forked from dgryski/semgrep-go
hostport.yml
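# https://github.com/golang/go/issues/28308, from @stapelberg
#
# Semgrep rule for Go: flags network addresses assembled with
# fmt.Sprintf("%s:%s" / "%s:%d", ...) and recommends net.JoinHostPort.
# Why it matters: an IPv6 literal already contains colons, so plain
# "host:port" formatting yields an ambiguous address. net.JoinHostPort
# wraps such hosts in square brackets before appending the port.
rules:
  - id: sprintf-host-port
    pattern-either:
      # Branch 1: a two-verb host:port format where one operand, or the
      # variable being assigned, has a network-looking name ($NET).
      - patterns:
          - pattern-either:
              - pattern: fmt.Sprintf("%s:%s", $NET, $XX)
              - pattern: fmt.Sprintf("%s:%d", $NET, $XX)
              - pattern: fmt.Sprintf("%s:%s", $XX, $NET)
              - pattern: fmt.Sprintf("%s:%d", $XX, $NET)
              - pattern: $NET = fmt.Sprintf("%s:%d", ..., ...)
              - pattern: $NET = fmt.Sprintf("%s:%s", ..., ...)
          # Name heuristic: any name containing port/addr/host/listen/bind
          # (case-insensitive), the bare name "ip" in any case, or a
          # camel-case ip/Ip segment.
          # NOTE(review): hosts held under other names (e.g. "server") are
          # not flagged by this branch; treat a clean scan as a hint, not
          # as proof that every address is built safely.
          - metavariable-regex:
              metavariable: '$NET'
              regex: '((?i).*(port|addr|host|listen|bind))|((?i)^ip$)|(ip[A-Z0-9].*|.*(Ip)$|.*(Ip)[A-Z0-9].*)'
      # Branch 2: the port is hard-coded in the format literal
      # (e.g. "%s:8080") and the single operand has a network-looking name.
      - patterns:
          - pattern: fmt.Sprintf($XX, $NET)
          # $XX is compared as source text, so the regex includes the
          # surrounding double quotes of the string literal.
          - metavariable-regex:
              metavariable: '$XX'
              regex: '"%s:[0-9]+"'
          # Same name heuristic as in branch 1.
          - metavariable-regex:
              metavariable: '$NET'
              regex: '((?i).*(port|addr|host|listen|bind))|((?i)^ip$)|(ip[A-Z0-9].*|.*(Ip)$|.*(Ip)[A-Z0-9].*)'
    # The message names no metavariables: $XX is unbound in the assignment
    # patterns, and a fixed ($XX, $NET) order would misreport the operands
    # of the patterns where $NET comes first.
    message: |
      use net.JoinHostPort instead of fmt.Sprintf to build a host:port address;
      fmt.Sprintf does not bracket IPv6 literals
    languages: [go]
    severity: ERROR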