gosec/rules/fileperms.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"fmt"
	"go/ast"
	"strconv"

	"github.com/securego/gosec/v2"
	"github.com/securego/gosec/v2/issue"
)

type filePermissions struct {
	issue.MetaData
	mode  int64
	pkgs  []string
	calls []string
}

// ID returns the ID of the rule.
func (r *filePermissions) ID() string {
	return r.MetaData.ID
}

func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMode int64) int64 {
	mode := defaultMode
	if value, ok := conf[configKey]; ok {
		switch value := value.(type) {
		case int64:
			mode = value
		case string:
			if m, e := strconv.ParseInt(value, 0, 64); e != nil {
				mode = defaultMode
			} else {
				mode = m
			}
		}
	}
	return mode
}

func modeIsSubset(subset int64, superset int64) bool {
	return (subset | superset) == superset
}

// Match checks if the rule is matched.
func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
	for _, pkg := range r.pkgs {
		if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
			modeArg := callexpr.Args[len(callexpr.Args)-1]
			if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) {
				return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
			}
		}
	}
	return nil, nil
}

// NewWritePerms creates a rule to detect file Writes with bad permissions.
func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	mode := getConfiguredMode(conf, id, 0o600)
	return &filePermissions{
		mode:  mode,
		pkgs:  []string{"io/ioutil", "os"},
		calls: []string{"WriteFile"},
		MetaData: issue.MetaData{
			ID:         id,
			Severity:   issue.Medium,
			Confidence: issue.High,
			What:       fmt.Sprintf("Expect WriteFile permissions to be %#o or less", mode),
		},
	}, []ast.Node{(*ast.CallExpr)(nil)}
}

// NewFilePerms creates a rule to detect file creation with a more permissive than configured
// permission mask.
func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	mode := getConfiguredMode(conf, id, 0o600)
	return &filePermissions{
		mode:  mode,
		pkgs:  []string{"os"},
		calls: []string{"OpenFile", "Chmod"},
		MetaData: issue.MetaData{
			ID:         id,
			Severity:   issue.Medium,
			Confidence: issue.High,
			What:       fmt.Sprintf("Expect file permissions to be %#o or less", mode),
		},
	}, []ast.Node{(*ast.CallExpr)(nil)}
}

// NewMkdirPerms creates a rule to detect directory creation with more permissive than
// configured permission mask.
func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	mode := getConfiguredMode(conf, id, 0o750)
	return &filePermissions{
		mode:  mode,
		pkgs:  []string{"os"},
		calls: []string{"Mkdir", "MkdirAll"},
		MetaData: issue.MetaData{
			ID:         id,
			Severity:   issue.Medium,
			Confidence: issue.High,
			What:       fmt.Sprintf("Expect directory permissions to be %#o or less", mode),
		},
	}, []ast.Node{(*ast.CallExpr)(nil)}
}

type osCreatePermissions struct {
	issue.MetaData
	mode  int64
	pkgs  []string
	calls []string
}

const defaultOsCreateMode = 0o666

// ID returns the ID of the rule.
func (r *osCreatePermissions) ID() string {
	return r.MetaData.ID
}

// Match checks if the rule is matched.
func (r *osCreatePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
	for _, pkg := range r.pkgs {
		if _, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
			if !modeIsSubset(defaultOsCreateMode, r.mode) {
				return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
			}
		}
	}
	return nil, nil
}

// NewOsCreatePerms reates a rule to detect file creation with a more permissive than configured
// permission mask.
func NewOsCreatePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	mode := getConfiguredMode(conf, id, 0o666)
	return &osCreatePermissions{
		mode:  mode,
		pkgs:  []string{"os"},
		calls: []string{"Create"},
		MetaData: issue.MetaData{
			ID:         id,
			Severity:   issue.Medium,
			Confidence: issue.High,
			What: fmt.Sprintf("Expect file permissions to be %#o or less but os.Create used with default permissions %#o",
				mode, defaultOsCreateMode),
		},
	}, []ast.Node{(*ast.CallExpr)(nil)}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"fmt"`
			`"go/ast"`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`"strconv"`
Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00
Handle properly the gosec module version v2 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-04-01 21:18:39 +01:00			`"github.com/securego/gosec/v2"`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`"github.com/securego/gosec/v2/issue"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type filePermissions struct {`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`issue.MetaData`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`mode int64`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`pkgs []string`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`calls []string`
			`}`

Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666 It seems that the os.Create will create by default a file with 0666 permissions. This should be detected when the configured permissions are less than 0666. By default will not detect this case unless the more restrictive mode is configured. Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com> 2023-09-25 12:11:00 +01:00			`// ID returns the ID of the rule.`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`func (r *filePermissions) ID() string {`
			`return r.MetaData.ID`
			`}`

Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMode int64) int64 {`
Fix lint and fail on error in the ci build 2021-05-31 09:44:12 +01:00			`mode := defaultMode`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`if value, ok := conf[configKey]; ok {`
Fix some lint warnings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2019-04-30 10:32:06 +01:00			`switch value := value.(type) {`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`case int64:`
Fix some lint warnings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2019-04-30 10:32:06 +01:00			`mode = value`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`case string:`
Fix some lint warnings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2019-04-30 10:32:06 +01:00			`if m, e := strconv.ParseInt(value, 0, 64); e != nil {`
Address unhandled error conditions Closes #95 2016-12-02 18:20:23 +00:00			`mode = defaultMode`
			`} else {`
			`mode = m`
			`}`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`}`
			`}`
			`return mode`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

fileperms: bitwise permission comparison (#883) * fileperms: extract existing mode comparison logic * fileperms: add failing test * fileperms: bitwise permission comparison 2022-10-20 07:48:40 +01:00			`func modeIsSubset(subset int64, superset int64) bool {`
			`return (subset \| superset) == superset`
			`}`

Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666 It seems that the os.Create will create by default a file with 0666 permissions. This should be detected when the configured permissions are less than 0666. By default will not detect this case unless the more restrictive mode is configured. Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com> 2023-09-25 12:11:00 +01:00			`// Match checks if the rule is matched.`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`func (r filePermissions) Match(n ast.Node, c gosec.Context) (*issue.Issue, error) {`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`for _, pkg := range r.pkgs {`
			`if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {`
			`modeArg := callexpr.Args[len(callexpr.Args)-1]`
fileperms: bitwise permission comparison (#883) * fileperms: extract existing mode comparison logic * fileperms: add failing test * fileperms: bitwise permission comparison 2022-10-20 07:48:40 +01:00			`if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) {`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`return nil, nil`
			`}`

Fileperms (#442) 2020-02-28 11:48:18 +00:00			`// NewWritePerms creates a rule to detect file Writes with bad permissions.`
			`func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
Fix use rule IDs to retrieve the rule config 2022-03-28 19:28:02 +01:00			`mode := getConfiguredMode(conf, id, 0o600)`
Fileperms (#442) 2020-02-28 11:48:18 +00:00			`return &filePermissions{`
			`mode: mode,`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`pkgs: []string{"io/ioutil", "os"},`
Fileperms (#442) 2020-02-28 11:48:18 +00:00			`calls: []string{"WriteFile"},`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`MetaData: issue.MetaData{`
Fileperms (#442) 2020-02-28 11:48:18 +00:00			`ID: id,`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Severity: issue.Medium,`
			`Confidence: issue.High,`
Fileperms (#442) 2020-02-28 11:48:18 +00:00			`What: fmt.Sprintf("Expect WriteFile permissions to be %#o or less", mode),`
			`},`
			`}, []ast.Node{(*ast.CallExpr)(nil)}`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewFilePerms creates a rule to detect file creation with a more permissive than configured`
			`// permission mask.`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
Fix use rule IDs to retrieve the rule config 2022-03-28 19:28:02 +01:00			`mode := getConfiguredMode(conf, id, 0o600)`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`return &filePermissions{`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`mode: mode,`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`pkgs: []string{"os"},`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`calls: []string{"OpenFile", "Chmod"},`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`MetaData: issue.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Severity: issue.Medium,`
			`Confidence: issue.High,`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`What: fmt.Sprintf("Expect file permissions to be %#o or less", mode),`
Initial public release 2016-07-20 11:02:01 +01:00			`},`
Allow rules to register against multiple ast nodes Update the AddRule interface to allow rules to register interest in multiple ast.Nodes. Adds more flexibility to how rules can work, and was needed to fix the hard coded credentials test specifically. 2016-11-13 20:55:31 +00:00			`}, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewMkdirPerms creates a rule to detect directory creation with more permissive than`
			`// configured permission mask.`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
Fix use rule IDs to retrieve the rule config 2022-03-28 19:28:02 +01:00			`mode := getConfiguredMode(conf, id, 0o750)`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`return &filePermissions{`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`mode: mode,`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`pkgs: []string{"os"},`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`calls: []string{"Mkdir", "MkdirAll"},`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`MetaData: issue.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Severity: issue.Medium,`
			`Confidence: issue.High,`
Initial public release 2016-07-20 11:02:01 +01:00			`What: fmt.Sprintf("Expect directory permissions to be %#o or less", mode),`
			`},`
Allow rules to register against multiple ast nodes Update the AddRule interface to allow rules to register interest in multiple ast.Nodes. Adds more flexibility to how rules can work, and was needed to fix the hard coded credentials test specifically. 2016-11-13 20:55:31 +00:00			`}, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666 It seems that the os.Create will create by default a file with 0666 permissions. This should be detected when the configured permissions are less than 0666. By default will not detect this case unless the more restrictive mode is configured. Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com> 2023-09-25 12:11:00 +01:00
			`type osCreatePermissions struct {`
			`issue.MetaData`
Fix lint warning Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com> 2023-09-25 12:18:22 +01:00			`mode int64`
			`pkgs []string`
			`calls []string`
Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666 It seems that the os.Create will create by default a file with 0666 permissions. This should be detected when the configured permissions are less than 0666. By default will not detect this case unless the more restrictive mode is configured. Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com> 2023-09-25 12:11:00 +01:00			`}`

			`const defaultOsCreateMode = 0o666`

			`// ID returns the ID of the rule.`
			`func (r *osCreatePermissions) ID() string {`
			`return r.MetaData.ID`
			`}`

			`// Match checks if the rule is matched.`
			`func (r osCreatePermissions) Match(n ast.Node, c gosec.Context) (*issue.Issue, error) {`
			`for _, pkg := range r.pkgs {`
			`if _, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {`
			`if !modeIsSubset(defaultOsCreateMode, r.mode) {`
			`return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil`
			`}`
			`}`
			`}`
			`return nil, nil`
			`}`

			`// NewOsCreatePerms reates a rule to detect file creation with a more permissive than configured`
			`// permission mask.`
			`func NewOsCreatePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
			`mode := getConfiguredMode(conf, id, 0o666)`
			`return &osCreatePermissions{`
			`mode: mode,`
			`pkgs: []string{"os"},`
			`calls: []string{"Create"},`
			`MetaData: issue.MetaData{`
			`ID: id,`
			`Severity: issue.Medium,`
			`Confidence: issue.High,`
			`What: fmt.Sprintf("Expect file permissions to be %#o or less but os.Create used with default permissions %#o",`
			`mode, defaultOsCreateMode),`
			`},`
			`}, []ast.Node{(*ast.CallExpr)(nil)}`
			`}`