// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package rules
import (
"go/ast"
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/issue"
)
// templateCheck is the gosec rule that reports calls to the html/template
// conversion functions (HTML, HTMLAttr, JS, URL) whose arguments are not
// basic literals. The "What" text of the rule records why: those
// conversions do not auto-escape their input.
type templateCheck struct {
	// MetaData carries the rule ID, description, severity and confidence
	// that are copied into every issue the rule creates.
	issue.MetaData
	// calls holds the package-qualified functions whose arguments are
	// inspected; it is filled in by NewTemplateCheck.
	calls gosec.CallList
}
// ID returns the rule identifier stored in the embedded MetaData.
// The explicit MetaData qualifier is required: the promoted field is
// shadowed by this method.
func (t *templateCheck) ID() string {
	meta := t.MetaData
	return meta.ID
}
// Match reports an issue when n is a call to one of the watched
// html/template conversion functions and at least one of its arguments is
// not a basic literal. Any other node yields (nil, nil); the error result
// is always nil.
//
// Only *ast.BasicLit arguments are treated as safe, so an identifier bound
// to a constant, a string concatenation or a nested call is all reported
// alike — the rule does not evaluate constant expressions.
func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
	call := t.calls.ContainsPkgCallExpr(n, c, false)
	if call == nil {
		return nil, nil
	}
	for _, arg := range call.Args {
		switch arg.(type) {
		case *ast.BasicLit:
			// A literal cannot carry runtime (possibly attacker-controlled) data.
			continue
		default:
			// First non-literal argument: report once and stop scanning.
			return c.NewIssue(n, t.ID(), t.What, t.Severity, t.Confidence), nil
		}
	}
	return nil, nil
}
// NewTemplateCheck constructs the template check rule. The rule reports
// calls to html/template's HTML, HTMLAttr, JS and URL conversions whose
// arguments are not literals, i.e. places where a value is marked as
// already-safe and the package's escaping is not applied.
//
// id becomes the rule ID in every issue; conf is accepted to match the
// rule-constructor signature and is not read. The second result lists the
// node kinds the rule wants to see — only *ast.CallExpr.
func NewTemplateCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	// Conversions registered in the same order as before so the call list
	// contents are unchanged.
	watched := []string{"HTML", "HTMLAttr", "JS", "URL"}
	calls := gosec.NewCallList()
	for _, fn := range watched {
		calls.Add("html/template", fn)
	}
	rule := &templateCheck{
		MetaData: issue.MetaData{
			ID:         id,
			Severity:   issue.Medium,
			Confidence: issue.Low,
			What:       "The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.",
		},
		calls: calls,
	}
	return rule, []ast.Node{(*ast.CallExpr)(nil)}
}