actions/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2024-11-05 11:35:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
gosec/helpers.go

556 lines
16 KiB
Go
Raw Permalink Normal View History

Initial public release
2016-07-20 11:02:01 +01:00
// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Replace gas with gosec everywhere in the project
2018-07-19 17:42:25 +01:00
package gosec
Initial public release
2016-07-20 11:02:01 +01:00
import (
fix(helpers/goversion): get from go.mod
2024-03-20 10:19:57 +00:00
"bytes"
"encoding/json"
Derive the package from given files Move some utility functions into the helper
2018-07-23 14:16:47 +01:00
"errors"
Initial public release
2016-07-20 11:02:01 +01:00
"fmt"
"go/ast"
"go/token"
Add MatchCall helper that utilizes type checker This introduces a helper function that will significantly reduce the number of false positives that occur due to the use of regexp based call matching. It resolves the object related to a CallExpr and checks that against the supplied package and identifier name. If both of these match the returned value is the CallExpr and Object.
2016-11-04 18:20:28 +00:00
"go/types"
Derive the package from given files Move some utility functions into the helper
2018-07-23 14:16:47 +01:00
"os"
fix(helpers/goversion): get from go.mod
2024-03-20 10:19:57 +00:00
"os/exec"
Derive the package from given files Move some utility functions into the helper
2018-07-23 14:16:47 +01:00
"os/user"
"path/filepath"
Scan the go packages path recursively starting from a root folder This is replacing the gotool.ImportPaths which seems to have some troubles with Go modules. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-25 11:47:13 +01:00
"regexp"
Derive the package from given files Move some utility functions into the helper
2018-07-23 14:16:47 +01:00
"runtime"
Initial public release
2016-07-20 11:02:01 +01:00
"strconv"
Derive the package from given files Move some utility functions into the helper
2018-07-23 14:16:47 +01:00
"strings"
Initial public release
2016-07-20 11:02:01 +01:00
)
feat: add env var to override the Go version detection
2024-05-24 15:00:01 +01:00
// envGoModVersion overrides the Go version detection.
const envGoModVersion = "GOSECGOVERSION"
Add an environment varialbe which disables the parsing of Go version from module file Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-22 09:08:42 +01:00
MatchCallByPackage updated to avoid GetCallObject There seems to be an inconsistency in the way that the type.Info.Uses map is populated by the type checker in Go 1.5 and the latest release. It is possible to ascertain the package that relates to an object 1.7.x release but this does not work for earlier Go versions. To work around this limitation we now track imports, and monitor if they are aliased or initalization only imports.
2016-11-07 17:13:20 +00:00
// MatchCallByPackage ensures that the specified package is imported,
// adjusts the name for any aliases and ignores cases that are
// initialization only imports.
Add MatchCall helper that utilizes type checker This introduces a helper function that will significantly reduce the number of false positives that occur due to the use of regexp based call matching. It resolves the object related to a CallExpr and checks that against the supplied package and identifier name. If both of these match the returned value is the CallExpr and Object.
2016-11-04 18:20:28 +00:00
//
// Usage:
//
fix: parsing of the Go version (#844) * fix: parsing of the Go version * fix: convert pseudo directive to comment
2022-08-08 08:28:41 +01:00
// node, matched := MatchCallByPackage(n, ctx, "math/rand", "Read")
MatchCallByPackage updated to avoid GetCallObject There seems to be an inconsistency in the way that the type.Info.Uses map is populated by the type checker in Go 1.5 and the latest release. It is possible to ascertain the package that relates to an object 1.7.x release but this does not work for earlier Go versions. To work around this limitation we now track imports, and monitor if they are aliased or initalization only imports.
