so the engine still emits a finding.
//
// Symex should classify url.QueryEscape as TransformKind::UrlEncode and
// produce a renderable witness that names the transform — confirming the
// new Go transform classifier is wired through to witness rendering.
package main
import (
"database/sql"
"net/http"
"net/url"
)
// handler is an intentionally vulnerable analyzer fixture: it is analysed,
// not run. The taint flow under test is
//   r.URL.Query().Get("q")  (untrusted request input)
//     -> url.QueryEscape    (Sanitizer(URL_ENCODE) — wrong kind for this sink)
//     -> db.Query           (Sink(SQL_QUERY), query built by concatenation).
// Do NOT "fix" this function: parameterising the query or removing the
// string concatenation would remove the finding the test expects. Real code
// would pass the value as a bind parameter, e.g.
//   db.Query("SELECT * FROM items WHERE name = ?", userInput)
func handler(w http.ResponseWriter, r *http.Request) {
	// Untrusted: taken straight from the request query string.
	userInput := r.URL.Query().Get("q")
	// URL_ENCODE sanitiser applied at a SQL sink. Whatever characters
	// QueryEscape happens to percent-encode, that is a property of its URL
	// contract, not a SQL-escaping guarantee, so it must not be treated as
	// neutralising the taint.
	encoded := url.QueryEscape(userInput)
	// The sql.Open error is deliberately discarded. No sqlite3 driver is
	// imported in this file, so at runtime sql.Open would fail and db would
	// be unusable; acceptable only because the fixture is never executed.
	// db is never closed either.
	db, _ := sql.Open("sqlite3", "test.db")
	// SQL sink: string-concatenated query. The encoding step above must not
	// suppress the finding. The returned *sql.Rows and error are ignored
	// (linters would flag the unclosed rows); again, fixture-only.
	db.Query("SELECT * FROM items WHERE name = '" + encoded + "'")
}