
When I do a SAST scan of my Go code, a vulnerability is detected in the following line: http.Redirect(w, r, "/", http.StatusSeeOther)

Vulnerability Description: Potential use of variable for URL detected

Cause: Whenever a URL is constructed from the data provided by the user, an attacker may be able to exploit security vulnerabilities such as Phishing and Trojan Horse attacks, by manipulating the URL using user-defined values. User-provided data can come from a variety of sources, including URL-based parameters, ActionForm properties, HTTP headers or cookies.

Fix Recommendation: Avoid using user-provided data in the URL. Validate all user-provided data before constructing the URL.

In the Redirect method, the URL mentioned is hardcoded. No variable is used for the URL. How can this vulnerability be fixed?

Jonathan Hall
Poojana V
  • That looks like a false positive. Which static-analysis tool are you using? – jub0bs Jan 25 '23 at 09:37
  • Are you sure it's that line that's causing the warning, and not another similar line? – Jonathan Hall Jan 25 '23 at 09:58
  • @jub0bs I am using HCL AppScan on Cloud. – Poojana V Jan 25 '23 at 10:24
  • @JonathanHall I am sure about it. It is throwing the issue in the mentioned line. – Poojana V Jan 25 '23 at 10:25
  • The important information here is the word "Potential" in "Potential use of variable for URL detected". It's potential, not actual. There's a potential problem with vacuum stability; it's potential. "How can this vulnerability be fixed?" Two strategies: a) don't run that SAS product. b) disable that vulnerability check on that line. – Volker Jan 25 '23 at 10:40
  • I agree that this is a false positive. Sometimes you just have to believe your own eyes. If you're a paying customer of HCL AppScan, I would open an issue with them and ask them to fix their Go support. But I wouldn't lose sleep over this beyond that, and I'd look into how to disable the check (in case this is e.g. blocking your pipeline). – Sandy Cash Jan 25 '23 at 15:40

0 Answers
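The scanner's fix recommendation (validate user-provided data before building the URL) only applies when the redirect target actually comes from the request, which is not the case for a hardcoded "/". As an added example, not code from the question or from HCL AppScan, the block below shows the open-redirect pattern the rule is meant to catch, the hardcoded redirect from the question beside it, and a validator that accepts only same-origin absolute paths. The handler names, the `next` query parameter and the constructed request targets are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableLogin is the pattern the SAST rule exists for: the target comes
// straight from a query parameter, so ?next=//evil.example/phish sends the
// user off-site (an open redirect usable for phishing).
func vulnerableLogin(w http.ResponseWriter, r *http.Request) {
	next := r.URL.Query().Get("next")
	http.Redirect(w, r, next, http.StatusSeeOther)
}

// hardcodedLogin is the line from the question: nothing attacker-controlled
// reaches the URL, so there is nothing to validate.
func hardcodedLogin(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "/", http.StatusSeeOther)
}

// safeRedirectTarget applies the scanner's recommendation when the target
// really is user-provided: only an absolute path on this origin is accepted;
// everything else falls back to "/". The bool reports whether raw was accepted.
func safeRedirectTarget(raw string) (string, bool) {
	if raw == "" {
		return "/", false
	}
	// url.Parse treats "\" as an ordinary character, but browsers normalise
	// "/\evil.example" to "//evil.example", so reject it (and CR/LF) outright.
	if strings.ContainsAny(raw, "\\\r\n") {
		return "/", false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "/", false
	}
	// A scheme, host, userinfo or opaque part means an absolute URL
	// ("https://evil.example", "javascript:..."), or a protocol-relative one
	// ("//evil.example"), which browsers resolve to another host.
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "/", false
	}
	// Require an absolute path and refuse a "//" prefix that survived parsing
	// (e.g. "///evil.example" or a percent-encoded "/%2F%2Fevil.example").
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "/", false
	}
	// Rebuild from the parsed parts so only path, query and fragment remain.
	clean := &url.URL{Path: u.Path, RawQuery: u.RawQuery, Fragment: u.Fragment}
	return clean.String(), true
}

// validatedLogin is the hardened form of vulnerableLogin.
func validatedLogin(w http.ResponseWriter, r *http.Request) {
	target, _ := safeRedirectTarget(r.URL.Query().Get("next"))
	http.Redirect(w, r, target, http.StatusSeeOther)
}

// redirectLocation runs a handler against a constructed request (no network)
// and returns the Location header the handler produced.
func redirectLocation(h http.HandlerFunc, target string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, target, nil)
	h(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	evil := "/login?next=//evil.example/phish" // constructed attacker input
	fmt.Println("vulnerable:", redirectLocation(vulnerableLogin, evil))
	fmt.Println("hardcoded: ", redirectLocation(hardcodedLogin, evil))
	fmt.Println("validated: ", redirectLocation(validatedLogin, evil))
	fmt.Println("validated: ", redirectLocation(validatedLogin, "/login?next=/account?tab=1"))
}
```

With the constructed input above, the vulnerable handler emits Location: //evil.example/phish, while both the hardcoded and the validated handler emit Location: /; a legitimate same-origin value such as /account?tab=1 passes the validator unchanged. A finding on the hardcoded line is therefore a false positive to suppress, whereas a finding on the vulnerable handler is the real thing.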