2016-11-07 17:13:20 +00:00
func MatchCallByPackage(n ast.Node, c *Context, pkg string, names ...string) (*ast.CallExpr, bool) {
Refactor to support duplicate imports with different aliases (#865) The existing code assumed imports to be either imported, or imported with an alias. Badly formatted files may have duplicate imports for a package, using different aliases. This patch refactors the code, and; Introduces a new `GetImportedNames` function, which returns all name(s) and aliase(s) for a package, which effectively combines `GetAliasedName` and `GetImportedName`, but adding support for duplicate imports. The old `GetAliasedName` and `GetImportedName` functions have been rewritten to use the new function and marked deprecated, but could be removed if there are no external consumers. With this patch, the linter is able to detect issues in files such as; package main import ( crand "crypto/rand" "math/big" "math/rand" rand2 "math/rand" rand3 "math/rand" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.Intn(2) // bad _ = rand2.Intn(2) // bad _ = rand3.Intn(2) // bad } Before this patch, only a single issue would be detected: gosec --quiet . [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad With this patch, all issues are identified: gosec --quiet . [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 15: _ = rand2.Intn(2) // bad > 16: _ = rand3.Intn(2) // bad 17: } [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 14: _ = rand.Intn(2) // bad > 15: _ = rand2.Intn(2) // bad 16: _ = rand3.Intn(2) // bad [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad While working on this change, I noticed that ImportTracker.TrackFile() was not able to find import aliases; Analyser.Check() called both ImportTracker.TrackFile() and ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in- correctly included multiple times (once with the correct alias, once with the default). I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker, Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk() already handles the file, and will find all imports. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 09:59:18 +01:00
importedNames, found := GetImportedNames(pkg, c)
Update error test case There were several issues with the error test case that have been addressed in this commit. - It is possible to specify a whitelist of calls that error handling should be ignored for. - Additional support for ast.ExprStmt for cases where the error is implicitly ignored. There were several other additions to the helpers and call list in order to support this type of functionality. Fixes #54
2016-11-18 22:09:10 +00:00
if !found {
Refactor to support duplicate imports with different aliases (#865) The existing code assumed imports to be either imported, or imported with an alias. Badly formatted files may have duplicate imports for a package, using different aliases. This patch refactors the code, and; Introduces a new `GetImportedNames` function, which returns all name(s) and aliase(s) for a package, which effectively combines `GetAliasedName` and `GetImportedName`, but adding support for duplicate imports. The old `GetAliasedName` and `GetImportedName` functions have been rewritten to use the new function and marked deprecated, but could be removed if there are no external consumers. With this patch, the linter is able to detect issues in files such as; package main import ( crand "crypto/rand" "math/big" "math/rand" rand2 "math/rand" rand3 "math/rand" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.Intn(2) // bad _ = rand2.Intn(2) // bad _ = rand3.Intn(2) // bad } Before this patch, only a single issue would be detected: gosec --quiet . [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad With this patch, all issues are identified: gosec --quiet . [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 15: _ = rand2.Intn(2) // bad > 16: _ = rand3.Intn(2) // bad 17: } [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 14: _ = rand.Intn(2) // bad > 15: _ = rand2.Intn(2) // bad 16: _ = rand3.Intn(2) // bad [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad While working on this change, I noticed that ImportTracker.TrackFile() was not able to find import aliases; Analyser.Check() called both ImportTracker.TrackFile() and ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in- correctly included multiple times (once with the correct alias, once with the default). I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker, Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk() already handles the file, and will find all imports. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 09:59:18 +01:00
return nil, false
MatchCallByPackage updated to avoid GetCallObject There seems to be an inconsistency in the way that the type.Info.Uses map is populated by the type checker in Go 1.5 and the latest release. It is possible to ascertain the package that relates to an object 1.7.x release but this does not work for earlier Go versions. To work around this limitation we now track imports, and monitor if they are aliased or initalization only imports.
2016-11-07 17:13:20 +00:00
}
Extend helpers and call list - Update call list to work directly with call expression - Add call list test cases - Extend helpers to add GetCallInfo to resolve call name and package or type if it's a var. - Add test cases to ensure correct behaviour
2016-11-18 17:57:34 +00:00
if callExpr, ok := n.(*ast.CallExpr); ok {
packageName, callName, err := GetCallInfo(callExpr, c)
if err != nil {
return nil, false
}
Refactor to support duplicate imports with different aliases (#865) The existing code assumed imports to be either imported, or imported with an alias. Badly formatted files may have duplicate imports for a package, using different aliases. This patch refactors the code, and; Introduces a new `GetImportedNames` function, which returns all name(s) and aliase(s) for a package, which effectively combines `GetAliasedName` and `GetImportedName`, but adding support for duplicate imports. The old `GetAliasedName` and `GetImportedName` functions have been rewritten to use the new function and marked deprecated, but could be removed if there are no external consumers. With this patch, the linter is able to detect issues in files such as; package main import ( crand "crypto/rand" "math/big" "math/rand" rand2 "math/rand" rand3 "math/rand" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.Intn(2) // bad _ = rand2.Intn(2) // bad _ = rand3.Intn(2) // bad } Before this patch, only a single issue would be detected: gosec --quiet . [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad With this patch, all issues are identified: gosec --quiet . [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 15: _ = rand2.Intn(2) // bad > 16: _ = rand3.Intn(2) // bad 17: } [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 14: _ = rand.Intn(2) // bad > 15: _ = rand2.Intn(2) // bad 16: _ = rand3.Intn(2) // bad [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad While working on this change, I noticed that ImportTracker.TrackFile() was not able to find import aliases; Analyser.Check() called both ImportTracker.TrackFile() and ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in- correctly included multiple times (once with the correct alias, once with the default). I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker, Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk() already handles the file, and will find all imports. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 09:59:18 +01:00
for _, in := range importedNames {
if packageName != in {
continue
}
Extend helpers and call list - Update call list to work directly with call expression - Add call list test cases - Extend helpers to add GetCallInfo to resolve call name and package or type if it's a var. - Add test cases to ensure correct behaviour
2016-11-18 17:57:34 +00:00
for _, name := range names {
if callName == name {
return callExpr, true
MatchCallByPackage updated to avoid GetCallObject There seems to be an inconsistency in the way that the type.Info.Uses map is populated by the type checker in Go 1.5 and the latest release. It is possible to ascertain the package that relates to an object 1.7.x release but this does not work for earlier Go versions. To work around this limitation we now track imports, and monitor if they are aliased or initalization only imports.
