Go Gorm Sql Injection
Description
Detects potential SQL injection vulnerabilities when using GORM (a Go ORM library) where user-controlled input can be passed directly into raw SQL queries. This vulnerability could allow an attacker to modify or inject malicious SQL commands, potentially leading to unauthorized data access or manipulation of the database.
Detection Strategy
• Check if the GORM library (gorm.io/gorm) is imported in the source code
• Identify function calls that use dangerous GORM methods like Raw(), Exec(), or other methods that accept raw SQL
• Analyze the arguments passed to these dangerous methods to check if they contain user-controlled or untrusted input
• Report a vulnerability if untrusted input flows into these dangerous GORM methods without proper sanitization
Vulnerable code example
package main
import (
"net/http"
"gorm.io/gorm"
)
func handleUser(w http.ResponseWriter, r *http.Request, db *gorm.DB) {...✅ Secure code example
package main
import (
"net/http"
"gorm.io/gorm"
"strings"
)
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.