diff --git a/rules/readfile.go b/rules/readfile.go
index a52f742..459b4ad 100644
--- a/rules/readfile.go
+++ b/rules/readfile.go
@@ -102,5 +102,6 @@ func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 	rule.pathJoin.Add("path", "Join")
 	rule.Add("io/ioutil", "ReadFile")
 	rule.Add("os", "Open")
+	rule.Add("os", "OpenFile")
 	return rule, []ast.Node{(*ast.CallExpr)(nil)}
 }
diff --git a/testutils/source.go b/testutils/source.go
index d76fdf6..4b8f136 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -1478,6 +1478,30 @@ func main() {
 }`}, 1, gosec.NewConfig()},
 	{[]string{`
 package main
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+)
+
+func main() {
+	http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) {
+		title := r.URL.Query().Get("title")
+		f, err := os.OpenFile(title, os.O_RDWR|os.O_CREATE, 0755)
+		if err != nil {
+			fmt.Printf("Error: %v\n", err)
+		}
+		body := make([]byte, 5)
+		if _, err = f.Read(body); err != nil {
+			fmt.Printf("Error: %v\n", err)
+		}
+		fmt.Fprintf(w, "%s", body)
+	})
+	log.Fatal(http.ListenAndServe(":3000", nil))
+}`}, 1, gosec.NewConfig()},
+	{[]string{`
+package main
+
 import (
 	"log"
 	"os"
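Review bot: The new `rule.Add("os", "OpenFile")` line only registers the call as a sink; whether the path argument is actually inspected depends on the rule's Match logic, which lies outside this hunk and is not changed here. os.OpenFile takes the path as its first argument, as os.Open does, so the existing argument-0 handling presumably applies unchanged, but that assumption should be confirmed by a test that the sample in testutils/source.go drives through the rule rather than only through registration. A short comment would make the intent explicit: `// os.OpenFile takes the path as its first argument, matching os.Open` above the added line. The NewReadFile body starts before this hunk.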
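Review bot: The new sample continues past a failed `os.OpenFile` and calls `f.Read(body)` on a nil `*os.File`, and it never closes `f` on the success path; both are unrelated to the G304 path-traversal finding the fixture is meant to produce and make the sample a confusing reference for readers. Adding `return` after the first `fmt.Printf("Error: %v\n", err)` and `defer f.Close()` after the error check keeps the fixture a clean single-issue sample. Note also that the `0755` mode on `os.O_CREATE` is the kind of permission that gosec's file-permission rule flags on OpenFile, which is fine while this sample is only run against G304 but worth remembering if the samples are ever shared across rules.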