gosec/rules/tempfiles.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"go/ast"
	"regexp"

	"github.com/securego/gosec/v2"
)

type badTempFile struct {
	gosec.MetaData
	calls gosec.CallList
	args  *regexp.Regexp
}

func (t *badTempFile) ID() string {
	return t.MetaData.ID
}

func (t *badTempFile) Match(n ast.Node, c *gosec.Context) (gi *gosec.Issue, err error) {
	if node := t.calls.ContainsPkgCallExpr(n, c, false); node != nil {
		if arg, e := gosec.GetString(node.Args[0]); t.args.MatchString(arg) && e == nil {
			return gosec.NewIssue(c, n, t.ID(), t.What, t.Severity, t.Confidence), nil
		}
	}
	return nil, nil
}

// NewBadTempFile detects direct writes to predictable path in temporary directory
func NewBadTempFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	calls := gosec.NewCallList()
	calls.Add("io/ioutil", "WriteFile")
	calls.Add("os", "Create")
	return &badTempFile{
		calls: calls,
		args:  regexp.MustCompile(`^/tmp/.*$|^/var/tmp/.*$`),
		MetaData: gosec.MetaData{
			ID:         id,
			Severity:   gosec.Medium,
			Confidence: gosec.High,
			What:       "File creation in shared tmp directory without using ioutil.Tempfile",
		},
	}, []ast.Node{(*ast.CallExpr)(nil)}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"go/ast"`
			`"regexp"`
Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00
Handle properly the gosec module version v2 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-04-01 21:18:39 +01:00			`"github.com/securego/gosec/v2"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type badTempFile struct {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`gosec.MetaData`
			`calls gosec.CallList`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`args *regexp.Regexp`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`func (t *badTempFile) ID() string {`
			`return t.MetaData.ID`
			`}`

Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (t badTempFile) Match(n ast.Node, c gosec.Context) (gi *gosec.Issue, err error) {`
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00			`if node := t.calls.ContainsPkgCallExpr(n, c, false); node != nil {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`if arg, e := gosec.GetString(node.Args[0]); t.args.MatchString(arg) && e == nil {`
			`return gosec.NewIssue(c, n, t.ID(), t.What, t.Severity, t.Confidence), nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`return nil, nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewBadTempFile detects direct writes to predictable path in temporary directory`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewBadTempFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
			`calls := gosec.NewCallList()`
Use explicit packages in call lists By allowing partial matches of selectors there are chances of collisions such as those in issue #145, this removes it to expect explicit packages for each rule. Closes #145 2018-01-05 13:05:53 +00:00			`calls.Add("io/ioutil", "WriteFile")`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`calls.Add("os", "Create")`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`return &badTempFile{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`calls: calls,`
			args: regexp.MustCompile(`^/tmp/.$\|^/var/tmp/.$`),
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`MetaData: gosec.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`Severity: gosec.Medium,`
			`Confidence: gosec.High,`
Initial public release 2016-07-20 11:02:01 +01:00			`What: "File creation in shared tmp directory without using ioutil.Tempfile",`
			`},`
Allow rules to register against multiple ast nodes Update the AddRule interface to allow rules to register interest in multiple ast.Nodes. Adds more flexibility to how rules can work, and was needed to fix the hard coded credentials test specifically. 2016-11-13 20:55:31 +00:00			`}, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`