
GoViperConfig

github.com/spf13/viper is the de-facto Go configuration library. Values returned from its Get* methods are taint sources whenever the backing configuration carries untrusted data (for example, values pulled from the environment or from a remote key/value store). Methods that persist configuration back out are typically neutral.

Taint flow: 4 sources, 2 sanitizers → 0 sinks

Sources (untrusted input):
.Get()
.GetString()
.GetStringSlice()
.Unmarshal()

Sanitizers (block taint):
.GetInt()
.GetBool()

Sources

.Get() (Source)
Signature: Get(key string) any
Returns the raw value for key. Source when the backing config contains user input.
tracks: return
.GetString() (Source)
Signature: GetString(key string) string
Returns the config value coerced to string. Source for user-supplied config.
tracks: return
.GetStringSlice() (Source)
Signature: GetStringSlice(key string) []string
Returns the config value as a string slice. Each element is a source.
tracks: return
.Unmarshal() (Source)
Signature: Unmarshal(rawVal any, opts ...DecoderConfigOption) error
Hydrates a Go struct from the config. rawVal becomes tainted if the config contains user input.
tracks: 0 (the rawVal argument)

Sanitizers

.GetInt() (Sanitizer)
Signature: GetInt(key string) int
Returns the config value coerced to int. Because the result can only be an integer, numeric coercion acts as a sanitizer for SQL and path injection.
tracks: return
.GetBool() (Sanitizer)
Signature: GetBool(key string) bool
Returns the config value coerced to bool. Sanitizer via type coercion.
tracks: return

Other Methods

.ReadConfig() (Neutral)
Signature: ReadConfig(in io.Reader) error
Reads config from a reader. Subsequent Get* values become sources if the reader is user-controlled.
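The following added example (not viper's code and not part of the rule page) shows the flow the entries above describe: a config read from an untrusted reader, a string accessor that passes taint through to a path sink and therefore needs a check, and an int accessor whose coercion discards any injection payload. Config, ReadConfig, GetString, GetInt, SafeJoin, LoadUntrusted and the sample JSON are all assumptions introduced here; viper itself is replaced by a small stdlib map so the program runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// Config models a viper-style key/value store. It is a stdlib stand-in used
// here so the example runs without the viper module; it is not viper's code.
type Config struct {
	values map[string]any
}

// ReadConfig parses JSON from an untrusted byte slice (in viper terms, an
// untrusted io.Reader). Every key it stores is treated as tainted from here on.
func ReadConfig(raw []byte) (*Config, error) {
	c := &Config{values: map[string]any{}}
	if err := json.Unmarshal(raw, &c.values); err != nil {
		return nil, err
	}
	return c, nil
}

// GetString returns the value coerced to string. Taint passes straight through:
// whatever the config author wrote ends up in the return value unchanged.
func (c *Config) GetString(key string) string {
	switch v := c.values[key].(type) {
	case nil:
		return ""
	case string:
		return v
	default:
		return fmt.Sprint(v)
	}
}

// GetInt returns the value coerced to int, or 0 when coercion fails (a lossy
// cast, modelled here with strconv). Because the result is a bare integer,
// no SQL or path-traversal payload can survive the call.
func (c *Config) GetInt(key string) int {
	switch v := c.values[key].(type) {
	case float64: // encoding/json decodes JSON numbers as float64
		return int(v)
	case string:
		n, err := strconv.Atoi(strings.TrimSpace(v))
		if err != nil {
			return 0
		}
		return n
	}
	return 0
}

// SafeJoin is the check a string-valued config key needs before it reaches a
// filesystem sink: the joined, cleaned path must stay inside base.
func SafeJoin(base, name string) (string, error) {
	joined := filepath.Join(base, name)
	rel, err := filepath.Rel(base, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("config value %q escapes %s", name, base)
	}
	return joined, nil
}

// untrustedConfigJSON is a constructed sample standing in for a config file
// a user could influence; the values are illustrative, not real findings.
const untrustedConfigJSON = `{"export_dir": "../../etc", "workers": "1 OR 1=1", "retries": 3}`

// LoadUntrusted loads the constructed sample so callers can inspect how each
// accessor treats the same tainted input.
func LoadUntrusted() (*Config, error) {
	return ReadConfig([]byte(untrustedConfigJSON))
}

func main() {
	cfg, err := LoadUntrusted()
	if err != nil {
		panic(err)
	}
	// Source: the string flows to a path sink and must be checked first.
	if _, err := SafeJoin("/srv/exports", cfg.GetString("export_dir")); err != nil {
		fmt.Println("rejected:", err)
	}
	// Sanitizer: the payload in "workers" collapses to 0; "retries" coerces to 3.
	fmt.Println("workers =", cfg.GetInt("workers"), "retries =", cfg.GetInt("retries"))
}
```

The point of the contrast is why the rule lists GetInt and GetBool as sanitizers but GetString and Get as sources: the typed accessors cannot return anything a downstream sink would interpret as code or a path, whereas the string accessors hand the raw value on and leave the validation to the caller.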

Fully-Qualified Names

FQN                           | Field
github.com/spf13/viper.Viper  | fqns[0]
*.Viper                       | patterns

A wrong FQN yields 0 findings. Sanity check: change fqns to a nonsense value and re-run; the rule must then produce 0 results.

Import

go.mod:
require github.com/spf13/viper v1.18.2

rule.py:
from codepathfinder.go_rule import GoViperConfig