x/tools/go/analysis/structtag: stricter JSON tag checking · golang/go#74376

(6 评论) (11 反应) (0 负责人)Go (133,883 star) (19,008 fork)batch import

AnalysisProposalProposal-Acceptedhelp wanted

描述

Background: This recent article https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/ describes (among other things) a number of security weaknesses in Go's encoding/json package. Some of these could be mitigated by better static checking of struct field tags; indeed, the author of the post links to two semgrep rules that enforce these checks. Specifically:

semgrep -c r/trailofbits.go.unmarshal-tag-is-dash
semgrep -c r/trailofbits.go.unmarshal-tag-is-omitempty

Proposal: Let's add these two checks to the structtag analyzer so that users get immediate feedback in their LSP-enabled editor, and whenever they run go vet.

贡献者指南

技术栈: go
领域: securitytooling
议题类型: feature
难度: 3
预计时间: half day
活动状态: fresh
清晰度: clear
前置要求: Gogo/analysisstruct tagsencoding/json
新手友好度: 60
研究方向: Start by reading the referenced Trail of Bits blog post and the two semgrep rules to understand the desired checks. Then examine the existing structtag analyzer in golang.org/x/tools/go/analysis/passes/structtag to see its structure and how it reports issues. The implementation should add two new checks that detect JSON tags set to ' ' in Unmarshal contexts and missing 'omitempty' on fields that could cause security issues. Check the issue comments for any maintainer guidance.