2016-11-07 17:13:20 +00:00
}
}
}
Add MatchCall helper that utilizes type checker This introduces a helper function that will significantly reduce the number of false positives that occur due to the use of regexp based call matching. It resolves the object related to a CallExpr and checks that against the supplied package and identifier name. If both of these match the returned value is the CallExpr and Object.
2016-11-04 18:20:28 +00:00
}
MatchCallByPackage updated to avoid GetCallObject There seems to be an inconsistency in the way that the type.Info.Uses map is populated by the type checker in Go 1.5 and the latest release. It is possible to ascertain the package that relates to an object 1.7.x release but this does not work for earlier Go versions. To work around this limitation we now track imports, and monitor if they are aliased or initalization only imports.
2016-11-07 17:13:20 +00:00
return nil, false
Add MatchCall helper that utilizes type checker This introduces a helper function that will significantly reduce the number of false positives that occur due to the use of regexp based call matching. It resolves the object related to a CallExpr and checks that against the supplied package and identifier name. If both of these match the returned value is the CallExpr and Object.
2016-11-04 18:20:28 +00:00
}
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// MatchCompLit will match an ast.CompositeLit based on the supplied type
func MatchCompLit(n ast.Node, ctx *Context, required string) *ast.CompositeLit {
if complit, ok := n.(*ast.CompositeLit); ok {
typeOf := ctx.Info.TypeOf(complit)
if typeOf.String() == required {
return complit
}
Initial public release
2016-07-20 11:02:01 +01:00
}
return nil
}
Adding some inline documentation for godoc
2016-08-12 14:17:28 +01:00
// GetInt will read and return an integer value from an ast.BasicLit
Initial public release
2016-07-20 11:02:01 +01:00
func GetInt(n ast.Node) (int64, error) {
if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.INT {
return strconv.ParseInt(node.Value, 0, 64)
}
return 0, fmt.Errorf("Unexpected AST node type: %T", n)
}
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// GetFloat will read and return a float value from an ast.BasicLit
Initial public release
2016-07-20 11:02:01 +01:00
func GetFloat(n ast.Node) (float64, error) {
if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.FLOAT {
return strconv.ParseFloat(node.Value, 64)
}
return 0.0, fmt.Errorf("Unexpected AST node type: %T", n)
}
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// GetChar will read and return a char value from an ast.BasicLit
Initial public release
2016-07-20 11:02:01 +01:00
func GetChar(n ast.Node) (byte, error) {
if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.CHAR {
return node.Value[0], nil
}
return 0, fmt.Errorf("Unexpected AST node type: %T", n)
}
fix: correctly identify infixed concats as potential SQL injections (#987)
2023-07-25 16:13:07 +01:00
// GetStringRecursive will recursively walk down a tree of *ast.BinaryExpr. It will then concat the results, and return.
// Unlike the other getters, it does _not_ raise an error for unknown ast.Node types. At the base, the recursion will hit a non-BinaryExpr type,
// either BasicLit or other, so it's not an error case. It will only error if `strconv.Unquote` errors. This matters, because there's
// currently functionality that relies on error values being returned by GetString if and when it hits a non-basiclit string node type,
Fix typos in struct fields, comments, and docs (#1023)
2023-10-05 11:59:17 +01:00
// hence for cases where recursion is needed, we use this separate function, so that we can still be backwards compatible.
fix: correctly identify infixed concats as potential SQL injections (#987)
2023-07-25 16:13:07 +01:00
//
// This was added to handle a SQL injection concatenation case where the injected value is infixed between two strings, not at the start or end. See example below
//
// Do note that this will omit non-string values. So for example, if you were to use this node:
// ```go
// q := "SELECT * FROM foo WHERE name = '" + os.Args[0] + "' AND 1=1" // will result in "SELECT * FROM foo WHERE ” AND 1=1"
func GetStringRecursive(n ast.Node) (string, error) {
if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.STRING {
return strconv.Unquote(node.Value)
}
if expr, ok := n.(*ast.BinaryExpr); ok {
x, err := GetStringRecursive(expr.X)
if err != nil {
return "", err
}
y, err := GetStringRecursive(expr.Y)
if err != nil {
return "", err
}
return x + y, nil
}
return "", nil
}
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// GetString will read and return a string value from an ast.BasicLit
Initial public release
2016-07-20 11:02:01 +01:00
func GetString(n ast.Node) (string, error) {
if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.STRING {
return strconv.Unquote(node.Value)
}
fix: correctly identify infixed concats as potential SQL injections (#987)
2023-07-25 16:13:07 +01:00
Initial public release
2016-07-20 11:02:01 +01:00
return "", fmt.Errorf("Unexpected AST node type: %T", n)
}
Split out MatchCallByObject into two functions Allows direct call to GetCallObject.
