Standard Library

GoIO

The io standard library package. ReadAll and ReadFull pull bytes out of a Reader and are sources when the underlying reader is user-controlled (e.g. an http.Request.Body). WriteString writes a string to a Writer and is a sink when the writer is an HTTP response. Copy, CopyN and NopCloser are neutral: they carry taint through from reader to writer without introducing or removing it.

Taint flow: 2 sources, 1 sink
Sources (untrusted input): .ReadAll(), .ReadFull()
Sinks (dangerous call): .WriteString()

Sources

.ReadAll() [Source]
Signature
ReadAll(r Reader) ([]byte, error)

Reads from r until EOF or error and returns everything read. Source when r wraps user input; the returned slice carries the taint.

tracks: return value

.ReadFull() [Source]
Signature
ReadFull(r Reader, buf []byte) (n int, err error)

Reads exactly len(buf) bytes from r into buf (returns ErrUnexpectedEOF if fewer are available, EOF if none). buf becomes tainted if r is user-controlled; note the taint lands in the argument, not in a return value.

tracks: argument 1 (buf)

Sinks

.WriteString() [Sink]
Signature
WriteString(w Writer, s string) (n int, err error)

Writes s to w. Sink when w is an HTTP ResponseWriter and s is user-controlled: an unescaped s written into an HTML response is reflected XSS. Passing s through html.EscapeString (or an HTML template) before the write breaks the flow.

tracks: argument 1 (s)
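The ReadAll/ReadFull → WriteString flow described above, as an added example (not code from the original page or from the codepathfinder project). It shows both sources feeding the same sink, once unescaped and once through html.EscapeString, and drives each handler with a constructed request body via net/http/httptest so the reflected output can be inspected offline. The handler and helper names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"html"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableEcho: io.ReadAll on the request body is the source; the bytes
// reach io.WriteString on the ResponseWriter (the sink) without escaping,
// so an HTML payload in the body is reflected verbatim (XSS).
func vulnerableEcho(w http.ResponseWriter, r *http.Request) {
	// LimitReader caps memory use; it does not change the taint of the data.
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	io.WriteString(w, "<p>"+string(body)+"</p>") // tainted string hits the sink
}

// vulnerableFixed: same flow through io.ReadFull. The taint lands in the
// caller-supplied buffer (argument 1), not in a return value.
func vulnerableFixed(w http.ResponseWriter, r *http.Request) {
	buf := make([]byte, 16)
	n, err := io.ReadFull(r.Body, buf)
	// A body shorter than the buffer is acceptable here; any other error is not.
	if err != nil && err != io.ErrUnexpectedEOF {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	io.WriteString(w, "<p>"+string(buf[:n])+"</p>") // buf is tainted, same sink
}

// hardenedEcho: identical source and sink, but the tainted value passes
// through html.EscapeString before the write, which is the sanitizer a
// taint rule for this sink should recognise.
func hardenedEcho(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	io.WriteString(w, "<p>"+html.EscapeString(string(body))+"</p>")
}

// exercise drives a handler with a constructed request body and returns the
// response body, so the reflected output can be checked without a server.
func exercise(h http.HandlerFunc, payload string) string {
	req := httptest.NewRequest(http.MethodPost, "/echo", strings.NewReader(payload))
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Body.String()
}

func main() {
	payload := "<script>alert(1)</script>" // constructed attacker-controlled body
	fmt.Println("ReadAll  -> WriteString:", exercise(vulnerableEcho, payload))
	fmt.Println("ReadFull -> WriteString:", exercise(vulnerableFixed, payload))
	fmt.Println("escaped  -> WriteString:", exercise(hardenedEcho, payload))
}
```

The ReadFull variant only reflects the first 16 bytes of the payload, which is why a rule must track the buffer argument rather than the byte count it returns: the count is harmless, the buffer is not.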

Other Methods

.Copy() [Neutral]
Signature
Copy(dst Writer, src Reader) (written int64, err error)

Copies from src to dst until EOF or error. Neutral data-transfer primitive: taint transits src → dst, so a tainted src leaves dst's contents tainted, but Copy itself is neither source nor sink.

.CopyN() [Neutral]
Signature
CopyN(dst Writer, src Reader, n int64) (written int64, err error)

Copies n bytes from src to dst, or fewer if src hits EOF or an error first (written reports how many). Same taint behaviour as Copy.

.NopCloser() [Neutral]
Signature
NopCloser(r Reader) ReadCloser

Wraps r in a ReadCloser whose Close is a no-op. Neutral transformation: the returned reader carries whatever taint r had.

Fully-Qualified Names

FQN     Field
io      fqns[0]
io.*    patterns

A wrong FQN yields 0 findings. Sanity check: change fqns to a garbage value and rerun; the rule must then produce 0 results. If it still matches, it is not keyed on the FQN and the earlier findings were not coming from this rule.

Import

go.mod
// standard library — no go.mod entry required
rule.py
from codepathfinder.go_rule import GoIO