gosec/rules/sql.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"go/ast"
	"regexp"

	"github.com/GoASTScanner/gas"
)

type sqlStatement struct {
	gas.MetaData
	pattern *regexp.Regexp
}

type sqlStrConcat struct {
	sqlStatement
}

// see if we can figure out what it is
func (s *sqlStrConcat) checkObject(n *ast.Ident) bool {
	if n.Obj != nil {
		return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun
	}
	return false
}

// Look for "SELECT * FROM table WHERE " + " ' OR 1=1"
func (s *sqlStrConcat) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
	if node, ok := n.(*ast.BinaryExpr); ok {
		if start, ok := node.X.(*ast.BasicLit); ok {
			if str, e := gas.GetString(start); s.pattern.MatchString(str) && e == nil {
				if _, ok := node.Y.(*ast.BasicLit); ok {
					return nil, nil // string cat OK
				}
				if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second) {
					return nil, nil
				}
				return gas.NewIssue(c, n, s.What, s.Severity, s.Confidence), nil
			}
		}
	}
	return nil, nil
}

// NewSQLStrConcat looks for cases where we are building SQL strings via concatenation
func NewSQLStrConcat(conf gas.Config) (gas.Rule, []ast.Node) {
	return &sqlStrConcat{
		sqlStatement: sqlStatement{
			pattern: regexp.MustCompile(`(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) `),
			MetaData: gas.MetaData{
				Severity:   gas.Medium,
				Confidence: gas.High,
				What:       "SQL string concatenation",
			},
		},
	}, []ast.Node{(*ast.BinaryExpr)(nil)}
}

type sqlStrFormat struct {
	sqlStatement
	calls gas.CallList
}

// Looks for "fmt.Sprintf("SELECT * FROM foo where '%s', userInput)"
func (s *sqlStrFormat) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {

	// TODO(gm) improve confidence if database/sql is being used
	if node := s.calls.ContainsCallExpr(n, c); node != nil {
		if arg, e := gas.GetString(node.Args[0]); s.pattern.MatchString(arg) && e == nil {
			return gas.NewIssue(c, n, s.What, s.Severity, s.Confidence), nil
		}
	}
	return nil, nil
}

// NewSQLStrFormat looks for cases where we're building SQL query strings using format strings
func NewSQLStrFormat(conf gas.Config) (gas.Rule, []ast.Node) {
	rule := &sqlStrFormat{
		calls: gas.NewCallList(),
		sqlStatement: sqlStatement{
			pattern: regexp.MustCompile("(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
			MetaData: gas.MetaData{
				Severity:   gas.Medium,
				Confidence: gas.High,
				What:       "SQL string formatting",
			},
		},
	}
	rule.calls.AddAll("fmt", "Sprint", "Sprintf", "Sprintln")
	return rule, []ast.Node{(*ast.CallExpr)(nil)}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"go/ast"`
			`"regexp"`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00
Restructure to focus on lib rather than cli 2017-04-26 16:08:46 +01:00			`"github.com/GoASTScanner/gas"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type sqlStatement struct {`
Initial public release 2016-07-20 11:02:01 +01:00			`gas.MetaData`
			`pattern *regexp.Regexp`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type sqlStrConcat struct {`
			`sqlStatement`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Address go vet failure in SQL rule 2016-11-03 00:12:23 +00:00			`// see if we can figure out what it is`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`func (s sqlStrConcat) checkObject(n ast.Ident) bool {`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`if n.Obj != nil {`
Address go vet failure in SQL rule 2016-11-03 00:12:23 +00:00			`return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`}`
			`return false`
			`}`

Initial public release 2016-07-20 11:02:01 +01:00			`// Look for "SELECT * FROM table WHERE " + " ' OR 1=1"`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`func (s sqlStrConcat) Match(n ast.Node, c gas.Context) (*gas.Issue, error) {`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`if node, ok := n.(*ast.BinaryExpr); ok {`
			`if start, ok := node.X.(*ast.BasicLit); ok {`
Address unhandled error conditions Closes #95 2016-12-02 18:20:23 +00:00			`if str, e := gas.GetString(start); s.pattern.MatchString(str) && e == nil {`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`if _, ok := node.Y.(*ast.BasicLit); ok {`
			`return nil, nil // string cat OK`
			`}`
			`if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second) {`
			`return nil, nil`
			`}`
			`return gas.NewIssue(c, n, s.What, s.Severity, s.Confidence), nil`
			`}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`return nil, nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewSQLStrConcat looks for cases where we are building SQL strings via concatenation`
			`func NewSQLStrConcat(conf gas.Config) (gas.Rule, []ast.Node) {`
			`return &sqlStrConcat{`
			`sqlStatement: sqlStatement{`
Fix incorrect regexp matches There are some cases where the '.' character would also match any character and could lead to incorrect results. For example the regular expression - `^ioutils.WriteFile$' would match ioutils.WriteFile, but also ioutils_WriteFile. Additionally made sure that all regexp were declared using raw strings to avoid any unnecesary string escaping that potentially make the regexp difficult to read. 2016-07-30 21:29:33 +01:00			pattern: regexp.MustCompile(`(?)(SELECT\|DELETE\|INSERT\|UPDATE\|INTO\|FROM\|WHERE) `),
Initial public release 2016-07-20 11:02:01 +01:00			`MetaData: gas.MetaData{`
			`Severity: gas.Medium,`
			`Confidence: gas.High,`
			`What: "SQL string concatenation",`
			`},`
			`},`
Allow rules to register against multiple ast nodes Update the AddRule interface to allow rules to register interest in multiple ast.Nodes. Adds more flexibility to how rules can work, and was needed to fix the hard coded credentials test specifically. 2016-11-13 20:55:31 +00:00			`}, []ast.Node{(*ast.BinaryExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type sqlStrFormat struct {`
			`sqlStatement`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`calls gas.CallList`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

			`// Looks for "fmt.Sprintf("SELECT * FROM foo where '%s', userInput)"`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`func (s sqlStrFormat) Match(n ast.Node, c gas.Context) (*gas.Issue, error) {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00
			`// TODO(gm) improve confidence if database/sql is being used`
			`if node := s.calls.ContainsCallExpr(n, c); node != nil {`
Address unhandled error conditions Closes #95 2016-12-02 18:20:23 +00:00			`if arg, e := gas.GetString(node.Args[0]); s.pattern.MatchString(arg) && e == nil {`
Initial public release 2016-07-20 11:02:01 +01:00			`return gas.NewIssue(c, n, s.What, s.Severity, s.Confidence), nil`
			`}`
			`}`
			`return nil, nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewSQLStrFormat looks for cases where we're building SQL query strings using format strings`
			`func NewSQLStrFormat(conf gas.Config) (gas.Rule, []ast.Node) {`
			`rule := &sqlStrFormat{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`calls: gas.NewCallList(),`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`sqlStatement: sqlStatement{`
Initial public release 2016-07-20 11:02:01 +01:00			`pattern: regexp.MustCompile("(?)(SELECT\|DELETE\|INSERT\|UPDATE\|INTO\|FROM\|WHERE) "),`
			`MetaData: gas.MetaData{`
			`Severity: gas.Medium,`
			`Confidence: gas.High,`
			`What: "SQL string formatting",`
			`},`
			`},`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`}`
			`rule.calls.AddAll("fmt", "Sprint", "Sprintf", "Sprintln")`
			`return rule, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`