I've been doing source code analysis of certain types of public repos for a specific classes of problems, and I found a something in your repo from my research that you may want to take a look at.

Specifically:

When using GORM's db.First() method, if the second argument is a string that comes from user input instead of an int, it can provide a SQL Injection opportunity. GORM doesn't escape or automatically parameterize the query in this specific case. See https://gorm.io/docs/security.html#Inline-Condition for more details. The fix is to ensure that the second argument is always an integer or a struct.

Example:

id := c.Param("id") db.First(&user, id) // If `id` is a string from attacker/user input, GORM performs direct concatenation

Fixed:

id := c.Param("id") if parsedId, err := strconv.Atoi(id); err == nil { db.First(&user, parsedId) // Now `id` is guaranteed to be an integer and GORM handles it safely } else { ... handle the error }

Note: This research has taken some time to complete, so the commit I'm referencing is a few weeks old. You may have already fixed this issue in a later commit. If so, feel free to ignore/close. Just wanted to give you a heads up as a courtesy in case you found it helpful.