SQL Injection - go-pg ORM string concatenation #977

elfgoh · 2021-08-11T10:16:24Z

elfgoh
Aug 11, 2021

I have the following line in my code:

found, err := models.Projects(qm.Where("name =?", projectName)).One(ctx, db)

which triggered a security warning

SQL Injection - go-pg ORM string concatenation

I had thought that using ? was sufficient for sanitization but perhaps I am mistaken. May I seek clarity on whether there security warning is valid, and if yes, how should the code be amended?

Answered by aarondl

Aug 12, 2021

It is enough. We don't do string building with those. This seems to be a false positive? Can you look more into what whatever vulnerability scanner you're using is reporting and why it would think this?

View full answer

aarondl · 2021-08-12T03:46:52Z

aarondl
Aug 12, 2021
Maintainer

It is enough. We don't do string building with those. This seems to be a false positive? Can you look more into what whatever vulnerability scanner you're using is reporting and why it would think this?

1 reply

elfgoh Aug 13, 2021
Author

Thanks, it seems like the scanner was unstable. Subsequent scans cleared the original trigger. Will definitely report upstream if it happens again

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL Injection - go-pg ORM string concatenation #977

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

SQL Injection - go-pg ORM string concatenation #977

elfgoh Aug 11, 2021

Replies: 1 comment · 1 reply

aarondl Aug 12, 2021 Maintainer

elfgoh Aug 13, 2021 Author

elfgoh
Aug 11, 2021

Replies: 1 comment 1 reply

aarondl
Aug 12, 2021
Maintainer

elfgoh Aug 13, 2021
Author