Critiq Docs

security.input-validation

Gin handlers should validate sensitive request bodies

Sensitive Gin binds should use `binding` or validator tags so authentication and mutation payloads cannot be silently empty.

#Metadata

Rule ID: go.security.gin-sensitive-binding-without-validation
Severity: medium
Confidence: 0.74
Languages: go
Presets: security, strict
Stability: experimental
Applies to: block
Tags: gin, go, rules-catalog, security

#Why it matters

Regex heuristics flag `ShouldBindJSON`/`BindJSON` usage when structs in the same file omit `binding`/`validate` tags on sensitive fields such as passwords or roles.

#Remediation

Add `binding`/`validate` tags, register validators, or reject requests before they reach persistence layers.
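The failure mode and the tag-based fix, as an added example (not code from Critiq or Gin): a `{}` body decodes cleanly into an untagged struct, while the tagged struct is rejected. It uses only the standard library, so `missingRequired` is a simplified stand-in that emulates just the `required` rule Gin's validator applies after JSON decoding; the type and function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// LoginUnsafe (constructed) is the shape the rule flags: sensitive fields, no tags.
type LoginUnsafe struct {
	Password string `json:"password"`
	Role     string `json:"role"`
}

// LoginSafe carries the binding tags that Gin's ShouldBindJSON hands to its validator.
type LoginSafe struct {
	Password string `json:"password" binding:"required,min=12"`
	Role     string `json:"role" binding:"required"`
}

// missingRequired is a stdlib stand-in for the validator's "required" rule only:
// it returns the JSON names of required-tagged fields that are still zero.
func missingRequired(dst interface{}) []string {
	var missing []string
	v := reflect.ValueOf(dst).Elem()
	for i := 0; i < v.NumField(); i++ {
		f := v.Type().Field(i)
		for _, rule := range strings.Split(f.Tag.Get("binding"), ",") {
			if rule == "required" && v.Field(i).IsZero() {
				missing = append(missing, f.Tag.Get("json"))
			}
		}
	}
	return missing
}

// bind decodes body into dst, then enforces the required tags (if any).
func bind(body string, dst interface{}) error {
	if err := json.Unmarshal([]byte(body), dst); err != nil {
		return err
	}
	if m := missingRequired(dst); len(m) > 0 {
		return fmt.Errorf("missing required fields: %s", strings.Join(m, ", "))
	}
	return nil
}

func main() { fmt.Println(bind(`{}`, &LoginUnsafe{}), bind(`{}`, &LoginSafe{})) }
```

In a real handler the same rejection comes from the error returned by `ShouldBindJSON`, which the handler must turn into a 4xx response before any persistence call.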

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/go/go.security.gin-sensitive-binding-without-validation.rule.yaml.