GoFmt

The fmt standard library package. Sprintf, Fprintf, Sscanf are sources of formatted string data. Fprintf to http.ResponseWriter is an XSS sink.

1 source1 sink

Taint flow1 source → 1 sink

Sources — untrusted input

.Sscanf()Parses str

→

taint

Sinks — dangerous call

.Fprintf()Writes to w

Sources

— user-controlled input enters here

.Sscanf()Source

Signature

Sscanf(str string, format string, a ...any) (n int, err error)

Parses str. a arguments become tainted with str contents.

— dangerous functions taint must not reach

.Fprintf()Sink

Signature

Fprintf(w io.Writer, format string, a ...any) (n int, err error)

Writes to w. XSS sink when w is http.ResponseWriter and a contains user input.

tracks:1

.Sprintf()Neutral

Signature

Sprintf(format string, a ...any) string

Formats string. Propagates taint from arguments into the return value.

FQN	Field
fmt	fqns[0]
fmt.*	patterns

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

go.mod

// standard library — no go.mod entry required

rule.py

from codepathfinder.go_rule import GoFmt