Docs/defensive-coding-guide
2
0
Fork 0
Code Issues 3 Pull requests 1 Projects Releases Packages Wiki Activity Actions

Merge #24 Update modules/ROOT/pages/programming-languages/Go.adoc

Browse source
This commit is contained in:
Huzaifa Sidhpurwala 2022-02-11 11:55:36 +00:00
commit c53e5b1f71
1 changed files with 13 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

26
modules/ROOT/pages/programming-languages/Go.adoc
View file

@ -137,12 +137,12 @@ There are also third-party libraries you can use when developing web apps in Go.
[source, go]
----
```golang
name := r.FormValue("name")
template := template.Must(template.ParseGlob("xss.html"))
data["Name"] = name
err := template.ExecuteTemplate(w, name, data)
```
----
=== 4. Protect yourself from SQL injections
@ -151,10 +151,10 @@ But, the most critical piece of code youd need to include is the use of param
[source, go]
----
```golang
customerName := r.URL.Query().Get("name")
db.Exec("UPDATE creditcards SET name=? WHERE customerId=?", customerName, 233, 90)
```
----
If using the db.Query() function instead, ensure you sanitize the users input first, as above.
@ -167,18 +167,18 @@ To secure in-transit connection in the system isnt only about the app listeni
[source, go]
----
```golang
w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
```
----
You might also want to specify the server name in the TLS configuration, like this:
[source, go]
----
```golang
config := &tls.Config{ServerName: "yourSiteOrServiceName"}
```
----
Of Note: Its always a good practice to implement in-transit encryption even if your application is only for internal communication. Imagine if, for some reason, an attacker could sniff your internal traffic. Whenever you can, its always best to raise the difficulty bar for possible future attackers.
@ -202,18 +202,18 @@ Here are some problems with using Cgo in your application:
Go doesnt have exceptions. This means that youd need to handle errors differently than with other languages. The standard looks like this:
[source, go]
----
```golang
if err != nil {
// handle the error
}
```
----
Also, Go offers a native library to work with logs. The most simple code is like this:
[source, go]
----
```golang
package main
import (
@ -223,7 +223,7 @@ import (
func main() {
log.Print("Logging in Go!")
}
```
----
@ -241,7 +241,7 @@ Finally, make sure you apply all the previous rules like encryption and sanitiza
==== Further Reading
* https://github.com/Binject/awesome-go-securityhttps://github.com/Binject/awesome-go-security
* https://github.com/Binject/awesome-go-security
* https://owasp.org/www-pdf-archive/Owasp-171123063052.pdf
* https://github.com/securego/gosec
* https://tutorialedge.net/golang/secure-coding-in-go-input-validation/