by oefrha 1388 days ago
Looks more like a contrived example to me:

  h.db.Exec(fmt.Sprintf("insert into users(name, email, phone_number) values ('%s', '%s', '%s');",
       request.Name, request.Email, request.PhoneNumber))
Any database driver including database/sql will support

  h.db.Exec("insert into users(name, email, phone_number) values (?, ?, ?);",
       request.Name, request.Email, request.PhoneNumber)
which is shorter and more natural. They’re throwing a fmt.Sprintf in there for no reason other than forcing a tired old SQL injection.

Now, shitty HTML templating causing injection with unsanitized user input is a lot more realistic, since the golang templating story isn’t great.

Edit: “templating” -> “HTML templating”.

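An added, self-contained illustration of the two query-building styles in the post above (not code from the thread): the Sprintf version lets the input change the shape of the statement (here a perfectly legitimate name containing an apostrophe is enough), while the parameterized version keeps the SQL text constant. The `Skeleton` check is a constructed, hypothetical structure comparison of the kind a fuzz target could assert on.

```go
package main

import (
	"fmt"
	"strings"
)

// BuildUnsafe concatenates user input into the SQL text (the pattern criticised above).
func BuildUnsafe(name, email, phone string) string {
	return fmt.Sprintf("insert into users(name, email, phone_number) values ('%s', '%s', '%s');",
		name, email, phone)
}

// BuildSafe keeps the SQL text constant and passes the values as driver parameters.
func BuildSafe(name, email, phone string) (string, []interface{}) {
	return "insert into users(name, email, phone_number) values (?, ?, ?);",
		[]interface{}{name, email, phone}
}

// Skeleton drops the contents of single-quoted literals so only the statement's
// structure remains. Two inputs producing different skeletons means the input
// altered the statement itself rather than just a value inside it.
func Skeleton(q string) string {
	var b strings.Builder
	inLit := false
	for _, r := range q {
		switch {
		case r == '\'':
			inLit = !inLit
			b.WriteRune(r)
		case inLit:
			// literal contents are not part of the structure; skip them
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// StructureChanged reports whether substituting candidate for benign as the name
// changes the statement skeleton. Email and phone are constructed fixed values.
func StructureChanged(build func(string, string, string) string, benign, candidate string) bool {
	return Skeleton(build(benign, "a@example.com", "555")) !=
		Skeleton(build(candidate, "a@example.com", "555"))
}

func main() {
	safe := func(n, e, p string) string { q, _ := BuildSafe(n, e, p); return q }
	for _, name := range []string{"Ann", "O'Brien"} {
		fmt.Printf("%-8s unsafe changed=%v safe changed=%v\n", name,
			StructureChanged(BuildUnsafe, "Ann", name), StructureChanged(safe, "Ann", name))
	}
}
```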

It doesn't really matter that it's contrived. It's hard to show the value of something in a large system, because 90% of the blog post will be understanding that large system. So you have to pick something that is immediately obviously wrong, and let the reader make the jump to how this would actually be useful in the context of their own larger system.

Even then, the approach of "just do it right the first time" is fallible. People have varying degrees of experience, and people have brain farts and type the wrong thing instead of the right thing. Your job as the technical lead is to have some sort of process in place to catch these things before they become security disasters. "Sorry, our junior engineer didn't know about prepared statements," is not something you want to tell your customers whose data was exfiltrated. The current industry standard here would be "cross your fingers and hope for the best", and that's why everyone knows your social security number and has opened 6 credit cards in your name. Fuzzing is another layer of sanity checking, on top of static analysis (where I think this issue should be caught), code reviews, and just typing in the correct code in the first place.

At the end of the day, this is just another example of how you could use fuzzing to detect problems that other things missed. That's valuable, as even with 100% code coverage and turning on all the lint checks, software still has bugs. Here's a tool that can help reduce the bug count.

You're right, it's likely that almost nobody is using `fmt.Sprintf` to build SQL queries in production.

Templating and `fmt.Sprintf` are essentially the same thing in this context - `Sprintf` just gets the point across in fewer lines of code, and allows people to come up with realistic scenarios themselves.

I’m talking about HTML templating, not templating SQL statements.