Go Mysql Empty Password In Dsn
Description
This detector identifies Go applications using empty passwords in MySQL database connection strings. Empty passwords create a significant security vulnerability as they allow unauthorized access to the database without authentication, potentially exposing sensitive data and allowing malicious operations.
Detection Strategy
• The detector only analyzes Go source files that are not test files
• The code must import both the database/sql package and a MySQL driver package
• The detector looks for calls to the sql.Open() function (or aliased equivalent)
• It examines the second argument (index 1) of sql.Open() which contains the database connection string
• The connection string is analyzed to determine if it contains an empty password field in the MySQL DSN format
• A vulnerability is reported when sql.Open() is called with a connection string that has an empty password
Vulnerable code example
package main
import (
"database/sql"
"github.com/go-sql-driver/mysql"
_ "github.com/go-sql-driver/mysql"
)
...✅ Secure code example
package main
import (
"database/sql"
"os"
"github.com/go-sql-driver/mysql"
_ "github.com/go-sql-driver/mysql"
)...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.