Skip to content

JGC-429 - Bump go 1.25.4 #1483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 10, 2025
Merged

JGC-429 - Bump go 1.25.4 #1483

merged 1 commit into from
Nov 10, 2025

Conversation

@ehl-jf
Copy link
Contributor

@ehl-jf ehl-jf commented Nov 6, 2025
edited
Loading

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • This pull request is on the master branch.
  • I used gofmt for formatting the code before submitting the pull request.

@ehl-jf ehl-jf added the ignore for release Automatically generated release notes label Nov 6, 2025
@ehl-jf ehl-jf enabled auto-merge (squash) November 6, 2025 14:10
@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 11 issues
Scan Category Status Security Issues
Software Composition Analysis ✅ Done Not Found
Contextual Analysis ✅ Done -
Static Application Security Testing (SAST) ✅ Done
11 Issues Found 3 High
5 Medium
3 Low
Secrets ✅ Done -
Infrastructure as Code (IaC) ✅ Done Not Found

@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025 

body

at artifactory/commands/transferfiles/utils_test.go (line 213)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
high
High		 Deserializing untrusted data without validation
Full description

Vulnerability Details
Rule ID: go-unsafe-deserialization

Overview

Unsafe deserialization in Go occurs when a program deserializes untrusted
data with a potentially dangerous deserializer. Deserialization is the
process of converting serialized data (data that has been converted into a
format that can be easily transmitted or stored) back into its original
form. In some ("unsafe") serialization protocols, if an attacker is able
to manipulate the serialized data, they may be able to execute arbitrary
code or perform other malicious actions when the data is deserialized.

Vulnerable example

import (
    "github.com/go-yaml/yaml"
    "net/http"
)

func storeHandler(w http.ResponseWriter, r *http.Request) {
    var data map[string]interface{}
    yaml.Unmarshal([]byte(r.URL.Query().Get("data")), &data) // NOT OK
}

This code uses yaml.Unmarshal to deserialize untrusted data from the
user, with a potentially dangerous deserializer.

Remediation

import (
    "github.com/go-yaml/yaml"
    "net/http"
)

func storeHandler(w http.ResponseWriter, r *http.Request) {
    var data map[string]interface{}
    yaml.UnmarshalStrict([]byte(r.URL.Query().Get("data")), &data) // SAFE
}

Using yaml.UnmarshalStrict solves the problem by ensuring a safe
serialization protocol.

Code Flows
Vulnerable data flow analysis result

↘️ r.Body (at artifactory/commands/transferfiles/utils_test.go line 210)

↘️ io.ReadAll(r.Body) (at artifactory/commands/transferfiles/utils_test.go line 210)

↘️ body (at artifactory/commands/transferfiles/utils_test.go line 210)

↘️ body (at artifactory/commands/transferfiles/utils_test.go line 213)

github-actions[bot]
github-actions bot reviewed Nov 6, 2025
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 465)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
high
High		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 451)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 451)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 465)

github-actions[bot]
github-actions bot reviewed Nov 6, 2025
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 461)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 451)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 451)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 461)

@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 739)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 734)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 734)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 739)

@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 747)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 734)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 734)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 747)

@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025 

snapshotDir

at artifactory/commands/transferfiles/state/statemanager.go (line 480)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ GetJfrogTransferDir() (at utils/coreutils/utils.go line 458)

↘️ transferDir (at utils/coreutils/utils.go line 458)

↘️ transferDir (at utils/coreutils/utils.go line 462)

↘️ filepath.Join(transferDir, JfrogTransferRepositoriesDirName) (at utils/coreutils/utils.go line 462)

↘️ return filepath.Join(transferDir, JfrogTransferRepositoriesDirName), nil (at utils/coreutils/utils.go line 462)

↘️ (string, error) (at utils/coreutils/utils.go line 457)

↘️ coreutils.GetJfrogTransferRepositoriesDir() (at artifactory/commands/transferfiles/state/utils.go line 84)

↘️ reposDir (at artifactory/commands/transferfiles/state/utils.go line 84)

↘️ reposDir (at artifactory/commands/transferfiles/state/utils.go line 93)

↘️ filepath.Join(reposDir, repoHash) (at artifactory/commands/transferfiles/state/utils.go line 93)

↘️ repoDir (at artifactory/commands/transferfiles/state/utils.go line 99)

↘️ return repoDir, nil (at artifactory/commands/transferfiles/state/utils.go line 99)

↘️ (string, error) (at artifactory/commands/transferfiles/state/utils.go line 83)

↘️ GetRepositoryTransferDir(repoKey) (at artifactory/commands/transferfiles/state/utils.go line 111)

↘️ transferDir (at artifactory/commands/transferfiles/state/utils.go line 111)

↘️ transferDir (at artifactory/commands/transferfiles/state/utils.go line 115)

↘️ filepath.Join(transferDir, subDirName) (at artifactory/commands/transferfiles/state/utils.go line 115)

↘️ return filepath.Join(transferDir, subDirName), nil (at artifactory/commands/transferfiles/state/utils.go line 115)

↘️ (string, error) (at artifactory/commands/transferfiles/state/utils.go line 110)

↘️ GetJfrogTransferRepoSubDir(repoKey, coreutils.JfrogTransferSnapshotDirName) (at artifactory/commands/transferfiles/state/statemanager.go line 468)

↘️ (string, error) (at artifactory/commands/transferfiles/state/statemanager.go line 467)

↘️ GetJfrogTransferRepoSnapshotDir(repoKey) (at artifactory/commands/transferfiles/state/statemanager.go line 472)

↘️ snapshotDir (at artifactory/commands/transferfiles/state/statemanager.go line 472)

↘️ snapshotDir (at artifactory/commands/transferfiles/state/statemanager.go line 480)

@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025 

os.Setenv("JENKINS_URL", "http://jenkins.test")

at common/commands/metrics_collector_test.go (line 631)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Detected usage of communication methods lacking encryption.
Full description

Vulnerability Details
Rule ID: go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "https://", // Insecure protocol
        InsecureFtpProtocol:  "ftps://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025 

{"Jenkins", "JENKINS_URL", "http://jenkins.example.com", "jenkins"}

at common/commands/metrics_collector_test.go (line 213)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Detected usage of communication methods lacking encryption.
Full description

Vulnerability Details
Rule ID: go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "https://", // Insecure protocol
        InsecureFtpProtocol:  "ftps://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

@ehl-jf ehl-jf merged commit 576ae49 into master Nov 10, 2025
10 of 11 checks passed
@ehl-jf ehl-jf deleted the bump-go-1-25 branch November 10, 2025 10:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@RemiBou RemiBou RemiBou approved these changes

Assignees

No one assigned

Labels

ignore for release Automatically generated release notes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ehl-jf @RemiBou