sdk/golang/HTTP Clients/GoRestyClient

GoRestyClient

Represents resty.Client and resty.Request from go-resty/resty v2. SetURL, Execute, Get, Post etc. are SSRF sinks when the URL comes from user-controlled input.

4 sinks

Taint flow0 sources → 4 sinks

Sinks — dangerous call

.SetURL()Sets the request URL

.Get()Makes GET request to url

.Post()Makes POST request to url

.Execute()Makes HTTP request with given method and url

Sinks

— dangerous functions taint must not reach

.SetURL()Sink

Signature

SetURL(url string) *Request

Sets the request URL. Sink for SSRF when url is user-controlled.

tracks:0

.Get()Sink

Signature

Get(url string) (*Response, error)

Makes GET request to url. Sink for SSRF.

tracks:0

.Post()Sink

Signature

Post(url string) (*Response, error)

Makes POST request to url. Sink for SSRF.

tracks:0

.Execute()Sink

Signature

Execute(method, url string) (*Response, error)

Makes HTTP request with given method and url. Sink for SSRF.

tracks:1

Fully-Qualified Names

FQN	Field
github.com/go-resty/resty/v2.Client	fqns[0]
github.com/go-resty/resty/v2.Request	fqns[1]
*.Client	patterns
*.Request	patterns

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

go.mod

require github.com/go-resty/resty/v2 v2.11.0

rule.py

from codepathfinder.go_rule import GoRestyClient

Rules Using This Class

GO-SSRF-001

← PreviousGoCloudGoogleCom