G120 - unbounded form parsing in separate function #1600
Description
I just made an interesting discovery and not sure if this is a bug or intention, but if you extract form parsing from handler to a separate function G120 does not trigger
package main
import (
"net/http"
)
func fooHandler(w http.ResponseWriter, r *http.Request) {
_, err := formParser(r)
if err != nil {
println("form error")
}
_, _ = w.Write([]byte("foo"))
}
func formParser(r *http.Request) (string, error) {
if err := r.ParseForm(); err != nil {
println("form parse error")
return "", err
}
return r.FormValue("varName"), nil
}
func main() {
mux := http.NewServeMux()
mux.Handle("POST /foo", http.HandlerFunc(fooHandler))
println("listening on :3000...")
err := http.ListenAndServe(":3000", mux) //#nosec G114
_ = err
}
Summary:
Gosec : v2.24.7-16-gb7b2c7b
Files : 1
Lines : 31
Nosec : 1
Issues : 0