
Unsanitized user input false positive for Go SQL calls with context #1831

@leejuyuu

Handling user inputs for SQL queries with sql.DB using placeholders should be safe because the sql package creates prepared statements for us. Bearer CLI incorrectly flags queries with contexts like db.QueryContext(r.Context(), "SELECT * FROM users WHERE id = ?", id) as vulnerable, while db.Query("SELECT * FROM users WHERE id = ?", id) is safe.

Description & Reproduction

Sample code:

package main

import (
	"database/sql"
	"fmt"
	"net/http"
	"os"
)

func main() {
	if err := run(); err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
}

func run() error {
	// ListenAndServe blocks and only returns on failure, so propagate that error.
	err := http.ListenAndServe(":9999", http.HandlerFunc(handler))

	return err
}

func handler(w http.ResponseWriter, r *http.Request) {
	db, err := sql.Open("mysql", "localhost")
	if err != nil {
		return
	}
	defer db.Close()

	id := r.URL.Query().Get("id") // user-controlled input, passed only as a bound parameter below

	rows, err := db.Query("SELECT * FROM users WHERE id = ?", id)
	if err != nil {
		fmt.Println(err)
		return
	}
	rows.Close()

	rows, err = db.QueryContext(r.Context(), "SELECT * FROM users WHERE id = ?", id)
	if err != nil {
		fmt.Println(err)
		return
	}
	rows.Close()

	_, err = db.Exec("UPDATE users SET updated = CURRENT_TIMESTAMP WHERE id = ?", id)
	if err != nil {
		fmt.Println(err)
		return
	}

	_, err = db.ExecContext(r.Context(), "UPDATE users SET updated = CURRENT_TIMESTAMP WHERE id = ?", id)
	if err != nil {
		fmt.Println(err)
		return
	}

}

Expected Behavior

Only http.ListenAndServe should be flagged as vulnerable.

Actual Behavior

Security Report

=====================================

Rules: 
https://docs.bearer.com/reference/rules [v0.48.2]

Language  Default Rules  Custom Rules  Files  
Go        72             0             1      


CRITICAL: Unsanitized user input in SQL query [CWE-89]
https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli
To ignore this finding, run: bearer ignore add e91a83627db670ab2c82fd505bffd7d3_0

File: main.go:40

 40 	rows, err = db.QueryContext(r.Context(), "SELECT * FROM users WHERE id = ?", id)

CRITICAL: Unsanitized user input in SQL query [CWE-89]
https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli
To ignore this finding, run: bearer ignore add e91a83627db670ab2c82fd505bffd7d3_1

File: main.go:53

 53 	_, err = db.ExecContext(r.Context(), "UPDATE users SET updated = CURRENT_TIMESTAMP WHERE id = ?", id)

HIGH: Usage of vulnerable 'serve' function [CWE-400]
https://docs.bearer.com/reference/rules/go_gosec_http_http_serve
To ignore this finding, run: bearer ignore add 8851c695cdf7875b26897a35f7a00645_0

File: main.go:19

 19 	http.ListenAndServe(":9999", http.HandlerFunc(handler))
=====================================

72 checks, 3 findings

CRITICAL: 2 (CWE-89)
HIGH: 1 (CWE-400)
MEDIUM: 0
LOW: 0
WARNING: 0

Possible Fix

Your Environment

go version go1.25.1 X:nodwarf5 linux/amd64

  • Operating System and version: Arch Linux
  • Output of 'bearer version':
bearer version dev, build devSHA
(built from source at 3a762f77)
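As an added example, not from the issue author or the Bearer project: a stub database/sql driver that records what the flagged QueryContext call actually hands to the driver. It shows the placeholder text arriving unchanged with the user-supplied id as a separately bound argument, which is why the context-taking variants are no more injectable than db.Query. The driver name "rec" and all types are constructed for this example.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"io"
)

// What the stub driver last received: the SQL text and the separately bound args.
var gotQuery string
var gotArgs []driver.NamedValue

// Stub driver (constructed for this example) that records the call instead of running
// it. It implements driver.QueryerContext, which database/sql uses for both db.Query
// and db.QueryContext, so the placeholder text and the arguments arrive separately.
type recDriver struct{}
type recConn struct{}
type noRows struct{}

func (recDriver) Open(string) (driver.Conn, error)  { return recConn{}, nil }
func (recConn) Prepare(string) (driver.Stmt, error) { return nil, driver.ErrSkip }
func (recConn) Close() error                        { return nil }
func (recConn) Begin() (driver.Tx, error)           { return nil, driver.ErrSkip }
func (recConn) QueryContext(_ context.Context, q string, a []driver.NamedValue) (driver.Rows, error) {
	gotQuery, gotArgs = q, a
	return noRows{}, nil
}
func (noRows) Columns() []string         { return nil }
func (noRows) Close() error              { return nil }
func (noRows) Next([]driver.Value) error { return io.EOF }

func init() { sql.Register("rec", recDriver{}) }

// observe runs the issue's QueryContext call for one id and returns what the driver saw.
// db.Query is literally db.QueryContext(context.Background(), ...), so it takes the same path.
func observe(id string) (string, []driver.NamedValue, error) {
	db, err := sql.Open("rec", "")
	if err != nil {
		return "", nil, err
	}
	defer db.Close()
	rows, err := db.QueryContext(context.Background(), "SELECT * FROM users WHERE id = ?", id)
	if err != nil {
		return "", nil, err
	}
	rows.Close()
	return gotQuery, gotArgs, nil
}
```

Calling observe("42") yields the query text with the literal "?" intact and a single bound argument "42"; a concatenated query would instead carry the input inside the SQL text, which is the pattern the go_gosec_sql_concat_sqli rule is meant to catch.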

Labels: bug