gosec/rules/ssrf.go

package rules

import (
	"go/ast"
	"go/types"

	"github.com/securego/gosec"
)

type ssrf struct {
	gosec.MetaData
	gosec.CallList
}

// ID returns the identifier for this rule
func (r *ssrf) ID() string {
	return r.MetaData.ID
}

// ResolveVar tries to resolve the first argument of a call expression
// The first argument is the url
func (r *ssrf) ResolveVar(n *ast.CallExpr, c *gosec.Context) bool {
	if len(n.Args) > 0 {
		arg := n.Args[0]
		if ident, ok := arg.(*ast.Ident); ok {
			obj := c.Info.ObjectOf(ident)
			if _, ok := obj.(*types.Var); ok {
				scope := c.Pkg.Scope()
				if scope != nil && scope.Lookup(ident.Name) != nil {
					// a URL defined in a variable at package scope can be changed at any time
					return true
				}
				if !gosec.TryResolve(ident, c) {
					return true
				}
			}
		}
	}
	return false
}

// Match inspects AST nodes to determine if certain net/http methods are called with variable input
func (r *ssrf) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
	// Call expression is using http package directly
	if node := r.ContainsPkgCallExpr(n, c, false); node != nil {
		if r.ResolveVar(node, c) {
			return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
		}
	}
	return nil, nil
}

// NewSSRFCheck detects cases where HTTP requests are sent
func NewSSRFCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	rule := &ssrf{
		CallList: gosec.NewCallList(),
		MetaData: gosec.MetaData{
			ID:         id,
			What:       "Potential HTTP request made with variable url",
			Severity:   gosec.Medium,
			Confidence: gosec.Medium,
		},
	}
	rule.AddAll("net/http", "Do", "Get", "Head", "Post", "PostForm", "RoundTrip")
	return rule, []ast.Node{(*ast.CallExpr)(nil)}
}
G107 - SSRF (#236) * Initial SSRF Rule * Added Selector evaluation * Added source code tests * Fixed spacing issues * Fixed Spacingv2 * Removed resty test 2018-09-04 07:55:03 +01:00			`package rules`

			`import (`
			`"go/ast"`
			`"go/types"`

			`"github.com/securego/gosec"`
			`)`

			`type ssrf struct {`
			`gosec.MetaData`
			`gosec.CallList`
			`}`

			`// ID returns the identifier for this rule`
			`func (r *ssrf) ID() string {`
			`return r.MetaData.ID`
			`}`

			`// ResolveVar tries to resolve the first argument of a call expression`
			`// The first argument is the url`
			`func (r ssrf) ResolveVar(n ast.CallExpr, c *gosec.Context) bool {`
			`if len(n.Args) > 0 {`
			`arg := n.Args[0]`
			`if ident, ok := arg.(*ast.Ident); ok {`
			`obj := c.Info.ObjectOf(ident)`
Improve the SSRF rule to report an issue for package scoped variables Made also the rule to not report an issue when encountering function scoped variable which terminate in a basic literal such as a string. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2019-10-04 12:25:38 +01:00			`if _, ok := obj.(*types.Var); ok {`
			`scope := c.Pkg.Scope()`
			`if scope != nil && scope.Lookup(ident.Name) != nil {`
			`// a URL defined in a variable at package scope can be changed at any time`
			`return true`
			`}`
			`if !gosec.TryResolve(ident, c) {`
			`return true`
			`}`
G107 - SSRF (#236) * Initial SSRF Rule * Added Selector evaluation * Added source code tests * Fixed spacing issues * Fixed Spacingv2 * Removed resty test 2018-09-04 07:55:03 +01:00			`}`
			`}`
			`}`
			`return false`
			`}`

			`// Match inspects AST nodes to determine if certain net/http methods are called with variable input`
			`func (r ssrf) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
			`// Call expression is using http package directly`
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00			`if node := r.ContainsPkgCallExpr(n, c, false); node != nil {`
G107 - SSRF (#236) * Initial SSRF Rule * Added Selector evaluation * Added source code tests * Fixed spacing issues * Fixed Spacingv2 * Removed resty test 2018-09-04 07:55:03 +01:00			`if r.ResolveVar(node, c) {`
			`return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil`
			`}`
			`}`
			`return nil, nil`
			`}`

			`// NewSSRFCheck detects cases where HTTP requests are sent`
			`func NewSSRFCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
			`rule := &ssrf{`
			`CallList: gosec.NewCallList(),`
			`MetaData: gosec.MetaData{`
			`ID: id,`
			`What: "Potential HTTP request made with variable url",`
			`Severity: gosec.Medium,`
			`Confidence: gosec.Medium,`
			`},`
			`}`
			`rule.AddAll("net/http", "Do", "Get", "Head", "Post", "PostForm", "RoundTrip")`
			`return rule, []ast.Node{(*ast.CallExpr)(nil)}`
			`}`