2016-11-04 21:39:22 +00:00
// GetCallObject returns the object and call expression and associated
// object for a given AST node. nil, nil will be returned if the
// object cannot be resolved.
func GetCallObject(n ast.Node, ctx *Context) (*ast.CallExpr, types.Object) {
switch node := n.(type) {
case *ast.CallExpr:
switch fn := node.Fun.(type) {
case *ast.Ident:
return node, ctx.Info.Uses[fn]
case *ast.SelectorExpr:
return node, ctx.Info.Uses[fn.Sel]
}
}
return nil, nil
}
Extend helpers and call list - Update call list to work directly with call expression - Add call list test cases - Extend helpers to add GetCallInfo to resolve call name and package or type if it's a var. - Add test cases to ensure correct behaviour
2016-11-18 17:57:34 +00:00
// GetCallInfo returns the package or type and name associated with a
// call expression.
func GetCallInfo(n ast.Node, ctx *Context) (string, string, error) {
switch node := n.(type) {
case *ast.CallExpr:
switch fn := node.Fun.(type) {
case *ast.SelectorExpr:
switch expr := fn.X.(type) {
case *ast.Ident:
if expr.Obj != nil && expr.Obj.Kind == ast.Var {
t := ctx.Info.TypeOf(expr)
if t != nil {
return t.String(), fn.Sel.Name, nil
}
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
return "undefined", fn.Sel.Name, fmt.Errorf("missing type info")
Extend helpers and call list - Update call list to work directly with call expression - Add call list test cases - Extend helpers to add GetCallInfo to resolve call name and package or type if it's a var. - Add test cases to ensure correct behaviour
2016-11-18 17:57:34 +00:00
}
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
return expr.Name, fn.Sel.Name, nil
Fix the call list info to handle selector expressions Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-15 14:42:26 +00:00
case *ast.SelectorExpr:
if expr.Sel != nil {
t := ctx.Info.TypeOf(expr.Sel)
if t != nil {
return t.String(), fn.Sel.Name, nil
}
return "undefined", fn.Sel.Name, fmt.Errorf("missing type info")
}
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-28 13:11:00 +00:00
case *ast.CallExpr:
switch call := expr.Fun.(type) {
case *ast.Ident:
Handle new function when getting the call info in case is overriden Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-12 09:01:41 +01:00
if call.Name == "new" && len(expr.Args) > 0 {
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-28 13:11:00 +00:00
t := ctx.Info.TypeOf(expr.Args[0])
if t != nil {
return t.String(), fn.Sel.Name, nil
}
return "undefined", fn.Sel.Name, fmt.Errorf("missing type info")
}
if call.Obj != nil {
switch decl := call.Obj.Decl.(type) {
case *ast.FuncDecl:
ret := decl.Type.Results
if ret != nil && len(ret.List) > 0 {
ret1 := ret.List[0]
if ret1 != nil {
t := ctx.Info.TypeOf(ret1.Type)
if t != nil {
return t.String(), fn.Sel.Name, nil
}
return "undefined", fn.Sel.Name, fmt.Errorf("missing type info")
}
}
}
}
}
Extend helpers and call list - Update call list to work directly with call expression - Add call list test cases - Extend helpers to add GetCallInfo to resolve call name and package or type if it's a var. - Add test cases to ensure correct behaviour
2016-11-18 17:57:34 +00:00
}
Update error test case There were several issues with the error test case that have been addressed in this commit. - It is possible to specify a whitelist of calls that error handling should be ignored for. - Additional support for ast.ExprStmt for cases where the error is implicitly ignored. There were several other additions to the helpers and call list in order to support this type of functionality. Fixes #54
2016-11-18 22:09:10 +00:00
case *ast.Ident:
return ctx.Pkg.Name(), fn.Name, nil
Extend helpers and call list - Update call list to work directly with call expression - Add call list test cases - Extend helpers to add GetCallInfo to resolve call name and package or type if it's a var. - Add test cases to ensure correct behaviour
2016-11-18 17:57:34 +00:00
}
}
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-28 13:11:00 +00:00
Extend helpers and call list - Update call list to work directly with call expression - Add call list test cases - Extend helpers to add GetCallInfo to resolve call name and package or type if it's a var. - Add test cases to ensure correct behaviour
2016-11-18 17:57:34 +00:00
return "", "", fmt.Errorf("unable to determine call info")
}
Update error test case There were several issues with the error test case that have been addressed in this commit. - It is possible to specify a whitelist of calls that error handling should be ignored for. - Additional support for ast.ExprStmt for cases where the error is implicitly ignored. There were several other additions to the helpers and call list in order to support this type of functionality. Fixes #54
2016-11-18 22:09:10 +00:00
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-02 15:28:51 +00:00
// GetCallStringArgsValues returns the values of strings arguments if they can be resolved
Fix some linting warnings
2023-03-20 09:08:49 +00:00
func GetCallStringArgsValues(n ast.Node, _ *Context) []string {
Add a helper function which extracts the string parameters values of a call expression
2018-12-02 14:36:02 +00:00
values := []string{}
switch node := n.(type) {
case *ast.CallExpr:
for _, arg := range node.Args {
switch param := arg.(type) {
case *ast.BasicLit:
value, err := GetString(param)
if err == nil {
values = append(values, value)
}
case *ast.Ident:
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-02 15:28:51 +00:00
values = append(values, GetIdentStringValues(param)...)
