Adding check for httpoxy

Go code running under CGI is vulnerable to httpoxy attack. See https://httpoxy.org/ this checks for an import of net/http/cgi that might indicate code may be run under CGI. closes #1
2025-11-27 22:28:20 +02:00 · 2016-07-21 10:40:22 +01:00
parent 4f3d620d37
commit 361593394e
3 changed files with 88 additions and 0 deletions
--- a/rules/httpoxy_test.go
+++ b/rules/httpoxy_test.go
@@ -0,0 +1,37 @@
+// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+	"testing"
+
+	gas "github.com/HewlettPackard/gas/core"
+)
+
+func TestHttpoxy(t *testing.T) {
+	analyzer := gas.NewAnalyzer(false, nil)
+	analyzer.AddRule(NewHttpoxyTest())
+
+	issues := gasTestRunner(`
+		package main
+	        import (
+                	"log"
+                	"net/http/cgi"
+        	)
+		func main() {
+		}`, analyzer)
+
+	checkTestResults(t, issues, 1, "Go code running under CGI is vulnerable to Httpoxy attack.")
+}