staticcheck: detect uses of fmt.Sprintf for URL-like values #730

Open
ainar-g opened this issue Apr 14, 2020 · 1 comment
Labels: aggressive (a set of checks that is more prone to false positives but is helpful during code review); needs-decision (we have to decide if this check is feasible and desirable); new-check

Comments

@ainar-g
Contributor

ainar-g commented Apr 14, 2020

Not sure about the universality on this one, but filing just in case. Also not sure if it's more of a staticcheck or a stylecheck.

```go
var requrl = fmt.Sprintf("http://%s/api/v1/users/%s/comments?q=%s", host, userUUID, query)
```

This is probably not the best way to create a URL. While the host part may be considered “acceptable”, the query part just looks like bad code to me. Best case scenario: this leads to occasional errors because of bad URLs. Worst case scenario: data leakage due to undervalidated parameters.

I think that this would be much better with *url.URL, url.Values, and path.Join.
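The difference the issue describes, as an added example (not the reporter's or Staticcheck's code): the Sprintf form beside the *url.URL, url.Values and path.Join form, fed a constructed query value containing '&' and '#'. The host, user id and query values are made up for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
)

// buildWithSprintf mirrors the pattern the issue flags: plain string
// formatting performs no escaping, so characters in the query value such
// as '&' or '#' change the structure of the resulting URL.
func buildWithSprintf(host, userUUID, query string) string {
	return fmt.Sprintf("http://%s/api/v1/users/%s/comments?q=%s", host, userUUID, query)
}

// buildWithURL is the suggested alternative: path.Join assembles the path,
// url.Values percent-encodes the query, and *url.URL puts the parts together.
func buildWithURL(host, userUUID, query string) string {
	q := url.Values{}
	q.Set("q", query)
	u := url.URL{
		Scheme:   "http",
		Host:     host,
		Path:     path.Join("/api/v1/users", userUUID, "comments"),
		RawQuery: q.Encode(), // "q=" followed by the escaped value
	}
	return u.String()
}

func main() {
	// Constructed inputs: in the Sprintf version "&admin=1" becomes a second
	// query parameter and "#x" becomes a fragment; in the url.URL version the
	// whole string stays the value of q.
	host, userUUID, query := "example.com", "1234", "a&admin=1#x"
	fmt.Println(buildWithSprintf(host, userUUID, query))
	fmt.Println(buildWithURL(host, userUUID, query))
}
```

Note that path.Join cleans the path, so a segment containing ".." is collapsed rather than rejected; an untrusted path segment still needs validation or url.PathEscape before it is joined.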

@ainar-g ainar-g added the needs-triage Newly filed issue that needs triage label Apr 14, 2020
@dominikh dominikh added needs-decision We have to decide if this check is feasible and desirable new-check and removed needs-triage Newly filed issue that needs triage labels May 10, 2020
@dominikh dominikh added the aggressive A set of checks that is more prone to false positives but is helpful during code review label Oct 17, 2021
@dominikh dominikh added this to the Staticcheck 2022.2 milestone Jan 12, 2022