}
}
}
return values
}
Add a helper function which extracts the string parameters values of a call expression
2018-12-02 14:36:02 +00:00
fix: correctly identify infixed concats as potential SQL injections (#987)
2023-07-25 16:13:07 +01:00
func getIdentStringValues(ident *ast.Ident, stringFinder func(ast.Node) (string, error)) []string {
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-02 15:28:51 +00:00
values := []string{}
obj := ident.Obj
if obj != nil {
switch decl := obj.Decl.(type) {
case *ast.ValueSpec:
for _, v := range decl.Values {
fix: correctly identify infixed concats as potential SQL injections (#987)
2023-07-25 16:13:07 +01:00
value, err := stringFinder(v)
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-02 15:28:51 +00:00
if err == nil {
values = append(values, value)
}
}
case *ast.AssignStmt:
for _, v := range decl.Rhs {
fix: correctly identify infixed concats as potential SQL injections (#987)
2023-07-25 16:13:07 +01:00
value, err := stringFinder(v)
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-02 15:28:51 +00:00
if err == nil {
values = append(values, value)
Add a helper function which extracts the string parameters values of a call expression
2018-12-02 14:36:02 +00:00
}
}
}
}
return values
}
chore: fix function name Signed-off-by: avoidalone <wuguangdong@outlook.com>
2024-03-11 07:28:58 +00:00
// GetIdentStringValuesRecursive returns the string of values of an Ident if they can be resolved
fix: correctly identify infixed concats as potential SQL injections (#987)
2023-07-25 16:13:07 +01:00
// The difference between this and GetIdentStringValues is that it will attempt to resolve the strings recursively,
// if it is passed a *ast.BinaryExpr. See GetStringRecursive for details
func GetIdentStringValuesRecursive(ident *ast.Ident) []string {
return getIdentStringValues(ident, GetStringRecursive)
}
// GetIdentStringValues return the string values of an Ident if they can be resolved
func GetIdentStringValues(ident *ast.Ident) []string {
return getIdentStringValues(ident, GetString)
}
Improve the SQL strings concat rules to handle multiple string concatenation Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 14:42:43 +01:00
// GetBinaryExprOperands returns all operands of a binary expression by traversing
// the expression tree
func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node {
var traverse func(be *ast.BinaryExpr)
result := []ast.Node{}
traverse = func(be *ast.BinaryExpr) {
if lhs, ok := be.X.(*ast.BinaryExpr); ok {
traverse(lhs)
} else {
result = append(result, be.X)
}
if rhs, ok := be.Y.(*ast.BinaryExpr); ok {
traverse(rhs)
} else {
result = append(result, be.Y)
}
}
traverse(be)
return result
}
Refactor to support duplicate imports with different aliases (#865) The existing code assumed imports to be either imported, or imported with an alias. Badly formatted files may have duplicate imports for a package, using different aliases. This patch refactors the code, and; Introduces a new `GetImportedNames` function, which returns all name(s) and aliase(s) for a package, which effectively combines `GetAliasedName` and `GetImportedName`, but adding support for duplicate imports. The old `GetAliasedName` and `GetImportedName` functions have been rewritten to use the new function and marked deprecated, but could be removed if there are no external consumers. With this patch, the linter is able to detect issues in files such as; package main import ( crand "crypto/rand" "math/big" "math/rand" rand2 "math/rand" rand3 "math/rand" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.Intn(2) // bad _ = rand2.Intn(2) // bad _ = rand3.Intn(2) // bad } Before this patch, only a single issue would be detected: gosec --quiet . [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad With this patch, all issues are identified: gosec --quiet . [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 15: _ = rand2.Intn(2) // bad > 16: _ = rand3.Intn(2) // bad 17: } [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 14: _ = rand.Intn(2) // bad > 15: _ = rand2.Intn(2) // bad 16: _ = rand3.Intn(2) // bad [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad While working on this change, I noticed that ImportTracker.TrackFile() was not able to find import aliases; Analyser.Check() called both ImportTracker.TrackFile() and ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in- correctly included multiple times (once with the correct alias, once with the default). I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker, Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk() already handles the file, and will find all imports. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 09:59:18 +01:00
// GetImportedNames returns the name(s)/alias(es) used for the package within
// the code. It ignores initialization-only imports.
