gosec/rules/tls.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:generate tlsconfig

package rules

import (
	"fmt"
	"go/ast"

	"github.com/GoASTScanner/gas"
)

type insecureConfigTLS struct {
	MinVersion   int16
	MaxVersion   int16
	requiredType string
	goodCiphers  []string
}

func stringInSlice(a string, list []string) bool {
	for _, b := range list {
		if b == a {
			return true
		}
	}
	return false
}

func (t *insecureConfigTLS) processTLSCipherSuites(n ast.Node, c *gas.Context) *gas.Issue {

	if ciphers, ok := n.(*ast.CompositeLit); ok {
		for _, cipher := range ciphers.Elts {
			if ident, ok := cipher.(*ast.SelectorExpr); ok {
				if !stringInSlice(ident.Sel.Name, t.goodCiphers) {
					err := fmt.Sprintf("TLS Bad Cipher Suite: %s", ident.Sel.Name)
					return gas.NewIssue(c, ident, err, gas.High, gas.High)
				}
			}
		}
	}
	return nil
}

func (t *insecureConfigTLS) processTLSConfVal(n *ast.KeyValueExpr, c *gas.Context) *gas.Issue {
	if ident, ok := n.Key.(*ast.Ident); ok {
		switch ident.Name {

		case "InsecureSkipVerify":
			if node, ok := n.Value.(*ast.Ident); ok {
				if node.Name != "false" {
					return gas.NewIssue(c, n, "TLS InsecureSkipVerify set true.", gas.High, gas.High)
				}
			} else {
				// TODO(tk): symbol tab look up to get the actual value
				return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)
			}

		case "PreferServerCipherSuites":
			if node, ok := n.Value.(*ast.Ident); ok {
				if node.Name == "false" {
					return gas.NewIssue(c, n, "TLS PreferServerCipherSuites set false.", gas.Medium, gas.High)
				}
			} else {
				// TODO(tk): symbol tab look up to get the actual value
				return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low)
			}

		case "MinVersion":
			if ival, ierr := gas.GetInt(n.Value); ierr == nil {
				if (int16)(ival) < t.MinVersion {
					return gas.NewIssue(c, n, "TLS MinVersion too low.", gas.High, gas.High)
				}
				// TODO(tk): symbol tab look up to get the actual value
				return gas.NewIssue(c, n, "TLS MinVersion may be too low.", gas.High, gas.Low)
			}

		case "MaxVersion":
			if ival, ierr := gas.GetInt(n.Value); ierr == nil {
				if (int16)(ival) < t.MaxVersion {
					return gas.NewIssue(c, n, "TLS MaxVersion too low.", gas.High, gas.High)
				}
				// TODO(tk): symbol tab look up to get the actual value
				return gas.NewIssue(c, n, "TLS MaxVersion may be too low.", gas.High, gas.Low)
			}

		case "CipherSuites":
			if ret := t.processTLSCipherSuites(n.Value, c); ret != nil {
				return ret
			}

		}

	}
	return nil
}

func (t *insecureConfigTLS) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
	if complit, ok := n.(*ast.CompositeLit); ok && complit.Type != nil && c.Info.TypeOf(complit.Type).String() == t.requiredType {
		for _, elt := range complit.Elts {
			if kve, ok := elt.(*ast.KeyValueExpr); ok {
				issue := t.processTLSConfVal(kve, c)
				if issue != nil {
					return issue, nil
				}
			}
		}
	}
	return nil, nil
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions 2018-02-21 05:59:18 +00:00			`//go:generate tlsconfig`

Initial public release 2016-07-20 11:02:01 +01:00			`package rules`

			`import (`
			`"fmt"`
			`"go/ast"`

Restructure to focus on lib rather than cli 2017-04-26 16:08:46 +01:00			`"github.com/GoASTScanner/gas"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix hound-ci errors 2017-12-13 07:39:00 +00:00			`type insecureConfigTLS struct {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`MinVersion int16`
			`MaxVersion int16`
			`requiredType string`
			`goodCiphers []string`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

