# stdlib (Go) Security Rules

11 detection rules for stdlib framework in Go

- Total rules: 11
- CWE coverage: 11

## CRITICAL (2)

- **SQL Injection via Database Queries**: Detects user input flowing to SQL queries without parameterization.
- **Credential Exfiltration via User-Controlled Endpoint**: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests
to user-controlled endpoints. This allows attackers to exfiltrate server credentials
by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:
```go
// User controls 'endpoint' from request
endpoint := r.FormValue("webhook_url")

// Server sends its internal API key to attacker-controlled URL
req, _ := http.NewRequest("POST", endpoint, nil)
req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
client.Do(req)
```

This is different from standard SSRF (which accesses internal resources) - here the attacker
exfiltrates server credentials to their own controlled endpoint.

## HIGH (5)

- **Environment Variable Secret Exposure**: Environment variables containing secrets flow to logs or HTTP responses.
- **NoSQL Injection**: Detects user input flowing to MongoDB or Redis queries without proper validation.
- **Path Traversal via File Operations**: User input flows to file operations like os.Open without path validation.
- **Server-Side Request Forgery (SSRF)**: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.
- **Use of Weak Cryptographic Algorithm**: Uses MD5, SHA1, DES, or RC4 which are cryptographically broken.

## MEDIUM (4)

- **Database Error Information Exposure in HTTP Response**: Internal error messages or stack traces exposed to users in HTTP responses.
- **Integer Overflow via Unchecked Arithmetic**: User-controlled integer used in arithmetic or allocation without bounds checking.
- **Log Injection / Log Forging**: Detects unsanitized user input flowing into log statements, enabling log forging attacks.
- **Unicode Normalization Security Issues**: Security-sensitive string comparison without Unicode normalization.