2018-09-04 07:55:03 +01:00
|
|
|
package rules
|
|
|
|
|
|
|
|
import (
|
|
|
|
"go/ast"
|
|
|
|
"go/types"
|
|
|
|
|
|
|
|
"github.com/securego/gosec"
|
|
|
|
)
|
|
|
|
|
|
|
|
type ssrf struct {
|
|
|
|
gosec.MetaData
|
|
|
|
gosec.CallList
|
|
|
|
}
|
|
|
|
|
|
|
|
// ID returns the identifier for this rule
|
|
|
|
func (r *ssrf) ID() string {
|
|
|
|
return r.MetaData.ID
|
|
|
|
}
|
|
|
|
|
|
|
|
// ResolveVar tries to resolve the first argument of a call expression
|
|
|
|
// The first argument is the url
|
|
|
|
func (r *ssrf) ResolveVar(n *ast.CallExpr, c *gosec.Context) bool {
|
|
|
|
if len(n.Args) > 0 {
|
|
|
|
arg := n.Args[0]
|
|
|
|
if ident, ok := arg.(*ast.Ident); ok {
|
|
|
|
obj := c.Info.ObjectOf(ident)
|
2019-10-04 12:25:38 +01:00
|
|
|
if _, ok := obj.(*types.Var); ok {
|
|
|
|
scope := c.Pkg.Scope()
|
|
|
|
if scope != nil && scope.Lookup(ident.Name) != nil {
|
|
|
|
// a URL defined in a variable at package scope can be changed at any time
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
if !gosec.TryResolve(ident, c) {
|
|
|
|
return true
|
|
|
|
}
|
2018-09-04 07:55:03 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Match inspects AST nodes to determine if certain net/http methods are called with variable input
|
|
|
|
func (r *ssrf) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
|
|
|
|
// Call expression is using http package directly
|
2018-09-25 08:40:05 +01:00
|
|
|
if node := r.ContainsCallExpr(n, c, false); node != nil {
|
2018-09-04 07:55:03 +01:00
|
|
|
if r.ResolveVar(node, c) {
|
|
|
|
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewSSRFCheck detects cases where HTTP requests are sent
|
|
|
|
func NewSSRFCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
|
|
|
rule := &ssrf{
|
|
|
|
CallList: gosec.NewCallList(),
|
|
|
|
MetaData: gosec.MetaData{
|
|
|
|
ID: id,
|
|
|
|
What: "Potential HTTP request made with variable url",
|
|
|
|
Severity: gosec.Medium,
|
|
|
|
Confidence: gosec.Medium,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
rule.AddAll("net/http", "Do", "Get", "Head", "Post", "PostForm", "RoundTrip")
|
|
|
|
return rule, []ast.Node{(*ast.CallExpr)(nil)}
|
|
|
|
}
|