gosec/rules/readfile.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"go/ast"
	"go/types"

	"github.com/securego/gosec"
)

type readfile struct {
	gosec.MetaData
	gosec.CallList
}

// ID returns the identifier for this rule
func (r *readfile) ID() string {
	return r.MetaData.ID
}

// Match inspects AST nodes to determine if the match the methods `os.Open` or `ioutil.ReadFile`
func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
	if node := r.ContainsCallExpr(n, c); node != nil {
		for _, arg := range node.Args {
			if ident, ok := arg.(*ast.Ident); ok {
				obj := c.Info.ObjectOf(ident)
				if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) {
					return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
				}
			}
		}
	}
	return nil, nil
}

// NewReadFile detects cases where we read files
func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	rule := &readfile{
		CallList: gosec.NewCallList(),
		MetaData: gosec.MetaData{
			ID:         id,
			What:       "Potential file inclusion via variable",
			Severity:   gosec.Medium,
			Confidence: gosec.High,
		},
	}
	rule.Add("io/ioutil", "ReadFile")
	rule.Add("os", "Open")
	return rule, []ast.Node{(*ast.CallExpr)(nil)}
}
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import 2018-03-08 23:23:27 +00:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"go/ast"`
			`"go/types"`

Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`"github.com/securego/gosec"`
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import 2018-03-08 23:23:27 +00:00			`)`

			`type readfile struct {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`gosec.MetaData`
			`gosec.CallList`
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import 2018-03-08 23:23:27 +00:00			`}`

Port readfile rule to include ID and metadata 2018-03-09 01:27:41 +00:00			`// ID returns the identifier for this rule`
			`func (r *readfile) ID() string {`
			`return r.MetaData.ID`
			`}`

New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import 2018-03-08 23:23:27 +00:00			// Match inspects AST nodes to determine if the match the methods `os.Open` or `ioutil.ReadFile`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (r readfile) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import 2018-03-08 23:23:27 +00:00			`if node := r.ContainsCallExpr(n, c); node != nil {`
			`for _, arg := range node.Args {`
			`if ident, ok := arg.(*ast.Ident); ok {`
			`obj := c.Info.ObjectOf(ident)`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) {`
			`return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil`
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import 2018-03-08 23:23:27 +00:00			`}`
			`}`
			`}`
			`}`
			`return nil, nil`
			`}`

			`// NewReadFile detects cases where we read files`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
Port readfile rule to include ID and metadata 2018-03-09 01:27:41 +00:00			`rule := &readfile{`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`CallList: gosec.NewCallList(),`
			`MetaData: gosec.MetaData{`
Port readfile rule to include ID and metadata 2018-03-09 01:27:41 +00:00			`ID: id,`
			`What: "Potential file inclusion via variable",`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`Severity: gosec.Medium,`
			`Confidence: gosec.High,`
fix gofmt errors 2018-03-09 02:49:01 +00:00			`},`
			`}`
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import 2018-03-08 23:23:27 +00:00			`rule.Add("io/ioutil", "ReadFile")`
			`rule.Add("os", "Open")`
			`return rule, []ast.Node{(*ast.CallExpr)(nil)}`
			`}`