From b3795f9f72f76d5082d1644ea8a3e2bf5fd65a8c Mon Sep 17 00:00:00 2001
From: Judy Kelly
Date: Fri, 11 Feb 2022 11:40:24 +0000
Subject: [PATCH 1/2] Update modules/ROOT/pages/programming-languages/Go.adoc rfc/remove markdown from code block
---
 .../ROOT/pages/programming-languages/Go.adoc | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/modules/ROOT/pages/programming-languages/Go.adoc b/modules/ROOT/pages/programming-languages/Go.adoc
index 61106b9..114a4d9 100644
--- a/modules/ROOT/pages/programming-languages/Go.adoc
+++ b/modules/ROOT/pages/programming-languages/Go.adoc
@@ -137,12 +137,12 @@ There are also third-party libraries you can use when developing web apps in Go.
 [source, go]
 ----
-```golang
+
 name := r.FormValue("name")
 template := template.Must(template.ParseGlob("xss.html"))
 data["Name"] = name
 err := template.ExecuteTemplate(w, name, data)
-```
+
 ----
 === 4. Protect yourself from SQL injections
@@ -151,10 +151,10 @@ But, the most critical piece of code you’d need to include is the use of param
 [source, go]
 ----
-```golang
+
 customerName := r.URL.Query().Get("name")
 db.Exec("UPDATE creditcards SET name=? WHERE customerId=?", customerName, 233, 90)
-```
+
 ----
 If using the db.Query() function instead, ensure you sanitize the user’s input first, as above.
@@ -167,18 +167,18 @@ To secure in-transit connection in the system isn’t only about the app listeni
 [source, go]
 ----
-```golang
+
 w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
-```
+
 ----
 You might also want to specify the server name in the TLS configuration, like this:
 [source, go]
 ----
-```golang
+
 config := &tls.Config{ServerName: "yourSiteOrServiceName"}
-```
+
 ----
 Of Note: It’s always a good practice to implement in-transit encryption even if your application is only for internal communication. Imagine if, for some reason, an attacker could sniff your internal traffic. Whenever you can, it’s always best to raise the difficulty bar for possible future attackers.
@@ -202,18 +202,18 @@ Here are some problems with using Cgo in your application:
 Go doesn’t have exceptions. This means that you’d need to handle errors differently than with other languages. The standard looks like this:
 [source, go]
 ----
-```golang
+
 if err != nil {
 // handle the error
 }
-```
+
 ----
 Also, Go offers a native library to work with logs. The most simple code is like this:
 [source, go]
 ----
-```golang
+
 package main
 import (
@@ -223,7 +223,7 @@ import (
 func main() {
 log.Print("Logging in Go!")
 }
-```
+
 ----
From 6ec3941773f0fb30f4c5967177ba6912d323bc9a Mon Sep 17 00:00:00 2001
From: Judy Kelly
Date: Fri, 11 Feb 2022 11:48:25 +0000
Subject: [PATCH 2/2] Update modules/ROOT/pages/programming-languages/Go.adoc fix link
---
 modules/ROOT/pages/programming-languages/Go.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/ROOT/pages/programming-languages/Go.adoc b/modules/ROOT/pages/programming-languages/Go.adoc
index 114a4d9..962b4d6 100644
--- a/modules/ROOT/pages/programming-languages/Go.adoc
+++ b/modules/ROOT/pages/programming-languages/Go.adoc
@@ -241,7 +241,7 @@ Finally, make sure you apply all the previous rules like encryption and sanitiza
 ==== Further Reading
-* https://github.com/Binject/awesome-go-securityhttps://github.com/Binject/awesome-go-security
+* https://github.com/Binject/awesome-go-security
 * https://owasp.org/www-pdf-archive/Owasp-171123063052.pdf
 * https://github.com/securego/gosec
 * https://tutorialedge.net/golang/secure-coding-in-go-input-validation/