Standard Library

GoEncodingXML

encoding/xml package. Unmarshal and Decoder.Decode() are sources: every value they populate from untrusted bytes is tainted. xml.NewDecoder is the sink, the point where attacker-controlled input enters the parser. Note that Go's encoding/xml does not process DTDs or external entities: a <!DOCTYPE ...> block is returned as an xml.Directive token and never fetched, and an undeclared entity reference is a syntax error in the default strict mode. Classic XXE therefore does not apply; what this rule catches is untrusted data reaching the decoder and flowing into the decoded values, which must be validated and size-bounded before use.

Taint flow: 1 source, 1 sink
Sources (untrusted input): .Unmarshal()
Sinks (dangerous call): .NewDecoder()

Sources

.Unmarshal() (Source)
Signature: Unmarshal(data []byte, v any) error

Decodes XML into v. v becomes tainted: every field populated from data is attacker-controlled and must be validated before use. Entity references in data that are not one of the five predefined XML entities (or an entry in a caller-supplied Decoder.Entity map) fail with a syntax error rather than being resolved, so a DOCTYPE-declared external entity in data is not a file-read or SSRF vector.

tracks: 1

Sinks

.NewDecoder() (Sink)
Signature: NewDecoder(r io.Reader) *Decoder

Creates an XML decoder reading from r. Flagged when r is user-controlled. Go's decoder does not resolve DTDs or external entities, so XXE is not the risk here; the practical hardening is to bound the size of r (for example with io.LimitReader, since the decoder itself imposes no limit), keep Decoder.Strict at its default of true so undeclared entities are rejected rather than passed through, and populate Decoder.Entity only with static values you control.

tracks: 0
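An added example, not part of this page or of the Go standard library documentation, showing what the rule's source-to-sink pattern looks like in code and what encoding/xml actually does with an XXE probe. The Config struct, the probe document, the benign document and the path policy in decodeBounded are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Config is a constructed target struct; every field the decoder fills from
// untrusted bytes is tainted in the rule's sense.
type Config struct {
	XMLName xml.Name `xml:"config"`
	Name    string   `xml:"name"`
	Path    string   `xml:"path"`
}

// xxeProbe is a constructed XXE test document: a DOCTYPE declaring an external
// entity, and a reference to it in element content.
const xxeProbe = `<?xml version="1.0"?>
<!DOCTYPE config [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<config><name>&xxe;</name><path>/tmp</path></config>`

// benignDoc is a constructed well-formed document with no entities.
const benignDoc = `<config><name>app</name><path>/var/lib/app</path></config>`

// decodeStrict is the source-to-sink pattern the rule reports: untrusted bytes
// reach xml.NewDecoder and are decoded into Config. In the default strict mode
// the DOCTYPE is read as an xml.Directive and skipped, and the undeclared
// &xxe; reference is a syntax error, not a file read.
func decodeStrict(untrusted []byte) (Config, error) {
	var c Config
	dec := xml.NewDecoder(bytes.NewReader(untrusted))
	err := dec.Decode(&c)
	return c, err
}

// decodeLenient sets Decoder.Strict = false. The undeclared entity is then
// copied through as the literal text "&xxe;"; it is still never resolved.
func decodeLenient(untrusted []byte) (Config, error) {
	var c Config
	dec := xml.NewDecoder(bytes.NewReader(untrusted))
	dec.Strict = false
	err := dec.Decode(&c)
	return c, err
}

// decodeBounded is the hardened form: the reader is capped so an oversized
// document cannot exhaust memory, and the tainted Path field is validated
// before the caller may use it. The path policy (absolute, no ".." components)
// is an assumption made for this example.
func decodeBounded(r io.Reader, maxBytes int64) (Config, error) {
	var c Config
	dec := xml.NewDecoder(io.LimitReader(r, maxBytes))
	if err := dec.Decode(&c); err != nil {
		return Config{}, err // a truncated document surfaces as a syntax error
	}
	if !strings.HasPrefix(c.Path, "/") || strings.Contains(c.Path, "..") {
		return Config{}, fmt.Errorf("rejected untrusted path %q", c.Path)
	}
	return c, nil
}

func main() {
	_, err := decodeStrict([]byte(xxeProbe))
	fmt.Println("strict:   ", err)

	c, err := decodeLenient([]byte(xxeProbe))
	fmt.Printf("lenient:   name=%q err=%v\n", c.Name, err)

	c, err = decodeBounded(strings.NewReader(benignDoc), 1<<20)
	fmt.Printf("bounded:   %+v err=%v\n", c, err)

	_, err = decodeBounded(strings.NewReader(benignDoc), 16)
	fmt.Println("truncated:", err)
}
```

Run it with `go run .` in a directory containing only this file. The strict call prints an "invalid character entity &xxe;" syntax error; the lenient call returns the literal string "&xxe;" in Name; the bounded call decodes the benign document, and the 16-byte cap turns the same document into an "unexpected EOF" error instead of a partially filled struct.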

Fully-Qualified Names

FQN: encoding/xml (field: fqns[0])

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

go.mod:
// standard library — no go.mod entry required

rule.py:
from codepathfinder.go_rule import GoEncodingXML