
Create test.go #2

Open
kyle-semgrep wants to merge 1 commit into main from test-pr2

Conversation

@kyle-semgrep (Owner)

Description

A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.

Resolved or fixed issue:

Affirmation

}

// ruleid: write-pprof-profile-output
return pprof.Lookup("goroutine").WriteTo(w, 2)

Semgrep identified an issue in your code:
Detected stack traces being printed or included in an HTTP response. This could expose sensitive information if deployed to a production environment in a user facing manner.

Dataflow graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>test.go</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/kyle-semgrep/js-app/blob/60820675fe9b0e9451135cb31a00af2145ae88c5/test.go#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] w</a>"]
        end
        %% Intermediate

        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/kyle-semgrep/js-app/blob/60820675fe9b0e9451135cb31a00af2145ae88c5/test.go#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] w</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    File0:::invis

    %% Connections

    Source --> Sink


To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
return pprof.Lookup("goroutine").WriteTo(w, 2)
package main
import(
"net/http"
"runtime/pprof"
"bytes"
"log"
)
func dumpGoroutines(w http.ResponseWriter, r *http.Request, t auth.Token) error {
if !permission.Check(t, permission.PermDebug) {
return permission.ErrUnauthorized
}
// Fix: Buffer pprof output and do not return it in HTTP response.
// Instead, log it securely or provide it through secure admin channels only.
// Remove or further restrict this code entirely in production.
var buf bytes.Buffer
if err := pprof.Lookup("goroutine").WriteTo(&buf, 2); err != nil {
log.Printf("Failed to collect goroutine profile: %v", err)
http.Error(w, "Internal server error", http.StatusInternalServerError)
return err
}
// Log for internal diagnostics only; do not send to end users.
log.Printf("Goroutine profile dump:\n%s", buf.String())
// For end users, return a generic success or OK response.
w.WriteHeader(http.StatusOK)
w.Write([]byte("Goroutine profile collected")) // never expose diagnostics directly
return nil
}
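Review bot: applied as written, this suggestion does not compile, because it replaces the single line `return pprof.Lookup("goroutine").WriteTo(w, 2)` inside the existing `dumpGoroutines` with a whole file (a `package main` clause, an import block and a second `func dumpGoroutines` declaration), and the new import block omits the `auth` and `permission` packages the signature and the `permission.Check` call depend on. Only the block from `var buf bytes.Buffer` through `return nil` belongs at the replaced line, with `bytes` and `log` added to the file's existing imports. Two smaller points in the same region: `log.Printf("Goroutine profile dump:\n%s", buf.String())` moves the full stack traces into the application log, which frequently flows to less restricted systems than the admin channel the comment itself recommends, so logging a summary (size, goroutine count) or storing the dump behind that channel would match the advice; and the return value of `w.Write(...)` is discarded.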
Step-by-step instructions
  1. Do not write pprof or stack trace output directly to the HTTP response. This can expose sensitive information about the internals of your application to users.
  2. If you need to collect the goroutine profile for debugging, write it to an in-memory buffer instead of the HTTP response: use var buf bytes.Buffer, then pprof.Lookup("goroutine").WriteTo(&buf, 2).
  3. Restrict access to this diagnostic data to internal tools or authenticated admin users—never expose it on endpoints open to untrusted sources. In production environments, consider disabling or removing this endpoint entirely.
  4. If sharing diagnostics is necessary, log the result securely or provide the information via a secure admin channel only.

Sensitive runtime details should not be sent in HTTP responses because they can help an attacker understand the structure of your code and active threads.
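The handler shape the finding flags, next to a hardened version that keeps the profile server-side, plus an httptest probe that reports whether a response body carries goroutine stack frames (the condition a regression test for this finding should assert on). This is an added example, not code from the pull request or from Semgrep; the handler names, the `collect` callback and the `/debug/goroutines` path are assumptions.

```go
package main

import (
	"bytes"
	"net/http"
	"net/http/httptest"
	"runtime/pprof"
	"strings"
)

// leakyHandler is the shape the finding flags: the goroutine profile, i.e. the
// stack trace of every live goroutine, is streamed straight into the response.
func leakyHandler(w http.ResponseWriter, r *http.Request) {
	_ = pprof.Lookup("goroutine").WriteTo(w, 2)
}

// safeHandler collects the same profile into a server-side buffer and hands it
// to collect, an assumed callback standing in for whatever internal channel the
// deployment uses; the client only learns whether collection succeeded.
func safeHandler(collect func([]byte)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var buf bytes.Buffer
		if err := pprof.Lookup("goroutine").WriteTo(&buf, 2); err != nil {
			http.Error(w, "internal server error", http.StatusInternalServerError)
			return
		}
		collect(buf.Bytes())
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte("goroutine profile collected\n"))
	}
}

// responseLeaksStacks drives a handler with httptest and reports whether the
// body contains goroutine stack frames. A debug=2 goroutine profile always
// starts entries with "goroutine N [state]:" followed by file:line frames, so
// both markers together are the signal to assert on (either alone is weak).
func responseLeaksStacks(h http.Handler) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/debug/goroutines", nil))
	body := rec.Body.String()
	return strings.Contains(body, "goroutine ") && strings.Contains(body, ".go:")
}

func main() {
	println("leaky handler leaks stacks:", responseLeaksStacks(http.HandlerFunc(leakyHandler)))
	println("safe handler leaks stacks:", responseLeaksStacks(safeHandler(func([]byte) {})))
}
```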

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by write-pprof-profile-output.

You can view more details about this finding in the Semgrep AppSec Platform.

kyle-semgrep (Owner, Author)

/other ignoring for reasons

kyle-semgrep (Owner, Author)

/fp this isn't working

kyle-semgrep (Owner, Author)

/ar maybe I should try kicking it
