io.ReadCloser io.EOF seems to be should also be whitelisted

[psydvl]

However, this can be solved somehow with the whitelisting that follows interface embedding

Example:

func Magic(rc io.ReadCloser) {
	a := make([]byte, 10)
	_, err := rc.Read(a)
	if err != nil && err != io.EOF {
		fmt.Println(err)
		return
	}
	fmt.Println(a)
}

type MyReader interface{
	io.Reader
}

func MyMagic(rc MyReader) {
	a := make([]byte, 10)
	_, err := rc.Read(a)
	if err != nil && err != io.EOF {
		fmt.Println(err)
		return
	}
	fmt.Println(a)
}

Both raise comparing with != will fail on wrapped errors. Use errors.Is to check for a specific error

[polyfloyd]

Thanks for reporting this! I allowed io.EOF from (io.ReadCloser).Read.

The second example is a bit trickier as the allow-list works based on the name of the type. And since MyReader is a custom type it is not known by the allow-list. A solution would involve checking whether the source function implements one of the allowed interfaces, but I have not attempted that yet.

[psydvl]

Should we also expect same behavior for next types?

• json.Decoder{}.Decode()
• csv.Reader{}.Read() ReadAll()
• mime/multipart.Reader{}.NextPart()

https://github.com/search?q=repo%3Agolang%2Fgo+%22func+Example%22+%22%3D%3D+io.EOF%22&type=code

[polyfloyd]

Yes, any function in the standard library that returns io.EOF is ok to allow