Skip to content

A Go source code linter that can be used to find dangerous global variables usages from the Go standard library.

License

Notifications You must be signed in to change notification settings

katsadim/nostdglobals

Repository files navigation

nostdglobals

nostdglobals is a simple Go linter that checks for usages of global variables defined in the go standard library

Install

go >= 1.16

go install github.com/katsadim/nostdglobals

Usage

To lint all the packages in a program:

> nostdglobals ./...

std stands for standard library

After having a look at Seth Vargo's excellent blog post, I figured that it was about time to take matters into my own hands and create this tool. Here is an excerpt from the post:

As just one example, both http.DefaultClient and http.DefaultTransport are global variables with shared state. http.DefaultClient has no configured timeout, which makes it trivial to DOS your own service and create bottlenecks. Many packages mutate http.DefaultClient and http.DefaultTransport, which can waste days of developer resources tracking down bugs.

...

I also worry about this class of issues from a software supply chain standpoint. If I can develop a useful package that secretly modifies the http.DefaultTransport to use a custom RoundTripper that funnels all your traffic through my servers, that would make for a very bad time.

Support

For now this linter only reports http.DefaultClient and http.DefaultTransport. More to come soon!

Scan popular projects

Kubernetes

katsadim > ~/go/bin/nostdglobals ./...
~/dev/kubernetes/staging/src/k8s.io/client-go/transport/cache.go:87:10: should not make use of 'http.DefaultTransport'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/request.go:680:12: should not make use of 'http.DefaultClient'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/request.go:816:12: should not make use of 'http.DefaultClient'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/request.go:946:12: should not make use of 'http.DefaultClient'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/transport.go:38:18: should not make use of 'http.DefaultTransport'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/transport.go:44:16: should not make use of 'http.DefaultClient'

google-api-go-client

katsadim > ~/go/bin/nostdglobals ./...     
~/dev/google-api-go-client/internal/gensupport/send.go:35:12: should not make use of 'http.DefaultClient'
~/dev/google-api-go-client/internal/gensupport/send.go:69:12: should not make use of 'http.DefaultClient'
~/dev/google-api-go-client/googleapi/transport/apikey.go:34:8: should not make use of 'http.DefaultTransport'
~/dev/google-api-go-client/transport/http/dial.go:166:27: should not make use of 'http.DefaultTransport'
~/dev/google-api-go-client/examples/main.go:72:29: should not make use of 'http.DefaultTransport'
~/dev/google-api-go-client/google-api-go-generator/gen.go:363:14: should not make use of 'http.DefaultClient'
~/dev/google-api-go-client/idtoken/idtoken.go:57:41: should not make use of 'http.DefaultTransport'
~/dev/google-api-go-client/idtoken/validate.go:33:57: should not make use of 'http.DefaultClient'

aws-sdk-go

Disclaimer: this behaviour is documented

katsadim > ~/go/bin/nostdglobals ./...  
~/dev/aws-sdk-go/aws/corehandlers/handlers.go:126:15: should not make use of 'http.DefaultTransport'
~/dev/aws-sdk-go/aws/defaults/defaults.go:59:18: should not make use of 'http.DefaultClient'
~/dev/aws-sdk-go/example/aws/request/httptrace/config.go:45:11: should not make use of 'http.DefaultTransport'

istio

katsadim > ~/go/bin/nostdglobals ./...  
~/dev/istio/pkg/kube/client.go:729:15: should not make use of 'http.DefaultClient'
~/dev/istio/pilot/cmd/pilot-agent/status/server.go:591:15: should not make use of 'http.DefaultClient'

Future work

  • Lint Vendor directory
  • Add more sketchy global variables
  • Introduce configuration support which could contain globals to report

About

A Go source code linter that can be used to find dangerous global variables usages from the Go standard library.

Resources

License

Stars

Watchers

Forks

Packages

No packages published