Hack me. #1009
Open
Hack me. #1009
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![smithy-cloud-plexor[bot]](https://avatars.githubusercontent.com/in/1013480?s=60&v=4){kind=small}
Comment on lines
+1
to
+192
| } | ||
| query += id // No quotes or sanitization! | ||
| } | ||
| query += ")" | ||
|
|
||
| _, err := db.Exec(query) | ||
| return err | ||
| } | ||
|
|
||
| // VULNERABLE: Complex query with multiple injection points | ||
| func getFilteredUsers(minAge, maxAge, city, profession string) ([]User, error) { | ||
| var users []User | ||
|
|
||
| // This is vulnerable to SQL injection in multiple places! | ||
| query := "SELECT id, username, email FROM users WHERE 1=1" | ||
|
|
||
| if minAge != "" { | ||
| query += " AND age >= " + minAge | ||
| } | ||
| if maxAge != "" { | ||
| query += " AND age <= " + maxAge | ||
| } | ||
| if city != "" { | ||
| query += " AND city = '" + city + "'" | ||
| } | ||
| if profession != "" { | ||
| query += " AND profession = '" + profession + "'" | ||
| } | ||
|
|
||
| rows, err := db.Query(query) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| defer rows.Close() | ||
|
|
||
| for rows.Next() { | ||
| var user User | ||
| err := rows.Scan(&user.ID, &user.Username, &user.Email) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| users = append(users, user) | ||
| } | ||
| return users, nil | ||
| } | ||
|
|
||
| // VULNERABLE: Raw SQL execution from user input | ||
| func executeCustomQuery(customSQL string) ([]map[string]interface{}, error) { | ||
| // This is extremely dangerous - allows arbitrary SQL execution! | ||
| rows, err := db.Query(customSQL) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| defer rows.Close() | ||
|
|
||
| columns, err := rows.Columns() | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| var results []map[string]interface{} | ||
| for rows.Next() { | ||
| values := make([]interface{}, len(columns)) | ||
| valuePtrs := make([]interface{}, len(columns)) | ||
| for i := range values { | ||
| valuePtrs[i] = &values[i] | ||
| } | ||
|
|
||
| if err := rows.Scan(valuePtrs...); err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| result := make(map[string]interface{}) | ||
| for i, col := range columns { | ||
| result[col] = values[i] | ||
| } | ||
| results = append(results, result) | ||
| } | ||
|
|
||
| return results, nil | ||
| } | ||
|
|
||
| type User struct { | ||
| ID int `json:"id"` | ||
| Username string `json:"username"` | ||
| Email string `json:"email"` | ||
| } | ||
|
|
||
| func main() { | ||
| var err error | ||
| db, err = sql.Open("mysql", "user:password@tcp(localhost:3306)/testdb") | ||
| if err != nil { | ||
| log.Fatal(err) | ||
| } | ||
| defer db.Close() | ||
|
|
||
| http.HandleFunc("/user", getUserHandler) | ||
|
|
||
| fmt.Println("Server starting on :8080") | ||
| log.Fatal(http.ListenAndServe(":8080", nil)) |
There was a problem hiding this comment.
|
Use of net/http serve function that has no support for setting timeouts |
|---|---|
| Original Description: Use of net/http serve function that has no support for setting timeouts Help: Use of net/http serve function that has no support for setting timeouts Severity: MEDIUM Confidence: HIGH | |
| Finding | Link |
| Instance | dogfooding-smithy-code-fed5d9 |
| Tool | gosec |
Comment on lines
+1
to
+31
| package main | ||
|
|
||
| import ( | ||
| "database/sql" | ||
| "fmt" | ||
| "log" | ||
| "net/http" | ||
|
|
||
| _ "github.com/go-sql-driver/mysql" | ||
| ) | ||
|
|
||
| var db *sql.DB | ||
|
|
||
| // VULNERABLE: Direct string concatenation in SQL query | ||
| func getUserByID(userID string) (*User, error) { | ||
| // This is vulnerable to SQL injection! | ||
| query := "SELECT id, username, email FROM users WHERE id = " + userID | ||
|
|
||
| row := db.QueryRow(query) | ||
| var user User | ||
| err := row.Scan(&user.ID, &user.Username, &user.Email) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return &user, nil | ||
| } | ||
|
|
||
| // VULNERABLE: String formatting in SQL query | ||
| func loginUser(username, password string) bool { | ||
| // This is vulnerable to SQL injection! | ||
| query := fmt.Sprintf("SELECT id FROM users WHERE username = '%s' AND password = '%s'", username, password) |
There was a problem hiding this comment.
|
|
SQL string formatting |
|---|---|
| Original Description: SQL string formatting Help: SQL string formatting Severity: MEDIUM Confidence: HIGH | |
| Finding | Link |
| Instance | dogfooding-smithy-code-fed5d9 |
| Tool | gosec |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| // This is vulnerable to SQL injection! | ||
| query := "SELECT id, username, email, role FROM users WHERE id = " + userID | ||
|
|
||
| row := db.QueryRow(query) |
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 11 days ago
To fix the issue, the code should use prepared statements with placeholder parameters to safely embed user-provided values into SQL queries. Prepared statements ensure that user input is treated as data rather than executable code, mitigating SQL injection risks.
For the getUserHandler function:
- Replace the direct string concatenation with a prepared statement using
?placeholders for user-provided values. - Use the
db.QueryRowmethod with the prepared query and pass the user-provideduserIDas a parameter.
This change requires no additional imports or definitions, as the database/sql package already supports prepared statements.
Suggested changeset
1
hack/main.go
| @@ -66,5 +66,5 @@ | ||
| // This is vulnerable to SQL injection! | ||
| query := "SELECT id, username, email, role FROM users WHERE id = " + userID | ||
| query := "SELECT id, username, email, role FROM users WHERE id = ?" | ||
|
|
||
| row := db.QueryRow(query) | ||
| row := db.QueryRow(query, userID) | ||
| var id int |
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.