Incomplete URL scheme check

ID: go/incomplete-url-scheme-check
Kind: problem
Severity: warning
Precision: high
Tags:
- security
- correctness
- external/cwe/cwe-020
Query suites:
- go-code-scanning.qls
- go-security-extended.qls
- go-security-and-quality.qls
URLs with the special scheme javascript can be used to represent executable code; for example, javascript:alert(1) represents a URL that, when navigated to, pops up an alert dialog. The data and vbscript schemes can be used to represent executable code in a very similar way, so any validation logic that checks against javascript, but not data and vbscript, is likely to be insufficient.

Add checks covering both data: and vbscript:.
The following function validates a (presumably untrusted) URL urlstr. If its scheme is javascript, the harmless placeholder URL about:blank is returned to prevent code injection; otherwise urlstr itself is returned.

While this check provides partial protection, it should be extended to cover data and vbscript as well.
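The incomplete check next to its extended form, as an added Go example rather than the query help's own code (the function names sanitizeURLIncomplete and sanitizeURL, and the sample inputs, are assumed):

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sanitizeURLIncomplete is the pattern the query flags: only the javascript
// scheme is rejected, so data: and vbscript: URLs pass straight through.
func sanitizeURLIncomplete(urlstr string) string {
	u, err := url.Parse(urlstr)
	if err != nil {
		return "about:blank" // unparseable input is treated as unsafe
	}
	// url.Parse already lower-cases the scheme; ToLower is kept for parsers that do not.
	if strings.ToLower(u.Scheme) == "javascript" {
		return "about:blank"
	}
	return urlstr
}

// sanitizeURL extends the check to all three executable schemes.
func sanitizeURL(urlstr string) string {
	u, err := url.Parse(urlstr)
	if err != nil {
		return "about:blank"
	}
	switch strings.ToLower(u.Scheme) {
	case "javascript", "data", "vbscript":
		return "about:blank"
	}
	return urlstr
}

func main() {
	// Constructed sample inputs, including a mixed-case scheme.
	for _, in := range []string{
		"https://example.com/",
		"javascript:void(0)",
		"data:text/html,<p>hi</p>",
		"VBScript:MsgBox(\"hi\")",
	} {
		fmt.Printf("%-28q incomplete=%-28q complete=%q\n",
			in, sanitizeURLIncomplete(in), sanitizeURL(in))
	}
}
```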