nostdglobals
nostdglobals is a simple Go linter that checks for usages of global variables defined in the go standard library
Install
go >= 1.16
go install github.com/katsadim/nostdglobals
Usage
To lint all the packages in a program:
> nostdglobals ./...
std stands for standard library
After having a look at Seth Vargo's excellent blog post, I figured that it was about time to take matters into my own hands and create this tool. Here is an excerpt from the post:
As just one example, both http.DefaultClient and http.DefaultTransport are global variables with shared state. http.DefaultClient has no configured timeout, which makes it trivial to DOS your own service and create bottlenecks. Many packages mutate http.DefaultClient and http.DefaultTransport, which can waste days of developer resources tracking down bugs.
...
I also worry about this class of issues from a software supply chain standpoint. If I can develop a useful package that secretly modifies the http.DefaultTransport to use a custom RoundTripper that funnels all your traffic through my servers, that would make for a very bad time.
Support
For now this linter only reports http.DefaultClient and http.DefaultTransport. More to come soon!
Scan popular projects
Kubernetes
katsadim > ~/go/bin/nostdglobals ./...
~/dev/kubernetes/staging/src/k8s.io/client-go/transport/cache.go:87:10: should not make use of 'http.DefaultTransport'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/request.go:680:12: should not make use of 'http.DefaultClient'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/request.go:816:12: should not make use of 'http.DefaultClient'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/request.go:946:12: should not make use of 'http.DefaultClient'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/transport.go:38:18: should not make use of 'http.DefaultTransport'
~/dev/kubernetes/staging/src/k8s.io/client-go/rest/transport.go:44:16: should not make use of 'http.DefaultClient'
google-api-go-client
katsadim > ~/go/bin/nostdglobals ./...
~/dev/google-api-go-client/internal/gensupport/send.go:35:12: should not make use of 'http.DefaultClient'
~/dev/google-api-go-client/internal/gensupport/send.go:69:12: should not make use of 'http.DefaultClient'
~/dev/google-api-go-client/googleapi/transport/apikey.go:34:8: should not make use of 'http.DefaultTransport'
~/dev/google-api-go-client/transport/http/dial.go:166:27: should not make use of 'http.DefaultTransport'
~/dev/google-api-go-client/examples/main.go:72:29: should not make use of 'http.DefaultTransport'
~/dev/google-api-go-client/google-api-go-generator/gen.go:363:14: should not make use of 'http.DefaultClient'
~/dev/google-api-go-client/idtoken/idtoken.go:57:41: should not make use of 'http.DefaultTransport'
~/dev/google-api-go-client/idtoken/validate.go:33:57: should not make use of 'http.DefaultClient'
aws-sdk-go
Disclaimer: this behaviour is documented
katsadim > ~/go/bin/nostdglobals ./...
~/dev/aws-sdk-go/aws/corehandlers/handlers.go:126:15: should not make use of 'http.DefaultTransport'
~/dev/aws-sdk-go/aws/defaults/defaults.go:59:18: should not make use of 'http.DefaultClient'
~/dev/aws-sdk-go/example/aws/request/httptrace/config.go:45:11: should not make use of 'http.DefaultTransport'
istio
katsadim > ~/go/bin/nostdglobals ./...
~/dev/istio/pkg/kube/client.go:729:15: should not make use of 'http.DefaultClient'
~/dev/istio/pilot/cmd/pilot-agent/status/server.go:591:15: should not make use of 'http.DefaultClient'
Future work
- Lint Vendor directory
- Add more sketchy global variables
- Introduce configuration support which could contain globals to report
1 Oct 15, 2022
0 Jun 19, 2022
1 Jul 28, 2022
12 Dec 27, 2022
30 Aug 6, 2022
177 Dec 24, 2022
2k Jan 1, 2023
23 Dec 29, 2022
13 Dec 14, 2022
27 Oct 5, 2022
7 May 17, 2022
1.5k Jan 6, 2023
4k Dec 23, 2022
5.1k Jan 1, 2023
204 Dec 27, 2022
20 Dec 15, 2022
0 Nov 25, 2021
12 Oct 22, 2022