			`func stringInSlice(a string, list []string) bool {`
			`for _, b := range list {`
			`if b == a {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

fix hound-ci errors 2017-12-13 07:39:00 +00:00			`func (t insecureConfigTLS) processTLSCipherSuites(n ast.Node, c gas.Context) *gas.Issue {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00
Migrated old test cases. 2017-12-28 06:54:10 +00:00			`if ciphers, ok := n.(*ast.CompositeLit); ok {`
			`for _, cipher := range ciphers.Elts {`
			`if ident, ok := cipher.(*ast.SelectorExpr); ok {`
Initial public release 2016-07-20 11:02:01 +01:00			`if !stringInSlice(ident.Sel.Name, t.goodCiphers) {`
Migrated old test cases. 2017-12-28 06:54:10 +00:00			`err := fmt.Sprintf("TLS Bad Cipher Suite: %s", ident.Sel.Name)`
			`return gas.NewIssue(c, ident, err, gas.High, gas.High)`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`}`
			`}`
			`return nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`func (t insecureConfigTLS) processTLSConfVal(n ast.KeyValueExpr, c gas.Context) gas.Issue {`
Initial public release 2016-07-20 11:02:01 +01:00			`if ident, ok := n.Key.(*ast.Ident); ok {`
			`switch ident.Name {`
Migrated old test cases. 2017-12-28 06:54:10 +00:00
Initial public release 2016-07-20 11:02:01 +01:00			`case "InsecureSkipVerify":`
			`if node, ok := n.Value.(*ast.Ident); ok {`
			`if node.Name != "false" {`
			`return gas.NewIssue(c, n, "TLS InsecureSkipVerify set true.", gas.High, gas.High)`
			`}`
			`} else {`
			`// TODO(tk): symbol tab look up to get the actual value`
			`return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)`
			`}`

Add a check for PreferServerCipherSuites flag of tls.Config 2017-03-15 14:05:44 +00:00			`case "PreferServerCipherSuites":`
			`if node, ok := n.Value.(*ast.Ident); ok {`
			`if node.Name == "false" {`
			`return gas.NewIssue(c, n, "TLS PreferServerCipherSuites set false.", gas.Medium, gas.High)`
			`}`
			`} else {`
			`// TODO(tk): symbol tab look up to get the actual value`
			`return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low)`
			`}`

Initial public release 2016-07-20 11:02:01 +01:00			`case "MinVersion":`
			`if ival, ierr := gas.GetInt(n.Value); ierr == nil {`
			`if (int16)(ival) < t.MinVersion {`
			`return gas.NewIssue(c, n, "TLS MinVersion too low.", gas.High, gas.High)`
			`}`
			`// TODO(tk): symbol tab look up to get the actual value`
			`return gas.NewIssue(c, n, "TLS MinVersion may be too low.", gas.High, gas.Low)`
			`}`

			`case "MaxVersion":`
			`if ival, ierr := gas.GetInt(n.Value); ierr == nil {`
			`if (int16)(ival) < t.MaxVersion {`
			`return gas.NewIssue(c, n, "TLS MaxVersion too low.", gas.High, gas.High)`
			`}`
			`// TODO(tk): symbol tab look up to get the actual value`
			`return gas.NewIssue(c, n, "TLS MaxVersion may be too low.", gas.High, gas.Low)`
			`}`

			`case "CipherSuites":`
Migrated old test cases. 2017-12-28 06:54:10 +00:00			`if ret := t.processTLSCipherSuites(n.Value, c); ret != nil {`
Initial public release 2016-07-20 11:02:01 +01:00			`return ret`
			`}`
Add a check for PreferServerCipherSuites flag of tls.Config 2017-03-15 14:05:44 +00:00
Initial public release 2016-07-20 11:02:01 +01:00			`}`
Add a check for PreferServerCipherSuites flag of tls.Config 2017-03-15 14:05:44 +00:00
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`return nil`
			`}`

Migrated old test cases. 2017-12-28 06:54:10 +00:00			`func (t insecureConfigTLS) Match(n ast.Node, c gas.Context) (*gas.Issue, error) {`
Fix nil pointer dereference in complit types 2018-01-05 12:19:08 +00:00			`if complit, ok := n.(*ast.CompositeLit); ok && complit.Type != nil && c.Info.TypeOf(complit.Type).String() == t.requiredType {`
Migrated old test cases. 2017-12-28 06:54:10 +00:00			`for _, elt := range complit.Elts {`
Initial public release 2016-07-20 11:02:01 +01:00			`if kve, ok := elt.(*ast.KeyValueExpr); ok {`
Migrated old test cases. 2017-12-28 06:54:10 +00:00			`issue := t.processTLSConfVal(kve, c)`
			`if issue != nil {`
			`return issue, nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`}`
			`}`
Migrated old test cases. 2017-12-28 06:54:10 +00:00			`return nil, nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`