GoEncodingJSON

encoding/json package. Unmarshal and Decoder.Decode() are sources of tainted data from JSON input. Marshal() propagates taint to output.

1 source

Taint flow1 source → 0 sinks

Sources — untrusted input

.Unmarshal()Decodes JSON into v

Sources

— user-controlled input enters here

.Unmarshal()Source

Signature

Unmarshal(data []byte, v any) error

Decodes JSON into v. v becomes tainted when data comes from user input.

tracks:1

.Marshal()Neutral

Signature

Marshal(v any) ([]byte, error)

Encodes v to JSON. Propagates taint from v to output bytes.

FQN	Field
encoding/json	fqns[0]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

go.mod

// standard library — no go.mod entry required

rule.py

from codepathfinder.go_rule import GoEncodingJSON