func GetImportedNames(path string, ctx *Context) (names []string, found bool) {
importNames, imported := ctx.Imports.Imported[path]
return importNames, imported
Update error test case There were several issues with the error test case that have been addressed in this commit. - It is possible to specify a whitelist of calls that error handling should be ignored for. - Additional support for ast.ExprStmt for cases where the error is implicitly ignored. There were several other additions to the helpers and call list in order to support this type of functionality. Fixes #54
2016-11-18 22:09:10 +00:00
}
Fix typos in comments and rulelist (#256)
2018-10-11 13:45:31 +01:00
// GetImportPath resolves the full import path of an identifier based on
Fix for G402. Check package path instead of package name (#838)
2022-07-28 07:51:30 +01:00
// the imports in the current context(including aliases).
Update error test case There were several issues with the error test case that have been addressed in this commit. - It is possible to specify a whitelist of calls that error handling should be ignored for. - Additional support for ast.ExprStmt for cases where the error is implicitly ignored. There were several other additions to the helpers and call list in order to support this type of functionality. Fixes #54
2016-11-18 22:09:10 +00:00
func GetImportPath(name string, ctx *Context) (string, bool) {
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
for path := range ctx.Imports.Imported {
Refactor to support duplicate imports with different aliases (#865) The existing code assumed imports to be either imported, or imported with an alias. Badly formatted files may have duplicate imports for a package, using different aliases. This patch refactors the code, and; Introduces a new `GetImportedNames` function, which returns all name(s) and aliase(s) for a package, which effectively combines `GetAliasedName` and `GetImportedName`, but adding support for duplicate imports. The old `GetAliasedName` and `GetImportedName` functions have been rewritten to use the new function and marked deprecated, but could be removed if there are no external consumers. With this patch, the linter is able to detect issues in files such as; package main import ( crand "crypto/rand" "math/big" "math/rand" rand2 "math/rand" rand3 "math/rand" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.Intn(2) // bad _ = rand2.Intn(2) // bad _ = rand3.Intn(2) // bad } Before this patch, only a single issue would be detected: gosec --quiet . [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad With this patch, all issues are identified: gosec --quiet . [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 15: _ = rand2.Intn(2) // bad > 16: _ = rand3.Intn(2) // bad 17: } [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 14: _ = rand.Intn(2) // bad > 15: _ = rand2.Intn(2) // bad 16: _ = rand3.Intn(2) // bad [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad While working on this change, I noticed that ImportTracker.TrackFile() was not able to find import aliases; Analyser.Check() called both ImportTracker.TrackFile() and ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in- correctly included multiple times (once with the correct alias, once with the default). I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker, Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk() already handles the file, and will find all imports. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 09:59:18 +01:00
if imported, ok := GetImportedNames(path, ctx); ok {
for _, n := range imported {
if n == name {
return path, true
}
}
Fix for G402. Check package path instead of package name (#838)
2022-07-28 07:51:30 +01:00
}
}
Update error test case There were several issues with the error test case that have been addressed in this commit. - It is possible to specify a whitelist of calls that error handling should be ignored for. - Additional support for ast.ExprStmt for cases where the error is implicitly ignored. There were several other additions to the helpers and call list in order to support this type of functionality. Fixes #54
2016-11-18 22:09:10 +00:00
return "", false
}
Address unhandled error conditions Closes #95
2016-12-02 18:20:23 +00:00
// GetLocation returns the filename and line number of an ast.Node
func GetLocation(n ast.Node, ctx *Context) (string, int) {
fobj := ctx.FileSet.File(n.Pos())
return fobj.Name(), fobj.Line(n.Pos())
}
Derive the package from given files Move some utility functions into the helper
2018-07-23 14:16:47 +01:00
// Gopath returns all GOPATHs
func Gopath() []string {
defaultGoPath := runtime.GOROOT()
if u, err := user.Current(); err == nil {
defaultGoPath = filepath.Join(u.HomeDir, "go")
}
path := Getenv("GOPATH", defaultGoPath)
paths := strings.Split(path, string(os.PathListSeparator))
for idx, path := range paths {
if abs, err := filepath.Abs(path); err == nil {
paths[idx] = abs
}
}
return paths
}
// Getenv returns the values of the environment variable, otherwise
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
// returns the default if variable is not set
Derive the package from given files Move some utility functions into the helper
2018-07-23 14:16:47 +01:00
func Getenv(key, userDefault string) string {
if val := os.Getenv(key); val != "" {
return val
}
return userDefault
}
Fix typos in comments, vars and tests
2023-05-26 16:03:54 +01:00
// GetPkgRelativePath returns the Go relative path derived
Derive the package from given files Move some utility functions into the helper
2018-07-23 14:16:47 +01:00
// form the given path
func GetPkgRelativePath(path string) (string, error) {
abspath, err := filepath.Abs(path)
if err != nil {
abspath = path
}
if strings.HasSuffix(abspath, ".go") {
abspath = filepath.Dir(abspath)
}
for _, base := range Gopath() {
