Go

Made by DeepSource

Function call made to an unsafe package GSC-G103

Security
Minor
cwe-242

Package unsafe contains operations that step around the type safety of Go programs and may be non-portable. Also note that the unsafe package is not covered by the Go 1 compatibility guidelines.

Using the unsafe package in Go gives you low-level memory management and many of the C language's strengths, but it also gives an attacker more room to work with in your application. Pointer arithmetic is one example: misused through the unsafe package, it can lead to data leaks, memory corruption, or even execution of the attacker's script. Also, remember that the Go 1 compatibility guidelines do not protect the "unsafe" package.

Bad practice

package main

import (
    "fmt"
    "unsafe"
)

type Fake struct{}

func (Fake) Good() {}

func main() {
    unsafeM := Fake{}
    unsafeM.Good()
    intArray := [...]int{1, 2}
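    fmt.Printf("\nintArray: %v\n", intArray)
    intPtr := &intArray[0]
    fmt.Printf("\nintPtr=%p, *intPtr=%d.\n", intPtr, *intPtr)
    // Pointer arithmetic through uintptr: advance the address by one element size.
    addressHolder := uintptr(unsafe.Pointer(intPtr)) + unsafe.Sizeof(intArray[0])
    // Converting the stored uintptr back to a pointer bypasses Go's type and bounds checks.
    intPtr = (*int)(unsafe.Pointer(addressHolder))
    fmt.Printf("\nintPtr=%p, *intPtr=%d.\n\n", intPtr, *intPtr)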
}

References