gosec/rules/subproc.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"go/ast"
	"go/types"

	"github.com/securego/gosec"
)

type subprocess struct {
	gosec.MetaData
	gosec.CallList
}

func (r *subprocess) ID() string {
	return r.MetaData.ID
}

// TODO(gm) The only real potential for command injection with a Go project
// is something like this:
//
// syscall.Exec("/bin/sh", []string{"-c", tainted})
//
// E.g. Input is correctly escaped but the execution context being used
// is unsafe. For example:
//
// syscall.Exec("echo", "foobar" + tainted)
func (r *subprocess) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
	if node := r.ContainsPkgCallExpr(n, c, false); node != nil {
		for _, arg := range node.Args {
			if ident, ok := arg.(*ast.Ident); ok {
				obj := c.Info.ObjectOf(ident)
				if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) {
					return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, gosec.High), nil
				}
			} else if !gosec.TryResolve(arg, c) {
				// the arg is not a constant or a variable but instead a function call or os.Args[i]
				return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with function call as argument or cmd arguments", gosec.Medium, gosec.High), nil
			}
		}
	}
	return nil, nil
}

// NewSubproc detects cases where we are forking out to an external process
func NewSubproc(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	rule := &subprocess{gosec.MetaData{ID: id}, gosec.NewCallList()}
	rule.Add("os/exec", "Command")
	rule.Add("os/exec", "CommandContext")
	rule.Add("syscall", "Exec")
	return rule, []ast.Node{(*ast.CallExpr)(nil)}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"go/ast"`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`"go/types"`
Try to resolve all elements in an expression to a known const This is used in the subprocess launching test but will be added to others as applicable. This also closes #28 2016-08-03 14:54:17 +01:00
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`"github.com/securego/gosec"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type subprocess struct {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`gosec.MetaData`
			`gosec.CallList`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`func (r *subprocess) ID() string {`
			`return r.MetaData.ID`
			`}`

Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`// TODO(gm) The only real potential for command injection with a Go project`
			`// is something like this:`
			`//`
			`// syscall.Exec("/bin/sh", []string{"-c", tainted})`
			`//`
			`// E.g. Input is correctly escaped but the execution context being used`
			`// is unsafe. For example:`
			`//`
			`// syscall.Exec("echo", "foobar" + tainted)`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (r subprocess) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00			`if node := r.ContainsPkgCallExpr(n, c, false); node != nil {`
Initial public release 2016-07-20 11:02:01 +01:00			`for _, arg := range node.Args {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`if ident, ok := arg.(*ast.Ident); ok {`
			`obj := c.Info.ObjectOf(ident)`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) {`
			`return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, gosec.High), nil`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`}`
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com> 2019-09-16 15:15:06 +01:00			`} else if !gosec.TryResolve(arg, c) {`
			`// the arg is not a constant or a variable but instead a function call or os.Args[i]`
			`return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with function call as argument or cmd arguments", gosec.Medium, gosec.High), nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`}`
			`return nil, nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewSubproc detects cases where we are forking out to an external process`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewSubproc(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
			`rule := &subprocess{gosec.MetaData{ID: id}, gosec.NewCallList()}`
Use explicit packages in call lists By allowing partial matches of selectors there are chances of collisions such as those in issue #145, this removes it to expect explicit packages for each rule. Closes #145 2018-01-05 13:05:53 +00:00			`rule.Add("os/exec", "Command")`
add CommandContext as subprocess launcher 2018-06-03 22:43:28 +01:00			`rule.Add("os/exec", "CommandContext")`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`rule.Add("syscall", "Exec")`
			`return rule, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`