Add 2 unmarshal tag Semgrep rules

Vasco-jofra · Vasco-jofra · commit a04bcfd50ecf · 2025-04-21T10:19:32.000+02:00
diff --git a/go/unmarshal_tag_is_dash.go b/go/unmarshal_tag_is_dash.go
@@ -0,0 +1,21 @@
+package main
+
+type TestStruct1 struct {
+	// ok: unmarshal-tag-is-dash
+	A string `json:"id"`
+}
+
+type TestStruct2 struct {
+	// ruleid: unmarshal-tag-is-dash
+	B string `json:"-,omitempty"`
+}
+
+type TestStruct3 struct {
+	// ruleid: unmarshal-tag-is-dash
+	C string `json:"-,123"`
+}
+
+type TestStruct4 struct {
+	// ruleid: unmarshal-tag-is-dash
+	D string `json:"-,"`
+}
diff --git a/go/unmarshal_tag_is_dash.yml b/go/unmarshal_tag_is_dash.yml
@@ -0,0 +1,26 @@
+rules:
+  - id: unmarshal-tag-is-dash
+    message: >-
+      Struct field can be decoded with the `-` key because the JSON tag starts with a `-` but is followed by a comma.
+    languages: [go]
+    severity: WARNING
+    metadata:
+      cwe: "CWE-172: Encoding Error"
+      category: security
+      subcategory: [vuln]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+    patterns:
+      - pattern: |
+          type $T1 struct {
+            ...
+            $X $T2 `$TAG`
+            ...
+          }
+      - focus-metavariable: $TAG
+      - metavariable-regex:
+          metavariable: $TAG
+          regex: >-
+            .*(json|yaml|xml):"-,[^"]*"
+
diff --git a/go/unmarshal_tag_is_omitempty.go b/go/unmarshal_tag_is_omitempty.go
@@ -0,0 +1,20 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+type SomeStruct struct {
+	// ruleid: unmarshal-tag-is-omitempty
+	SomeField string `json:"omitempty"`
+	// ok: unmarshal-tag-is-omitempty
+	SomeField_2 string `json:",omitempty"`
+}
+
+func test_omitempty() {
+	u := SomeStruct{}
+	_ = json.Unmarshal([]byte(`{"omitempty": "123", "SomeField_2": "456"}`), &u)
+	fmt.Printf("Result: %#v\n", u)
+	// Result: main.SomeStruct{SomeField:"123"}
+}
diff --git a/go/unmarshal_tag_is_omitempty.yml b/go/unmarshal_tag_is_omitempty.yml
@@ -0,0 +1,25 @@
+rules:
+  - id: unmarshal-tag-is-omitempty
+    message: >-
+      Struct field can be unmarshaled with the `omitempty` key. The developer likely wanted to write ",omitempty" instead.
+    languages: [go]
+    severity: WARNING
+    metadata:
+      cwe: "CWE-172: Encoding Error"
+      category: security
+      subcategory: [vuln]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: LOW
+    patterns:
+      - pattern: |
+          type $T1 struct {
+            ...
+            $X $T2 `$TAG`
+            ...
+          }
+      - focus-metavariable: $TAG
+      - metavariable-regex:
+          metavariable: $TAG
+          regex: >-
+            .*(json|yaml|xml):"omitempty
