Closed picatz closed 1 year ago
At this time, this would be a false negative:

```go
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
	var input map[string]any
	json.NewDecoder(r.Body).Decode(&input) // source: r.Body populates input
	func() {
		userValue := fmt.Sprintf("%s", input["query"]) // read from the parent scope's map
		business(db, func() *string {
			return &userValue // sink: reaches business() through the func literal
		}())
	}()
})
```

`userValue` comes from the parent scope's `input` map object (`query` key). The `input` map object comes from its parent's scope. It's used by `(*json.Decoder).Decode`, with `r.Body` (user input) as its source, to populate the `input` map. This relationship needs to be properly traversed, analyzed, or captured to find this SQL injection:

```text
userValue:string → input:map["query"] → input:map → (*json.Decoder).Decode → json.NewDecoder → (*http.Request).Body → *http.Request
```

Related test:
https://github.com/picatz/taint/blob/c158d0fd952cad97687c5337360bf64a4dae7ad1/sql/injection/injection_test.go#L39-L42
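The flow the issue describes, written out as a stand-alone Go program so the data path can be exercised at runtime. This is an added example, not code from the issue or from the picatz/taint project: the `Query` type and the `userValueFromRequest`, `unsafeQuery`, `safeQuery` and `BuildQuery` names are assumptions made for this example, and the JSON body is constructed. It reproduces the same chain (`r.Body` → `Decode` → `input` map → `input["query"]` inside a nested closure → `*string` returned from an immediately invoked func literal) and shows the value reaching the SQL text unchanged, next to the parameterized form that keeps it out of the statement.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Query stands in for whatever a data-access layer would hand to the database
// driver. The type is an assumption for this example, not a picatz/taint type.
type Query struct {
	SQL  string // SQL text sent to the driver
	Args []any  // bound parameters (empty when the value was interpolated)
}

// userValueFromRequest reproduces the flow from the issue: decode the body into
// a map, read the "query" key in a nested closure, and hand the value out
// through an immediately invoked func literal that returns *string.
func userValueFromRequest(r *http.Request) (*string, error) {
	var input map[string]any // populated from r.Body, so every value is tainted
	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
		return nil, err
	}
	var out *string
	func() {
		userValue := fmt.Sprintf("%s", input["query"]) // taint: input["query"]
		out = func() *string { return &userValue }()   // pointer escapes the closure
	}()
	return out, nil
}

// unsafeQuery interpolates the request-controlled string into the SQL text.
// This is the sink a taint analyzer should report for the chain above.
func unsafeQuery(v *string) Query {
	return Query{SQL: "SELECT * FROM users WHERE name = '" + *v + "'"}
}

// safeQuery keeps the value out of the SQL text; the driver binds it.
func safeQuery(v *string) Query {
	return Query{SQL: "SELECT * FROM users WHERE name = ?", Args: []any{*v}}
}

// BuildQuery runs a JSON body through the flow above and returns the query
// the chosen builder would send to the database.
func BuildQuery(body string, build func(*string) Query) (Query, error) {
	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
	v, err := userValueFromRequest(r)
	if err != nil {
		return Query{}, err
	}
	return build(v), nil
}

func main() {
	// Constructed sample body; the embedded quote shows the raw interpolation.
	body := `{"query":"O'Brien"}`
	bad, _ := BuildQuery(body, unsafeQuery)
	good, _ := BuildQuery(body, safeQuery)
	fmt.Println(bad.SQL)             // SELECT * FROM users WHERE name = 'O'Brien'
	fmt.Println(good.SQL, good.Args) // SELECT * FROM users WHERE name = ? [O'Brien]
}
```

Because `userValueFromRequest` only moves the value through a map lookup, a closure and a pointer, nothing in the path sanitizes it; the interpolated query is exactly the string the analyzer's test expects to be flagged, while the parameterized variant leaves the SQL text constant regardless of the request body.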