Go Sql Plaintext Storage Of Password

Description

This detector identifies Go applications that store passwords in plaintext within SQL databases. It looks for SQL write operations (INSERT, UPDATE) where password-related arguments are passed directly without encryption or hashing, creating a security risk where sensitive credentials could be exposed if the database is compromised.

Weakness:

020 - Non-encrypted confidential information

Category: Information Collection

Detection Strategy

    The code must import the 'database/sql' Go library

    Must contain function calls ending with SQL-related method names like 'Exec', 'ExecContext', 'Query', or 'QueryContext'

    The SQL statement must be a write operation (contains INSERT, UPDATE, or similar SQL commands)

    At least one function argument after the SQL query must be identified as password-related (contains keywords like 'password', 'passwd', 'pwd', etc.)

    The password argument is passed directly to the SQL function without apparent encryption or hashing
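The following stand-alone Go program is an added illustration of this strategy, not the detector's own implementation and not code from the original page. Using only go/ast and go/parser, it applies the call-name, write-statement, password-keyword and passed-directly conditions: a password-named bare identifier that follows an INSERT/UPDATE string literal in an Exec/Query-style call is reported, while a value wrapped in a call such as a hashing function is not. The database/sql import condition is left to the caller, and the keyword lists are assumptions taken from the text above.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
)

var sqlMethods = map[string]bool{"Exec": true, "ExecContext": true, "Query": true, "QueryContext": true}
var pwdRe = regexp.MustCompile(`(?i)password|passwd|pwd`)
var writeRe = regexp.MustCompile(`(?i)\b(insert|update)\b`)

// isWriteQuery reports whether an argument is a string literal containing INSERT or UPDATE.
func isWriteQuery(e ast.Expr) bool {
	lit, ok := e.(*ast.BasicLit)
	return ok && lit.Kind == token.STRING && writeRe.MatchString(lit.Value)
}

// ScanSource returns the names of password-named arguments that a database/sql
// Exec/Query-style call passes directly (as a bare identifier) after an INSERT or
// UPDATE statement. A wrapped value such as hash(password) is a CallExpr, not an
// identifier, so it is not reported; that is the strategy's "passed directly" test.
func ScanSource(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []string
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		if sel, ok := call.Fun.(*ast.SelectorExpr); !ok || !sqlMethods[sel.Sel.Name] {
			return true
		}
		seenWrite := false // set at the INSERT/UPDATE literal, so a leading ctx argument is skipped
		for _, a := range call.Args {
			if id, ok := a.(*ast.Ident); ok && seenWrite && pwdRe.MatchString(id.Name) {
				out = append(out, id.Name)
			}
			seenWrite = seenWrite || isWriteQuery(a)
		}
		return true
	})
	return out, nil
}
```

Running ScanSource over a handler that calls db.ExecContext(ctx, "INSERT ...", user, password) reports "password"; the same handler passing derive(password) instead reports nothing, as does a SELECT that uses the password only as a lookup parameter.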

Vulnerable code example

package main

import (
	"database/sql"
	"net/http"
)

func storePassword(db *sql.DB, r *http.Request) {...

✅ Secure code example

package main

import (
	"database/sql"
	"net/http"
	"os"

	"golang.org/x/crypto/bcrypt"...