The fmt standard library package. Sscanf is a source of tainted data (it copies parsed input into its pointer arguments), Sprintf propagates taint from its arguments into its return value, and Fprintf is an XSS sink when its writer is an http.ResponseWriter.
Sscanf (Source): Sscanf(str string, format string, a ...any) (n int, err error)
Parses str according to format. The a arguments become tainted with the contents of str.
Fprintf (Sink): Fprintf(w io.Writer, format string, a ...any) (n int, err error)
Writes the formatted output to w. XSS sink when w is an http.ResponseWriter and a contains user-controlled data that has not been HTML-encoded.
Sprintf (Neutral): Sprintf(format string, a ...any) string
Formats and returns a string. Neither source nor sink, but it propagates taint from its arguments into the return value, so a tainted argument yields a tainted result.
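The three roles chained in a single HTTP handler, as an added example that is not part of this page or of the tool it documents: Sscanf taints name from the query string, Sprintf carries that taint into the response string, and Fprintf writes it into the http.ResponseWriter unescaped. The hardened handler beside it keeps the same source but renders through html/template, so the tainted value never reaches the writer raw. The handler names, the render helper and the "user" query parameter are assumptions made for the example; the probe payload is constructed.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
)

// vulnerableHandler chains source -> propagator -> sink. It is deliberately
// vulnerable: the parsed name is written into the HTML body without encoding.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	var name string
	// Source: name is tainted with whatever the client put in ?user=
	if _, err := fmt.Sscanf(r.URL.Query().Get("user"), "%s", &name); err != nil {
		http.Error(w, "bad user", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	// Neutral: taint propagates from name into msg.
	msg := fmt.Sprintf("<h1>Hello, %s</h1>", name)
	// Sink: tainted msg reaches the http.ResponseWriter with no HTML encoding.
	fmt.Fprintf(w, "%s", msg)
}

// greetTmpl is an html/template; it escapes each value according to the HTML
// context it lands in, so user data cannot break out of the text node.
var greetTmpl = template.Must(template.New("greet").Parse("<h1>Hello, {{.}}</h1>"))

// safeHandler keeps the same Sscanf source but replaces the Sprintf/Fprintf
// pair with contextual auto-escaping.
func safeHandler(w http.ResponseWriter, r *http.Request) {
	var name string
	if _, err := fmt.Sscanf(r.URL.Query().Get("user"), "%s", &name); err != nil {
		http.Error(w, "bad user", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := greetTmpl.Execute(w, name); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// render drives a handler with an in-memory request (no listener needed) and
// returns the status code and body so the two behaviours can be compared.
func render(h http.HandlerFunc, rawURL string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, rawURL, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	// Constructed probe: the payload contains no whitespace, so the %s verb
	// in Sscanf consumes all of it instead of stopping at the first space.
	const probe = "/?user=%3Cscript%3Ealert(1)%3C/script%3E"
	_, bad := render(vulnerableHandler, probe)
	_, good := render(safeHandler, probe)
	fmt.Println("vulnerable:", bad)
	fmt.Println("hardened:  ", good)
}
```

A rule that marks fmt.Fprintf as the sink fires on vulnerableHandler because the Sscanf-tainted value flows through Sprintf straight into the writer; in safeHandler the only path to the ResponseWriter is template.Execute, which encodes the value, so the same rule correctly reports nothing. Note the Sscanf caveat shown by the probe: %s stops at whitespace, so a payload such as "<img src=x onerror=...>" would be truncated to "<img" by the source itself, which is a parsing artifact, not a defence.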
| FQN | Field |
|---|---|
| fmt | fqns[0] |
| fmt.* | patterns |
A wrong FQN does not error out; it silently yields 0 findings. Negative control: temporarily set fqns to a name that matches nothing. The rule must then produce 0 results; if findings still appear, they are not coming from the FQN match and the rule is not doing what you think.
// standard library — no go.mod entry required
from codepathfinder.go_rule import GoFmt