gosec/rules/subproc.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"go/ast"
	"go/types"

	"github.com/GoASTScanner/gas"
)

type subprocess struct {
	gas.MetaData
	gas.CallList
}

func (r *subprocess) ID() string {
	return r.MetaData.ID
}

// TODO(gm) The only real potential for command injection with a Go project
// is something like this:
//
// syscall.Exec("/bin/sh", []string{"-c", tainted})
//
// E.g. Input is correctly escaped but the execution context being used
// is unsafe. For example:
//
// syscall.Exec("echo", "foobar" + tainted)
func (r *subprocess) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
	if node := r.ContainsCallExpr(n, c); node != nil {
		for _, arg := range node.Args {
			if ident, ok := arg.(*ast.Ident); ok {
				obj := c.Info.ObjectOf(ident)
				if _, ok := obj.(*types.Var); ok && !gas.TryResolve(ident, c) {
					return gas.NewIssue(c, n, "Subprocess launched with variable", gas.Medium, gas.High), nil
				}
			}
		}
		return gas.NewIssue(c, n, "Subprocess launching should be audited", gas.Low, gas.High), nil
	}
	return nil, nil
}

// NewSubproc detects cases where we are forking out to an external process
func NewSubproc(id string, conf gas.Config) (gas.Rule, []ast.Node) {
	rule := &subprocess{gas.MetaData{ID: id}, gas.NewCallList()}
	rule.Add("os/exec", "Command")
	rule.Add("syscall", "Exec")
	return rule, []ast.Node{(*ast.CallExpr)(nil)}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"go/ast"`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`"go/types"`
Try to resolve all elements in an expression to a known const This is used in the subprocess launching test but will be added to others as applicable. This also closes #28 2016-08-03 14:54:17 +01:00
Restructure to focus on lib rather than cli 2017-04-26 16:08:46 +01:00			`"github.com/GoASTScanner/gas"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type subprocess struct {`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`gas.MetaData`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`gas.CallList`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`func (r *subprocess) ID() string {`
			`return r.MetaData.ID`
			`}`

Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`// TODO(gm) The only real potential for command injection with a Go project`
			`// is something like this:`
			`//`
			`// syscall.Exec("/bin/sh", []string{"-c", tainted})`
			`//`
			`// E.g. Input is correctly escaped but the execution context being used`
			`// is unsafe. For example:`
			`//`
			`// syscall.Exec("echo", "foobar" + tainted)`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`func (r subprocess) Match(n ast.Node, c gas.Context) (*gas.Issue, error) {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`if node := r.ContainsCallExpr(n, c); node != nil {`
Initial public release 2016-07-20 11:02:01 +01:00			`for _, arg := range node.Args {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`if ident, ok := arg.(*ast.Ident); ok {`
			`obj := c.Info.ObjectOf(ident)`
			`if _, ok := obj.(*types.Var); ok && !gas.TryResolve(ident, c) {`
			`return gas.NewIssue(c, n, "Subprocess launched with variable", gas.Medium, gas.High), nil`
			`}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`return gas.NewIssue(c, n, "Subprocess launching should be audited", gas.Low, gas.High), nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`return nil, nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewSubproc detects cases where we are forking out to an external process`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`func NewSubproc(id string, conf gas.Config) (gas.Rule, []ast.Node) {`
			`rule := &subprocess{gas.MetaData{ID: id}, gas.NewCallList()}`
Use explicit packages in call lists By allowing partial matches of selectors there are chances of collisions such as those in issue #145, this removes it to expect explicit packages for each rule. Closes #145 2018-01-05 13:05:53 +00:00			`rule.Add("os/exec", "Command")`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`rule.Add("syscall", "Exec")`
			`return rule, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`