sdk/golang/Standard Library/GoHTTPRequest

GoHTTPRequest

Represents *http.Request from the net/http standard library. Used in standard http.HandlerFunc handlers. FormValue, URL.Query(), Header.Get(), and Body are all taint sources.

4 sources

Taint flow4 sources → 0 sinks

Sources — untrusted input

.FormValue()Returns the first value for the named POST or query-string field

.PostFormValue()Returns the first value for the named POST body field only

.Header()Returns the HTTP header value

.URL()URL query string accessor

Sources

— user-controlled input enters here

.FormValue()Source

Signature

FormValue(key string) string

Returns the first value for the named POST or query-string field.

tracks:return

.PostFormValue()Source

Signature

PostFormValue(key string) string

Returns the first value for the named POST body field only.

tracks:return

.Header()Source

Signature

Header.Get(key string) string

Returns the HTTP header value. User-controlled headers like X-Forwarded-For.

tracks:return

.URL()Source

Signature

URL.Query().Get(key string) string

URL query string accessor. Equivalent to FormValue for GET params.

tracks:return

Fully-Qualified Names

FQN	Field
net/http.Request	fqns[0]
*.Request	patterns

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

go.mod

// standard library — no go.mod entry required

rule.py

from codepathfinder.go_rule import GoHTTPRequest

Rules Using This Class

GO-SEC-001 GO-SEC-002 GO-XSS-001 GO-SSRF-002

← PreviousGoHTTPMux

Next →GoHTTPResponseWriter