From d1e67fc9952f74b38d935f960e9d6bd28e1dc41a Mon Sep 17 00:00:00 2001
From: Grant Murphy
Date: Wed, 11 Jan 2017 09:41:35 -0800
Subject: [PATCH 1/2] Ensure hardcoded credentials only examines strings

The hardcoded credentials test should only consider assignment of const strings. Related to issue #108
---
 rules/hardcoded_credentials.go      | 4 ++--
 rules/hardcoded_credentials_test.go | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/rules/hardcoded_credentials.go b/rules/hardcoded_credentials.go
index 3c1a985..6d19fa0 100644
--- a/rules/hardcoded_credentials.go
+++ b/rules/hardcoded_credentials.go
@@ -41,7 +41,7 @@ func (r *Credentials) matchAssign(assign *ast.AssignStmt, ctx *gas.Context) (*ga
 		if ident, ok := i.(*ast.Ident); ok {
 			if r.pattern.MatchString(ident.Name) {
 				for _, e := range assign.Rhs {
-					if _, ok := e.(*ast.BasicLit); ok {
+					if rhs, ok := e.(*ast.BasicLit); ok && rhs.Kind == token.STRING {
 						return gas.NewIssue(ctx, assign, r.What, r.Severity, r.Confidence), nil
 					}
 				}
@@ -63,7 +63,7 @@ func (r *Credentials) matchGenDecl(decl *ast.GenDecl, ctx *gas.Context) (*gas.Is
 					if len(valueSpec.Values) <= index {
 						index = len(valueSpec.Values) - 1
 					}
-					if _, ok := valueSpec.Values[index].(*ast.BasicLit); ok {
+					if rhs, ok := valueSpec.Values[index].(*ast.BasicLit); ok && rhs.Kind == token.STRING {
 						return gas.NewIssue(ctx, decl, r.What, r.Severity, r.Confidence), nil
 					}
 				}
diff --git a/rules/hardcoded_credentials_test.go b/rules/hardcoded_credentials_test.go
index 0b32e8b..3999d7f 100644
--- a/rules/hardcoded_credentials_test.go
+++ b/rules/hardcoded_credentials_test.go
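Review bot: The new check on the `+` line still scans every element of `assign.Rhs` once any matching identifier is found, so a tuple assignment such as `pwd, label := os.Getenv("PWD"), "default"` is reported for the unrelated literal `"default"`. If the enclosing loop over `assign.Lhs` (which starts above the hunk) exposes the identifier's index, testing only the positionally matching element, `if rhs, ok := assign.Rhs[idx].(*ast.BasicLit); ok && rhs.Kind == token.STRING {` under a `len(assign.Rhs) == len(assign.Lhs)` guard, removes that false positive; failing that, the current form deserves a comment, `// any string literal on the RHS is reported, not only the one bound to the matching name`. The diffstat records no import change, so `go/token` must already be imported by this file or the new reference will not compile. Note also that an empty literal `""` satisfies the check, so zero-value initialisers like `password := ""` are reported at the same confidence as a real secret. matchAssign begins before and continues after the hunk.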
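Review bot: The clamp above the new line, `index = len(valueSpec.Values) - 1`, yields -1 when the spec has no values, and the new line then indexes `valueSpec.Values[index]` unconditionally; unless a guard earlier in matchGenDecl (outside the hunk) skips specs without values, a declaration like `var password string` would panic the analyzer instead of being skipped. A local guard makes that independent of the surrounding code, e.g. `if len(valueSpec.Values) == 0 { continue }` at the top of the per-name loop, or folding the zero-length case into the clamp. The narrowing to `token.STRING` is intentional per the commit message, but it means numeric secrets (`const apiToken = 123456`) are now silently accepted, which is worth stating on the new line, `// only string literals are treated as credentials; numeric constants are assumed to be enum/state values (#108)`. matchGenDecl begins before and continues after the hunk.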
@@ -111,3 +111,20 @@ func TestHardecodedVarsNotAssigned(t *testing.T) {
 	}`, analyzer)
 	checkTestResults(t, issues, 1, "Potential hardcoded credentials")
 }
+
+func TestHardcodedConstInteger(t *testing.T) {
+	config := map[string]interface{}{"ignoreNosec": false}
+	analyzer := gas.NewAnalyzer(config, nil)
+	analyzer.AddRule(NewHardcodedCredentials(config))
+	issues := gasTestRunner(`
+	package main
+
+	const (
+		ATNStateSomethingElse = 1,
+		ATNStateTokenStart = 42,
+	)
+	func main() {
+		println(ATNStateTokenStart)
+	}`, analyzer)
+	checkTestResults(t, issues, 0, "Potential hardcoded credentials")
+}

From 1e736c8838bf020b7461e157588ee570a78b761a Mon Sep 17 00:00:00 2001
From: Grant Murphy
Date: Wed, 11 Jan 2017 09:51:25 -0800
Subject: [PATCH 2/2] Fix test case (invalid sample code)

---
 rules/hardcoded_credentials_test.go | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/rules/hardcoded_credentials_test.go b/rules/hardcoded_credentials_test.go
index 3999d7f..966ee10 100644
--- a/rules/hardcoded_credentials_test.go
+++ b/rules/hardcoded_credentials_test.go
@@ -120,11 +120,27 @@ func TestHardcodedConstInteger(t *testing.T) {
 	package main
 
 	const (
-		ATNStateSomethingElse = 1,
-		ATNStateTokenStart = 42,
+		ATNStateSomethingElse = 1
+		ATNStateTokenStart = 42
 	)
 	func main() {
 		println(ATNStateTokenStart)
 	}`, analyzer)
 	checkTestResults(t, issues, 0, "Potential hardcoded credentials")
 }
+
+func TestHardcodedConstString(t *testing.T) {
+	config := map[string]interface{}{"ignoreNosec": false}
+	analyzer := gas.NewAnalyzer(config, nil)
+	analyzer.AddRule(NewHardcodedCredentials(config))
+	issues := gasTestRunner(`
+	package main
+
+	const (
+		ATNStateTokenStart = "foo bar"
+	)
+	func main() {
+		println(ATNStateTokenStart)
+	}`, analyzer)
+	checkTestResults(t, issues, 1, "Potential hardcoded credentials")
+}
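Review bot: TestHardcodedConstInteger asserts zero findings, but nothing in the test fails if the sample program does not parse, so the expectation is satisfied just as well by a broken fixture as by the rule correctly ignoring integers; I cannot see gasTestRunner from here, but if it swallows parser errors the trailing commas in this fixture's `const` block would make the test pass vacuously. A negative test is only meaningful when the runner surfaces parse failures with `t.Fatal`, or when the same fixture is also exercised in a positive variant. The setup triple (`config`, `gas.NewAnalyzer`, `AddRule`) is repeated verbatim in every test in this file; a helper such as `newCredentialsAnalyzer(t)` would keep the fixtures readable.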
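Review bot: The new positive test exercises only the `const` declaration path (matchGenDecl); the first commit on this page also narrowed matchAssign to string literals, and neither the negative (`password := 1234` not reported) nor the positive (`password := "x"` reported) assignment case is covered, so a regression there would go unnoticed. A companion test for the assignment path, using an identifier the rule's pattern is known to match (the existing tests suggest names containing `Token` do, and `password` presumably does), would pin that behaviour.
```go
func TestHardcodedAssignInteger(t *testing.T) {
	config := map[string]interface{}{"ignoreNosec": false}
	analyzer := gas.NewAnalyzer(config, nil)
	analyzer.AddRule(NewHardcodedCredentials(config))
	issues := gasTestRunner(`
	package main
	func main() {
		password := 1234
		println(password)
	}`, analyzer)
	checkTestResults(t, issues, 0, "Potential hardcoded credentials")
}
```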