staticcheck: flag strings.HasSuffix with a RequestURI #877

@ainar-g

Description

@ainar-g

Using strings.HasSuffix with http.Request.RequestURI probably doesn't do what the programmer thinks it does and can be unsafe. For example, this code:

if strings.HasSuffix(r.RequestURI, "/admin") {
	http.Error(w, "forbidden", http.StatusForbidden)

	return
}

will do nothing if the user makes a request for /admin?unsafe=1.

There is some potential here for false positives, but I don't think it's that high, and the code in question should probably be rewritten either way. At the very least, looking for pathlike patterns in the RequestURI field is very likely an error.
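The following is an added, self-contained Go example, not code from the issue or from staticcheck, that reproduces the bypass described above and places a path-based check beside it. Both the request targets and the helper names (deniedByRequestURI, deniedByPath, evaluate) are constructed for this example; the hardened check compares the cleaned r.URL.Path against "/admin" and "/admin/" as one reasonable alternative, not the only one.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// deniedByRequestURI mirrors the pattern the issue flags. RequestURI is the
// raw request target as sent by the client, query string included, so a
// suffix test on it is defeated by appending "?anything".
func deniedByRequestURI(r *http.Request) bool {
	return strings.HasSuffix(r.RequestURI, "/admin")
}

// deniedByPath tests the parsed path instead. path.Clean collapses a trailing
// slash and "." / ".." segments, and the prefix test also covers sub-paths
// such as "/admin/users". (Hardened variant written for this example.)
func deniedByPath(r *http.Request) bool {
	p := path.Clean(r.URL.Path)
	return p == "/admin" || strings.HasPrefix(p, "/admin/")
}

// verdict records what each check decides for one request target.
type verdict struct {
	Target string
	ByURI  bool // result of the strings.HasSuffix(r.RequestURI, ...) check
	ByPath bool // result of the cleaned r.URL.Path check
}

// evaluate builds a server-side *http.Request for each target (httptest
// populates both RequestURI and URL, as the real server does) and runs
// both checks against it.
func evaluate(targets []string) []verdict {
	out := make([]verdict, 0, len(targets))
	for _, t := range targets {
		r := httptest.NewRequest(http.MethodGet, t, nil)
		out = append(out, verdict{t, deniedByRequestURI(r), deniedByPath(r)})
	}
	return out
}

// sampleTargets are constructed request targets for the demonstration.
var sampleTargets = []string{
	"/admin",          // both checks deny
	"/admin?unsafe=1", // the bypass from the issue: suffix check passes it through
	"/admin/",         // trailing slash also slips past the suffix check
	"/admin/users",    // sub-path: only the path check denies
	"/public",         // neither check denies
}

func main() {
	for _, v := range evaluate(sampleTargets) {
		fmt.Printf("%-18s RequestURI-suffix denies=%-5v path-check denies=%v\n",
			v.Target, v.ByURI, v.ByPath)
	}
}
```

Running it shows the suffix check denying only the literal "/admin" while letting "/admin?unsafe=1", "/admin/" and "/admin/users" through, which is the false-negative class the proposed check would catch; routing such decisions through r.URL.Path (or a mux that already normalises it) removes the query string from the comparison entirely.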

Metadata

Assignees

No one assigned

    Labels

    aggressive: A set of checks that is more prone to false positives but is helpful during code review
    needs-decision: We have to decide if this check is feasible and desirable
    new-check

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests