Standard Library

GoJSON

encoding/json for JSON encode/decode. Unmarshal and Decoder.Decode deserialize JSON into Go values — the destination struct becomes tainted if the input bytes are user-controlled. Encoder.Encode writes JSON to a writer, a sink when the writer is an HTTP response.

Taint flow: 2 sources, 1 sink

Sources (untrusted input): .Unmarshal(), .Decode()
Sinks (dangerous call): .Encode()

Sources

.Unmarshal() (Source)
Signature
Unmarshal(data []byte, v any) error

Parses JSON bytes into v. v becomes tainted if data comes from user input.

Tracks: 1

.Decode() (Source)
Signature
Decode(v any) error

Reads the next JSON-encoded value from the stream into v. Source when the stream is user input.

Tracks: 0

Sinks

.Encode() (Sink)
Signature
Encode(v any) error

Writes v as JSON to the underlying writer. Sink when the writer is a response and v contains raw HTML.

Tracks: 0
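The source-to-sink flow this rule models, as an added example that is not part of the original page or of codepathfinder: user bytes enter a struct through Decoder.Decode, then leave through Encoder.Encode. It also shows the check a reviewer should make before treating Encode as a real finding: encoding/json escapes angle brackets by default, and only Encoder.SetEscapeHTML(false) lets raw HTML reach the writer. Comment, ParseComment and RenderComment are hypothetical names.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Comment is the destination struct: tainted once filled from user bytes.
type Comment struct {
	Author string `json:"author"`
	Body   string `json:"body"`
}

// ParseComment is the source side: untrusted JSON flows into Comment.
func ParseComment(raw []byte) (Comment, error) {
	var c Comment
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // reject keys the struct does not declare
	if err := dec.Decode(&c); err != nil {
		return Comment{}, err
	}
	return c, nil
}

// RenderComment is the sink side: Encoder.Encode writes the tainted value
// to a writer (the HTTP response in a real handler). escapeHTML drives
// Encoder.SetEscapeHTML; true is encoding/json's default.
func RenderComment(c Comment, escapeHTML bool) (string, error) {
	var out bytes.Buffer
	enc := json.NewEncoder(&out)
	enc.SetEscapeHTML(escapeHTML)
	if err := enc.Encode(c); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// constructed user input, not taken from the page
	c, _ := ParseComment([]byte(`{"author":"eve","body":"<b>hi</b>"}`))
	escaped, _ := RenderComment(c, true)
	raw, _ := RenderComment(c, false)
	fmt.Print("escaped: ", escaped, "raw:     ", raw) // Encode ends each with \n
}
```

With the default setting the body is emitted as \u003cb\u003ehi\u003c/b\u003e, so a finding on Encode is only actionable when SetEscapeHTML(false) is also reachable on that encoder.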

Other Methods

.Marshal() (Neutral)
Signature
Marshal(v any) ([]byte, error)

Serializes v to JSON bytes. Generally neutral.

.NewDecoder() (Neutral)
Signature
NewDecoder(r io.Reader) *Decoder

Creates a streaming decoder bound to r. Decoder.Decode is the actual source.

.NewEncoder() (Neutral)
Signature
NewEncoder(w io.Writer) *Encoder

Creates a streaming encoder bound to w. Encoder.Encode is the actual sink.

Fully-Qualified Names

FQN                     Field
encoding/json           fqns[0]
encoding/json.Decoder   fqns[1]
json.*                  patterns

A wrong FQN yields 0 findings. To verify the rule is actually matching, change fqns to a garbage value: the rule must then produce 0 results.

Import

go.mod
// standard library — no go.mod entry required
rule.py
from codepathfinder.go_rule import GoJSON