gosec/rules/sql.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"go/ast"
	"regexp"

	"github.com/securego/gosec"
)

type sqlStatement struct {
	gosec.MetaData

	// Contains a list of patterns which must all match for the rule to match.
	patterns []*regexp.Regexp
}

func (s *sqlStatement) ID() string {
	return s.MetaData.ID
}

// See if the string matches the patterns for the statement.
func (s *sqlStatement) MatchPatterns(str string) bool {
	for _, pattern := range s.patterns {
		if !pattern.MatchString(str) {
			return false
		}
	}
	return true
}

type sqlStrConcat struct {
	sqlStatement
}

func (s *sqlStrConcat) ID() string {
	return s.MetaData.ID
}

// see if we can figure out what it is
func (s *sqlStrConcat) checkObject(n *ast.Ident) bool {
	if n.Obj != nil {
		return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun
	}
	return false
}

// Look for "SELECT * FROM table WHERE " + " ' OR 1=1"
func (s *sqlStrConcat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
	if node, ok := n.(*ast.BinaryExpr); ok {
		if start, ok := node.X.(*ast.BasicLit); ok {
			if str, e := gosec.GetString(start); e == nil {
				if !s.MatchPatterns(str) {
					return nil, nil
				}
				if _, ok := node.Y.(*ast.BasicLit); ok {
					return nil, nil // string cat OK
				}
				if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second) {
					return nil, nil
				}
				return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
			}
		}
	}
	return nil, nil
}

// NewSQLStrConcat looks for cases where we are building SQL strings via concatenation
func NewSQLStrConcat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	return &sqlStrConcat{
		sqlStatement: sqlStatement{
			patterns: []*regexp.Regexp{
				regexp.MustCompile(`(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) `),
			},
			MetaData: gosec.MetaData{
				ID:         id,
				Severity:   gosec.Medium,
				Confidence: gosec.High,
				What:       "SQL string concatenation",
			},
		},
	}, []ast.Node{(*ast.BinaryExpr)(nil)}
}

type sqlStrFormat struct {
	sqlStatement
	calls gosec.CallList
}

// Looks for "fmt.Sprintf("SELECT * FROM foo where '%s', userInput)"
func (s *sqlStrFormat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {

	// TODO(gm) improve confidence if database/sql is being used
	if node := s.calls.ContainsCallExpr(n, c); node != nil {
		if arg, e := gosec.GetString(node.Args[0]); s.MatchPatterns(arg) && e == nil {
			return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
		}
	}
	return nil, nil
}

// NewSQLStrFormat looks for cases where we're building SQL query strings using format strings
func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	rule := &sqlStrFormat{
		calls: gosec.NewCallList(),
		sqlStatement: sqlStatement{
			patterns: []*regexp.Regexp{
				regexp.MustCompile("(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
				regexp.MustCompile("%[^bdoxXfFp]"),
			},
			MetaData: gosec.MetaData{
				ID:         id,
				Severity:   gosec.Medium,
				Confidence: gosec.High,
				What:       "SQL string formatting",
			},
		},
	}
	rule.calls.AddAll("fmt", "Sprint", "Sprintf", "Sprintln")
	return rule, []ast.Node{(*ast.CallExpr)(nil)}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"go/ast"`
			`"regexp"`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`"github.com/securego/gosec"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type sqlStatement struct {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`gosec.MetaData`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00
			`// Contains a list of patterns which must all match for the rule to match.`
			`patterns []*regexp.Regexp`
			`}`

Build improvments (#179) * Add a semantic version to the usage text * Add a comment to the version function * Inject the version, git tag and build date as build variables * Update README * Fix lint warnings * Update README * Manage dependencies with dep tool instead of godep * Add a Makefile for common build tasks * Update the build file to use the make tool * Update Dockerfile * Add docker entry point in to make the passing of arguments easy * Update README * Add missing tools to the build * Drop 1.7 support and add 1.10 * Fix Go 1.10 according with the travis guidelines https://docs.travis-ci.com/user/languages/go/ * Update the tls-observatory package * Fix lint warnings * Change the output of the tests to be more verbose * Check if the are build errors before executing the rule test 2018-03-12 22:57:10 +00:00			`func (s *sqlStatement) ID() string {`
			`return s.MetaData.ID`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`}`

Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`// See if the string matches the patterns for the statement.`
Build improvments (#179) * Add a semantic version to the usage text * Add a comment to the version function * Inject the version, git tag and build date as build variables * Update README * Fix lint warnings * Update README * Manage dependencies with dep tool instead of godep * Add a Makefile for common build tasks * Update the build file to use the make tool * Update Dockerfile * Add docker entry point in to make the passing of arguments easy * Update README * Add missing tools to the build * Drop 1.7 support and add 1.10 * Fix Go 1.10 according with the travis guidelines https://docs.travis-ci.com/user/languages/go/ * Update the tls-observatory package * Fix lint warnings * Change the output of the tests to be more verbose * Check if the are build errors before executing the rule test 2018-03-12 22:57:10 +00:00			`func (s *sqlStatement) MatchPatterns(str string) bool {`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`for _, pattern := range s.patterns {`
			`if !pattern.MatchString(str) {`
			`return false`
			`}`
			`}`
			`return true`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type sqlStrConcat struct {`
			`sqlStatement`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Build improvments (#179) * Add a semantic version to the usage text * Add a comment to the version function * Inject the version, git tag and build date as build variables * Update README * Fix lint warnings * Update README * Manage dependencies with dep tool instead of godep * Add a Makefile for common build tasks * Update the build file to use the make tool * Update Dockerfile * Add docker entry point in to make the passing of arguments easy * Update README * Add missing tools to the build * Drop 1.7 support and add 1.10 * Fix Go 1.10 according with the travis guidelines https://docs.travis-ci.com/user/languages/go/ * Update the tls-observatory package * Fix lint warnings * Change the output of the tests to be more verbose * Check if the are build errors before executing the rule test 2018-03-12 22:57:10 +00:00			`func (s *sqlStrConcat) ID() string {`
			`return s.MetaData.ID`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`}`

Address go vet failure in SQL rule 2016-11-03 00:12:23 +00:00			`// see if we can figure out what it is`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`func (s sqlStrConcat) checkObject(n ast.Ident) bool {`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`if n.Obj != nil {`
Address go vet failure in SQL rule 2016-11-03 00:12:23 +00:00			`return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`}`
			`return false`
			`}`

Initial public release 2016-07-20 11:02:01 +01:00			`// Look for "SELECT * FROM table WHERE " + " ' OR 1=1"`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (s sqlStrConcat) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`if node, ok := n.(*ast.BinaryExpr); ok {`
			`if start, ok := node.X.(*ast.BasicLit); ok {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`if str, e := gosec.GetString(start); e == nil {`
Rebase to master 2018-01-22 18:45:07 +00:00			`if !s.MatchPatterns(str) {`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`return nil, nil`
			`}`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`if _, ok := node.Y.(*ast.BasicLit); ok {`
			`return nil, nil // string cat OK`
			`}`
			`if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second) {`
			`return nil, nil`
			`}`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`return nil, nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewSQLStrConcat looks for cases where we are building SQL strings via concatenation`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewSQLStrConcat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
Rebase to master 2018-01-22 18:45:07 +00:00			`return &sqlStrConcat{`
			`sqlStatement: sqlStatement{`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`patterns: []*regexp.Regexp{`
			regexp.MustCompile(`(?)(SELECT\|DELETE\|INSERT\|UPDATE\|INTO\|FROM\|WHERE) `),
			`},`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`MetaData: gosec.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`Severity: gosec.Medium,`
			`Confidence: gosec.High,`
Initial public release 2016-07-20 11:02:01 +01:00			`What: "SQL string concatenation",`
			`},`
			`},`
Allow rules to register against multiple ast nodes Update the AddRule interface to allow rules to register interest in multiple ast.Nodes. Adds more flexibility to how rules can work, and was needed to fix the hard coded credentials test specifically. 2016-11-13 20:55:31 +00:00			`}, []ast.Node{(*ast.BinaryExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type sqlStrFormat struct {`
			`sqlStatement`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`calls gosec.CallList`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

			`// Looks for "fmt.Sprintf("SELECT * FROM foo where '%s', userInput)"`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (s sqlStrFormat) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00
			`// TODO(gm) improve confidence if database/sql is being used`
			`if node := s.calls.ContainsCallExpr(n, c); node != nil {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`if arg, e := gosec.GetString(node.Args[0]); s.MatchPatterns(arg) && e == nil {`
			`return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`return nil, nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewSQLStrFormat looks for cases where we're building SQL query strings using format strings`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`rule := &sqlStrFormat{`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`calls: gosec.NewCallList(),`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`sqlStatement: sqlStatement{`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`patterns: []*regexp.Regexp{`
			`regexp.MustCompile("(?)(SELECT\|DELETE\|INSERT\|UPDATE\|INTO\|FROM\|WHERE) "),`
			`regexp.MustCompile("%[^bdoxXfFp]"),`
			`},`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`MetaData: gosec.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`Severity: gosec.Medium,`
			`Confidence: gosec.High,`
Initial public release 2016-07-20 11:02:01 +01:00			`What: "SQL string formatting",`
			`},`
			`},`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`}`
			`rule.calls.AddAll("fmt", "Sprint", "Sprintf", "Sprintln")`
			`return rule, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`