Detect use of net/http functions that have no support for setting timeouts (#842)

https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/ https://blog.cloudflare.com/exposing-go-on-the-internet/ Closes https://github.com/securego/gosec/issues/833
2025-06-14 23:45:03 +02:00 · 2022-08-02 18:16:44 +03:00
parent 6a26c231fc
commit 0c8e63ed86
5 changed files with 122 additions and 0 deletions
--- a/testutils/source.go
+++ b/testutils/source.go
@ -1110,6 +1110,84 @@ func main() {
 		}, 1, gosec.NewConfig()},
 	}

+	// SampleCodeG114 - Use of net/http serve functions that have no support for setting timeouts
+	SampleCodeG114 = []CodeSample{
+		{[]string{
+			`
+package main
+
+import (
+	"log"
+	"net/http"
+)
+
+func main() {
+	err := http.ListenAndServe(":8080", nil)
+	log.Fatal(err)
+}`,
+		}, 1, gosec.NewConfig()},
+		{
+			[]string{
+				`
+package main
+
+import (
+	"log"
+	"net/http"
+)
+
+func main() {
+	err := http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", nil)
+	log.Fatal(err)
+}`,
+			}, 1, gosec.NewConfig(),
+		},
+		{
+			[]string{
+				`
+package main
+
+import (
+	"log"
+	"net"
+	"net/http"
+)
+
+func main() {
+	l, err := net.Listen("tcp", ":8080")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer l.Close()
+	err = http.Serve(l, nil)
+	log.Fatal(err)
+}`,
+			}, 1, gosec.NewConfig(),
+		},
+		{
+			[]string{
+				`
+package main
+
+import (
+	"log"
+	"net"
+	"net/http"
+)
+
+func main() {
+	l, err := net.Listen("tcp", ":8443")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer l.Close()
+	err = http.ServeTLS(l, nil, "cert.pem", "key.pem")
+	log.Fatal(err)
+}`,
+			}, 1, gosec.NewConfig(),
+		},
+	}
+
 	// SampleCodeG201 - SQL injection via format string
 	SampleCodeG201 = []CodeSample{
 		{[]string{`