// Use when auditing Go code involving OS command execution, SQL queries, template rendering, or child command invocation. Covers CWE-78/89/77/94/88. Keywords: command injection, SQL injection, exec.Command, os/exec, database/sql, text/template, html/template, argument injection, shell injection, Gogs, Grafana, MCP stdio
Use when building or updating vulnerability pattern Skills from multiple sources: GitHub Security Advisories (GHSA), HackerOne Hacktivity, or NVD. Triggers on keywords: GHSA, CVE, vulnerability skill, vuln pattern, update skills, security advisory, HackerOne, H1, hacktivity, pentest skill, bug bounty, check for updates.
Use when building or updating vulnerability pattern Skills from multiple sources: GitHub Security Advisories (GHSA), HackerOne Hacktivity, or NVD. Triggers on keywords: GHSA, CVE, vulnerability skill, vuln pattern, update skills, security advisory, HackerOne, H1, hacktivity, pentest skill, bug bounty, check for updates.
Use when auditing Go code involving authentication flows, RBAC policies, Kubernetes admission webhooks, JWT/OAuth token validation, or privilege escalation in cloud-native infrastructure. Covers CWE-287/863/269/284/285/862. Keywords: authentication bypass, authorization bypass, RBAC, admission webhook, JWT, OAuth, privilege escalation, Rancher, Kyverno, impersonation, namespace isolation, middleware auth
Use when auditing Go code involving TLS configuration, certificate validation, JWT token parsing, SAML assertion verification, webhook signature checking, or cryptographic operations. Covers CWE-295/347/345. Keywords: InsecureSkipVerify, TLS, mTLS, certificate validation, JWT algorithm, SAML signature, cosign, sigstore, hmac.Equal, X.509, webhook HMAC
Use when auditing Go code involving goroutine management, channel operations, HTTP request handling, resource allocation, or panic recovery. Covers CWE-400/770/476. Keywords: denial of service, goroutine leak, channel deadlock, panic recover, io.ReadAll, resource exhaustion, OOM, HTTP/2 abuse, protobuf, unbounded allocation, rate limiting
Use when auditing Go code involving logging, error handling, HTTP response data, Kubernetes Secret management, or credential storage. Covers CWE-200/532/522/312/552. Keywords: information disclosure, credential leak, log exposure, Kubernetes Secret, json tag, struct formatting, error message, stack trace, Rancher, Argo CD, sensitive data
| name | go-vuln-injection |
| description | Use when auditing Go code involving OS command execution, SQL queries, template rendering, or child command invocation. Covers CWE-78/89/77/94/88. Keywords: command injection, SQL injection, exec.Command, os/exec, database/sql, text/template, html/template, argument injection, shell injection, Gogs, Grafana, MCP stdio |
当审计 Go 代码中涉及命令执行、SQL 查询、模板渲染、外部进程调用时加载此 Skill。
Sources(攻击入口):
Sinks(危险操作):
exec.Command("sh", "-c", userInput) -- OS 命令注入exec.Command("bash", "-c", userInput) -- 同上exec.Command(binary, "--flag=" + userInput) -- 参数注入 (CWE-88)exec.CommandContext(ctx, "git", "--upload-pack=evil", ...) -- Git argument injectiondb.Query("SELECT * FROM t WHERE id=" + userInput) -- SQL 注入db.Exec(fmt.Sprintf("INSERT INTO t VALUES ('%s')", userInput)) -- SQL 注入template.New("").Parse(userInput) (text/template) -- 模板注入template.HTML(userInput) -- XSS(绕过 html/template 自动转义)Sanitization(安全屏障):
exec.Command(binary, arg1, arg2) -- 不经过 shell,每个参数独立传递db.Query(sql, args...) / db.Exec(sql, args...) -- 参数化查询html/template(非 text/template)-- 自动 HTML 转义shellescape / shlex 包 -- shell 参数转义检测路径:
# OS 命令执行
grep -rn "exec.Command\|exec.CommandContext\|os.StartProcess" --include="*.go"
# Shell 调用
grep -rn '"sh".*"-c"\|"bash".*"-c"\|"cmd".*"/c"' --include="*.go"
# SQL 拼接
grep -rn 'fmt.Sprintf.*SELECT\|fmt.Sprintf.*INSERT\|fmt.Sprintf.*UPDATE\|fmt.Sprintf.*DELETE' --include="*.go"
grep -rn 'Sprintf.*WHERE\|"+.*WHERE\|`.*%s.*FROM' --include="*.go"
# 模板注入
grep -rn "text/template\|template.New\|template.Must" --include="*.go"
# 参数化查询(安全模式)
grep -rn "db.Query.*,\|db.Exec.*,\|db.QueryRow.*," --include="*.go"
# Argument injection — Git
grep -rn '"git".*"--upload-pack\|"git".*"--exec-path\|"git".*"--config"' --include="*.go"
exec.Command 是否通过 shell(sh -c)执行?直接传参不经过 shell 通常安全? 占位符)?fmt.Sprintf 拼接 SQL 是危险信号html/template(安全)而非 text/template(不安全)?--upload-pack、--config 等可执行的参数?exec.Command Shell 调用审计 (CWE-78):是否使用 exec.Command("sh", "-c", input) 或 exec.Command("bash", "-c", input) 执行用户输入?Go 中 exec.Command 默认不经过 shell,但显式调用 shell 时存在注入风险。exec.Command("git", userArgs...) 是否允许用户注入 --upload-pack、--exec-path、--config=core.sshCommand=evil 等可执行参数?Gogs 的 SSH argument injection 是经典案例。fmt.Sprintf 或字符串连接构造 SQL?应使用 db.Query(sql, args...) 的参数化形式。特别注意 ORDER BY、LIMIT 等不能用参数化的子句。text/template 用于 HTML 审计 (CWE-94):是否误用 text/template 生成 HTML 输出?应使用 html/template 以获得自动转义。检查 import 路径。{{ 语法是否能执行任意 Go 模板函数?Flux helm-controller 曾因此导致 RCE。command 字段是否经过验证?WeKnora 的 MCP stdio test 功能曾允许注入任意命令。os.StartProcess 参数审计 (CWE-78):低层级的 os.StartProcess 调用是否正确隔离了参数?参数数组中是否有用户控制的元素?以下模式不是此类漏洞:
exec.Command("git", "--version") -- 无用户输入的硬编码命令exec.Command(binary, fixedArgs...) -- 参数完全硬编码,无用户输入db.Query("SELECT * FROM t WHERE id = ?", userID) -- 参数化查询是安全的html/template 渲染用户输入 -- 自动转义会处理 XSS(除非使用 template.HTML() 类型转换)fmt.Sprintf 用于日志而非 SQL -- 拼接字符串用于 log 而非数据库查询以下模式需要深入检查:
exec.Command("git", userProvidedRepoURL) -- URL 中可能包含 --upload-pack 参数db.Exec("CREATE TABLE " + tableName) -- DDL 语句中标识符不能用 ? 参数化text/template 用于非 HTML 输出 -- 如生成 YAML/JSON,可能导致结构注入strings.Replace(input, "'", "''", -1) -- 手工 SQL 转义极易遗漏边缘情况详见 references/cases.md(7 个真实案例,需要时加载)。