Usage of vulnerable 'unsafe' package

  • Rule ID: go_gosec_unsafe_unsafe
  • Languages: go
  • Source: unsafe.yml

Description

The unsafe package in Go allows for low-level memory management, including direct memory access and pointer manipulation. While unsafe is a powerful library, using it bypasses Go's type safety checks and opens the door to security vulnerabilities and unpredictable behavior in your application.

Remediations

  • Do not use the unsafe package unless it is absolutely necessary. If you must use it, ensure you fully understand the implications and thoroughly test your code.
  • Do ensure buffer boundaries are respected to avoid buffer overflows. This precaution helps prevent unauthorized code execution.
    buffer := make([]byte, 10) // length 10: every index, and every unsafe reinterpretation, must stay within these 10 bytes
  • Do not access memory after it has been freed to avoid use-after-free vulnerabilities, which can lead to unintended code execution or unpredictable system behavior.
    unsafePointer := unsafe.Pointer(&data) // data assumed to be memory obtained from the C allocator (e.g. C.malloc)
    C.free(unsafePointer)                  // ownership returned to C; Go keeps no record that the memory is gone
    // now unsafe to access: any read or write through unsafePointer is a use-after-free
  • Do regularly review and audit your code to prevent memory or information leaks that could compromise security or lead to system failures due to exhausted memory.
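The two hazards the remediations describe, shown as an added example that is not part of the rule or of Bearer's code: a zero-copy string conversion that silently aliases its input, and a bounded reinterpretation whose explicit length and alignment checks keep the view inside the backing buffer. The function names are chosen here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"unsafe"
)

// ErrOutOfBounds is returned when a requested view would extend past buf.
var ErrOutOfBounds = errors.New("view exceeds buffer boundary")

// BytesToStringAliased converts without copying: the string shares b's
// memory, so later writes to b change a value the type system treats as
// immutable. This is the "unpredictable behavior" the rule warns about;
// string(b) copies and does not have this problem.
func BytesToStringAliased(b []byte) string {
	return *(*string)(unsafe.Pointer(&b))
}

// Uint32View reinterprets the first n*4 bytes of buf as []uint32 without
// copying. unsafe.Slice trusts whatever length it is given, so the length
// check is what stops callers reading or writing memory beyond buf; the
// alignment check avoids a misaligned *uint32 (rejected under -race/checkptr).
func Uint32View(buf []byte, n int) ([]uint32, error) {
	if n < 0 || n > len(buf)/4 { // division avoids overflow in n*4
		return nil, ErrOutOfBounds
	}
	if n == 0 {
		return []uint32{}, nil
	}
	base := unsafe.Pointer(&buf[0])
	if uintptr(base)%unsafe.Alignof(uint32(0)) != 0 {
		return nil, errors.New("buffer not aligned for uint32 view")
	}
	return unsafe.Slice((*uint32)(base), n), nil
}

func main() {
	buf := []byte("ABCDEFGH") // constructed sample input
	s := BytesToStringAliased(buf)
	buf[0] = 'Z'
	fmt.Printf("aliased string changed underneath us: %q\n", s) // "ZBCDEFGH"
	view, err := Uint32View(buf, 2)
	fmt.Println(len(view), err) // 2 <nil>
	_, err = Uint32View(buf, 3) // would need 12 bytes, only 8 exist
	fmt.Println(err)            // view exceeds buffer boundary
}
```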

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_unsafe_unsafe

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_unsafe_unsafe