projectRoot := filepath.FromSlash(fmt.Sprintf("%s/src/", base))
if strings.HasPrefix(abspath, projectRoot) {
return strings.TrimPrefix(abspath, projectRoot), nil
}
}
return "", errors.New("no project relative path found")
}
// GetPkgAbsPath returns the Go package absolute path derived from
// the given path
func GetPkgAbsPath(pkgPath string) (string, error) {
absPath, err := filepath.Abs(pkgPath)
if err != nil {
return "", err
}
if _, err := os.Stat(absPath); os.IsNotExist(err) {
return "", errors.New("no project absolute path found")
}
return absPath, nil
}
Small update to G201 and added ConcatString Function (#228)
2018-08-19 18:57:36 +01:00
Fix typos in comments and rulelist (#256)
2018-10-11 13:45:31 +01:00
// ConcatString recursively concatenates strings from a binary expression
Small update to G201 and added ConcatString Function (#228)
2018-08-19 18:57:36 +01:00
func ConcatString(n *ast.BinaryExpr) (string, bool) {
var s string
// sub expressions are found in X object, Y object is always last BasicLit
if rightOperand, ok := n.Y.(*ast.BasicLit); ok {
if str, err := GetString(rightOperand); err == nil {
s = str + s
}
} else {
return "", false
}
if leftOperand, ok := n.X.(*ast.BinaryExpr); ok {
if recursion, ok := ConcatString(leftOperand); ok {
s = recursion + s
}
} else if leftOperand, ok := n.X.(*ast.BasicLit); ok {
if str, err := GetString(leftOperand); err == nil {
s = str + s
}
} else {
return "", false
}
return s, true
}
update to G304 which adds binary expressions and file joining (#233) * Added features to G304 * Linted * Added path selectors * Used better solution * removed debugging lines * fixed comments * Added test code * fixed a spacing change
2018-08-28 05:34:07 +01:00
// FindVarIdentities returns array of all variable identities in a given binary expression
func FindVarIdentities(n *ast.BinaryExpr, c *Context) ([]*ast.Ident, bool) {
identities := []*ast.Ident{}
// sub expressions are found in X object, Y object is always the last term
if rightOperand, ok := n.Y.(*ast.Ident); ok {
obj := c.Info.ObjectOf(rightOperand)
if _, ok := obj.(*types.Var); ok && !TryResolve(rightOperand, c) {
identities = append(identities, rightOperand)
}
}
if leftOperand, ok := n.X.(*ast.BinaryExpr); ok {
if leftIdentities, ok := FindVarIdentities(leftOperand, c); ok {
identities = append(identities, leftIdentities...)
}
} else {
if leftOperand, ok := n.X.(*ast.Ident); ok {
obj := c.Info.ObjectOf(leftOperand)
if _, ok := obj.(*types.Var); ok && !TryResolve(leftOperand, c) {
identities = append(identities, leftOperand)
}
}
}
if len(identities) > 0 {
return identities, true
}
// if nil or error, return false
return nil, false
}
Scan the go packages path recursively starting from a root folder This is replacing the gotool.ImportPaths which seems to have some troubles with Go modules. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-25 11:47:13 +01:00
// PackagePaths returns a slice with all packages path at given root directory
Add support to exclude arbitrary folders from scanning (#353) Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-09 13:01:36 +01:00
func PackagePaths(root string, excludes []*regexp.Regexp) ([]string, error) {
Scan the go packages path recursively starting from a root folder This is replacing the gotool.ImportPaths which seems to have some troubles with Go modules. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-25 11:47:13 +01:00
if strings.HasSuffix(root, "...") {
root = root[0 : len(root)-3]
} else {
return []string{root}, nil
}
paths := map[string]bool{}
err := filepath.Walk(root, func(path string, f os.FileInfo, err error) error {
if filepath.Ext(path) == ".go" {
path = filepath.Dir(path)
Allows the exclude-dir option to exclude sub directories
2021-08-04 16:31:16 +01:00
if isExcluded(filepath.ToSlash(path), excludes) {
Scan the go packages path recursively starting from a root folder This is replacing the gotool.ImportPaths which seems to have some troubles with Go modules. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-25 11:47:13 +01:00
return nil
}
paths[path] = true
}
return nil
})
if err != nil {
return []string{}, err
}
result := []string{}
for path := range paths {
result = append(result, path)
}
return result, nil
}
Fix the file path in the Sonarqube report Add some test to validate the Sonarqube formatter. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-24 13:10:51 +01:00
Add support to exclude arbitrary folders from scanning (#353) Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-09 13:01:36 +01:00
// isExcluded checks if a string matches any of the exclusion regexps
func isExcluded(str string, excludes []*regexp.Regexp) bool {
if excludes == nil {
return false
}
for _, exclude := range excludes {
if exclude != nil && exclude.MatchString(str) {
return true
}
}
return false
}
// ExcludedDirsRegExp builds the regexps for a list of excluded dirs provided as strings
func ExcludedDirsRegExp(excludedDirs []string) []*regexp.Regexp {
var exps []*regexp.Regexp
for _, excludedDir := range excludedDirs {
Allows the exclude-dir option to exclude sub directories
2021-08-04 16:31:16 +01:00
str := fmt.Sprintf(`([\\/])?%s([\\/])?`, strings.ReplaceAll(filepath.ToSlash(excludedDir), "/", `\/`))
Add support to exclude arbitrary folders from scanning (#353) Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-09 13:01:36 +01:00
r := regexp.MustCompile(str)
exps = append(exps, r)
}
return exps
}
Fix the file path in the Sonarqube report Add some test to validate the Sonarqube formatter. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-24 13:10:51 +01:00
// RootPath returns the absolute root path of a scan
func RootPath(root string) (string, error) {
Fix the unit tests (#652) Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-06-17 13:56:27 +01:00
root = strings.TrimSuffix(root, "...")
