dominikh / go-tools

Staticcheck - The advanced Go linter
https://staticcheck.dev
MIT License
6.23k stars 377 forks source link

staticcheck: detect uses of fmt.Sprintf for URL-like values #730

Open ainar-g opened 4 years ago

ainar-g commented 4 years ago

Not sure about the universality on this one, but filing just in case. Also not sure if it's more of a staticcheck or a stylecheck.

var requrl = fmt.Sprintf("http://%s/api/v1/users/%s/comments?q=%s", host, userUUID, query)

This is probably not the best way to create a URL. While the host part may be considered “acceptable”, the query part just looks like bad code to me. Best case scenario: this leads to occasional errors because of bad URLs. Worst case scenario: data leakage due to undervalidated parameters.

I think that this would be much better with *url.URL, url.Values, and path.Join.

seiyab commented 7 months ago

Should these be detected?

Maybe test code should be ignored.