gosec/rules/fileperms.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"fmt"
	"go/ast"
	"strconv"

	"github.com/securego/gosec/v2"
)

type filePermissions struct {
	gosec.MetaData
	mode  int64
	pkgs  []string
	calls []string
}

func (r *filePermissions) ID() string {
	return r.MetaData.ID
}

func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMode int64) int64 {
	mode := defaultMode
	if value, ok := conf[configKey]; ok {
		switch value := value.(type) {
		case int64:
			mode = value
		case string:
			if m, e := strconv.ParseInt(value, 0, 64); e != nil {
				mode = defaultMode
			} else {
				mode = m
			}
		}
	}
	return mode
}

func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
	for _, pkg := range r.pkgs {
		if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
			modeArg := callexpr.Args[len(callexpr.Args)-1]
			if mode, err := gosec.GetInt(modeArg); err == nil && mode > r.mode {
				return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
			}
		}
	}
	return nil, nil
}

// NewWritePerms creates a rule to detect file Writes with bad permissions.
func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	mode := getConfiguredMode(conf, "G306", 0600)
	return &filePermissions{
		mode:  mode,
		pkgs:  []string{"io/ioutil", "os"},
		calls: []string{"WriteFile"},
		MetaData: gosec.MetaData{
			ID:         id,
			Severity:   gosec.Medium,
			Confidence: gosec.High,
			What:       fmt.Sprintf("Expect WriteFile permissions to be %#o or less", mode),
		},
	}, []ast.Node{(*ast.CallExpr)(nil)}
}

// NewFilePerms creates a rule to detect file creation with a more permissive than configured
// permission mask.
func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	mode := getConfiguredMode(conf, "G302", 0600)
	return &filePermissions{
		mode:  mode,
		pkgs:  []string{"os"},
		calls: []string{"OpenFile", "Chmod"},
		MetaData: gosec.MetaData{
			ID:         id,
			Severity:   gosec.Medium,
			Confidence: gosec.High,
			What:       fmt.Sprintf("Expect file permissions to be %#o or less", mode),
		},
	}, []ast.Node{(*ast.CallExpr)(nil)}
}

// NewMkdirPerms creates a rule to detect directory creation with more permissive than
// configured permission mask.
func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	mode := getConfiguredMode(conf, "G301", 0750)
	return &filePermissions{
		mode:  mode,
		pkgs:  []string{"os"},
		calls: []string{"Mkdir", "MkdirAll"},
		MetaData: gosec.MetaData{
			ID:         id,
			Severity:   gosec.Medium,
			Confidence: gosec.High,
			What:       fmt.Sprintf("Expect directory permissions to be %#o or less", mode),
		},
	}, []ast.Node{(*ast.CallExpr)(nil)}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"fmt"`
			`"go/ast"`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`"strconv"`
Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00
Handle properly the gosec module version v2 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-04-01 21:18:39 +01:00			`"github.com/securego/gosec/v2"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type filePermissions struct {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`gosec.MetaData`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`mode int64`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`pkgs []string`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`calls []string`
			`}`

Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`func (r *filePermissions) ID() string {`
			`return r.MetaData.ID`
			`}`

Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMode int64) int64 {`
Fix lint and fail on error in the ci build 2021-05-31 09:44:12 +01:00			`mode := defaultMode`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`if value, ok := conf[configKey]; ok {`
Fix some lint warnings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2019-04-30 10:32:06 +01:00			`switch value := value.(type) {`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`case int64:`
Fix some lint warnings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2019-04-30 10:32:06 +01:00			`mode = value`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`case string:`
Fix some lint warnings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2019-04-30 10:32:06 +01:00			`if m, e := strconv.ParseInt(value, 0, 64); e != nil {`
Address unhandled error conditions Closes #95 2016-12-02 18:20:23 +00:00			`mode = defaultMode`
			`} else {`
			`mode = m`
			`}`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`}`
			`}`
			`return mode`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (r filePermissions) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`for _, pkg := range r.pkgs {`
			`if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {`
			`modeArg := callexpr.Args[len(callexpr.Args)-1]`
			`if mode, err := gosec.GetInt(modeArg); err == nil && mode > r.mode {`
			`return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil`
			`}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`return nil, nil`
			`}`

Fileperms (#442) 2020-02-28 11:48:18 +00:00			`// NewWritePerms creates a rule to detect file Writes with bad permissions.`
			`func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
			`mode := getConfiguredMode(conf, "G306", 0600)`
			`return &filePermissions{`
			`mode: mode,`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`pkgs: []string{"io/ioutil", "os"},`
Fileperms (#442) 2020-02-28 11:48:18 +00:00			`calls: []string{"WriteFile"},`
			`MetaData: gosec.MetaData{`
			`ID: id,`
			`Severity: gosec.Medium,`
			`Confidence: gosec.High,`
			`What: fmt.Sprintf("Expect WriteFile permissions to be %#o or less", mode),`
			`},`
			`}, []ast.Node{(*ast.CallExpr)(nil)}`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewFilePerms creates a rule to detect file creation with a more permissive than configured`
			`// permission mask.`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`mode := getConfiguredMode(conf, "G302", 0600)`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`return &filePermissions{`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`mode: mode,`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`pkgs: []string{"os"},`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`calls: []string{"OpenFile", "Chmod"},`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`MetaData: gosec.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`Severity: gosec.Medium,`
			`Confidence: gosec.High,`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`What: fmt.Sprintf("Expect file permissions to be %#o or less", mode),`
Initial public release 2016-07-20 11:02:01 +01:00			`},`
Allow rules to register against multiple ast nodes Update the AddRule interface to allow rules to register interest in multiple ast.Nodes. Adds more flexibility to how rules can work, and was needed to fix the hard coded credentials test specifically. 2016-11-13 20:55:31 +00:00			`}, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewMkdirPerms creates a rule to detect directory creation with more permissive than`
			`// configured permission mask.`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
Make the folder permissions more permissive to avoid false positives (#175) 2018-02-15 09:53:01 +00:00			`mode := getConfiguredMode(conf, "G301", 0750)`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`return &filePermissions{`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`mode: mode,`
fix: WriteParams rule to work also with golang 1.16 (#577) In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576 2021-02-22 08:22:04 +00:00			`pkgs: []string{"os"},`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`calls: []string{"Mkdir", "MkdirAll"},`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`MetaData: gosec.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`Severity: gosec.Medium,`
			`Confidence: gosec.High,`
Initial public release 2016-07-20 11:02:01 +01:00			`What: fmt.Sprintf("Expect directory permissions to be %#o or less", mode),`
			`},`
Allow rules to register against multiple ast nodes Update the AddRule interface to allow rules to register interest in multiple ast.Nodes. Adds more flexibility to how rules can work, and was needed to fix the hard coded credentials test specifically. 2016-11-13 20:55:31 +00:00			`}, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`