Fix the file path in the Sonarqube report Add some test to validate the Sonarqube formatter. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-24 13:10:51 +01:00
return filepath.Abs(root)
}
Add check for usage of Rat.SetString in math/big with an overflow error (#819) * Add check for usage of Rat.SetString in math/big with an overflow error Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. It is the CVE-2022-23772. * Use ContainsPkgCallExpr instead of manual parsing
2022-06-02 23:19:51 +01:00
fix(helpers/goversion): get from go.mod
2024-03-20 10:19:57 +00:00
// GoVersion returns parsed version of Go mod version and fallback to runtime version if not found.
Add check for usage of Rat.SetString in math/big with an overflow error (#819) * Add check for usage of Rat.SetString in math/big with an overflow error Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. It is the CVE-2022-23772. * Use ContainsPkgCallExpr instead of manual parsing
2022-06-02 23:19:51 +01:00
func GoVersion() (int, int, int) {
feat: add env var to override the Go version detection
2024-05-24 15:00:01 +01:00
if env, ok := os.LookupEnv(envGoModVersion); ok {
return parseGoVersion(strings.TrimPrefix(env, "go"))
fix(helpers/goversion): get from go.mod
2024-03-20 10:19:57 +00:00
}
feat: add env var to override the Go version detection
2024-05-24 15:00:01 +01:00
goVersion, err := goModVersion()
if err != nil {
return parseGoVersion(strings.TrimPrefix(runtime.Version(), "go"))
}
return parseGoVersion(goVersion)
fix(helpers/goversion): get from go.mod
2024-03-20 10:19:57 +00:00
}
type goListOutput struct {
GoVersion string `json:"GoVersion"`
}
func goModVersion() (string, error) {
cmd := exec.Command("go", "list", "-m", "-json")
raw, err := cmd.CombinedOutput()
if err != nil {
return "", fmt.Errorf("command go list: %w: %s", err, string(raw))
}
var v goListOutput
err = json.NewDecoder(bytes.NewBuffer(raw)).Decode(&v)
if err != nil {
return "", fmt.Errorf("unmarshaling error: %w: %s", err, string(raw))
}
return v.GoVersion, nil
fix: parsing of the Go version (#844) * fix: parsing of the Go version * fix: convert pseudo directive to comment
2022-08-08 08:28:41 +01:00
}
// parseGoVersion parses Go version.
// example:
fix(helpers/goversion): get from go.mod
2024-03-20 10:19:57 +00:00
// - 1.19rc2
// - 1.19beta2
// - 1.19.4
// - 1.19
fix: parsing of the Go version (#844) * fix: parsing of the Go version * fix: convert pseudo directive to comment
2022-08-08 08:28:41 +01:00
func parseGoVersion(version string) (int, int, int) {
fix(helpers/goversion): get from go.mod
2024-03-20 10:19:57 +00:00
exp := regexp.MustCompile(`(\d+).(\d+)(?:.(\d+))?.*`)
fix: parsing of the Go version (#844) * fix: parsing of the Go version * fix: convert pseudo directive to comment
2022-08-08 08:28:41 +01:00
parts := exp.FindStringSubmatch(version)
if len(parts) <= 1 {
return 0, 0, 0
}
major, _ := strconv.Atoi(parts[1])
minor, _ := strconv.Atoi(parts[2])
build, _ := strconv.Atoi(parts[3])
Add check for usage of Rat.SetString in math/big with an overflow error (#819) * Add check for usage of Rat.SetString in math/big with an overflow error Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. It is the CVE-2022-23772. * Use ContainsPkgCallExpr instead of manual parsing
2022-06-02 23:19:51 +01:00
return major, minor, build
}
Reference in a new issue Copy permalink