gosec/rules/tls.go

126 lines
3.6 KiB
Go
Raw Normal View History

2016-07-20 11:02:01 +01:00
// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//go:generate tlsconfig
2016-07-20 11:02:01 +01:00
package rules
import (
"fmt"
"go/ast"
"github.com/GoASTScanner/gas"
2016-07-20 11:02:01 +01:00
)
2017-12-13 07:39:00 +00:00
type insecureConfigTLS struct {
MinVersion int16
MaxVersion int16
requiredType string
goodCiphers []string
2016-07-20 11:02:01 +01:00
}
func stringInSlice(a string, list []string) bool {
for _, b := range list {
if b == a {
return true
}
}
return false
}
2017-12-13 07:39:00 +00:00
func (t *insecureConfigTLS) processTLSCipherSuites(n ast.Node, c *gas.Context) *gas.Issue {
2017-12-28 06:54:10 +00:00
if ciphers, ok := n.(*ast.CompositeLit); ok {
for _, cipher := range ciphers.Elts {
if ident, ok := cipher.(*ast.SelectorExpr); ok {
2016-07-20 11:02:01 +01:00
if !stringInSlice(ident.Sel.Name, t.goodCiphers) {
2017-12-28 06:54:10 +00:00
err := fmt.Sprintf("TLS Bad Cipher Suite: %s", ident.Sel.Name)
return gas.NewIssue(c, ident, err, gas.High, gas.High)
2016-07-20 11:02:01 +01:00
}
}
}
}
return nil
}
func (t *insecureConfigTLS) processTLSConfVal(n *ast.KeyValueExpr, c *gas.Context) *gas.Issue {
2016-07-20 11:02:01 +01:00
if ident, ok := n.Key.(*ast.Ident); ok {
switch ident.Name {
2017-12-28 06:54:10 +00:00
2016-07-20 11:02:01 +01:00
case "InsecureSkipVerify":
if node, ok := n.Value.(*ast.Ident); ok {
if node.Name != "false" {
return gas.NewIssue(c, n, "TLS InsecureSkipVerify set true.", gas.High, gas.High)
}
} else {
// TODO(tk): symbol tab look up to get the actual value
return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)
}
case "PreferServerCipherSuites":
if node, ok := n.Value.(*ast.Ident); ok {
if node.Name == "false" {
return gas.NewIssue(c, n, "TLS PreferServerCipherSuites set false.", gas.Medium, gas.High)
}
} else {
// TODO(tk): symbol tab look up to get the actual value
return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low)
}
2016-07-20 11:02:01 +01:00
case "MinVersion":
if ival, ierr := gas.GetInt(n.Value); ierr == nil {
if (int16)(ival) < t.MinVersion {
return gas.NewIssue(c, n, "TLS MinVersion too low.", gas.High, gas.High)
}
// TODO(tk): symbol tab look up to get the actual value
return gas.NewIssue(c, n, "TLS MinVersion may be too low.", gas.High, gas.Low)
}
case "MaxVersion":
if ival, ierr := gas.GetInt(n.Value); ierr == nil {
if (int16)(ival) < t.MaxVersion {
return gas.NewIssue(c, n, "TLS MaxVersion too low.", gas.High, gas.High)
}
// TODO(tk): symbol tab look up to get the actual value
return gas.NewIssue(c, n, "TLS MaxVersion may be too low.", gas.High, gas.Low)
}
case "CipherSuites":
2017-12-28 06:54:10 +00:00
if ret := t.processTLSCipherSuites(n.Value, c); ret != nil {
2016-07-20 11:02:01 +01:00
return ret
}
2016-07-20 11:02:01 +01:00
}
2016-07-20 11:02:01 +01:00
}
return nil
}
2017-12-28 06:54:10 +00:00
func (t *insecureConfigTLS) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
if complit, ok := n.(*ast.CompositeLit); ok && complit.Type != nil {
actualType := c.Info.TypeOf(complit.Type)
if actualType != nil && actualType.String() == t.requiredType {
for _, elt := range complit.Elts {
if kve, ok := elt.(*ast.KeyValueExpr); ok {
issue := t.processTLSConfVal(kve, c)
if issue != nil {
return issue, nil
}
2016-07-20 11:02:01 +01:00
}
}
}
}
2017-12-28 06:54:10 +00:00
return nil, nil
2016-07-20 11:02:01 +01:00
}