mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 12:05:52 +00:00
fix: WriteParams rule to work also with golang 1.16 (#577)
In go 1.16 the `ioutil` package was deprecated and the functions should be replaced by their equivalents in either `io` or `os` packages. This means, that `ioutil.WriteFile` should be replaced by `os.WriteFile` instead. To account for this change and to detect incorrect permissions also for `os.WriteFile` I changed `filePermissions` rule slightly to allows specifying multiple packages that can contain given function and that we should check. This workaround can be removed after a sufficient time has passed and after it is decided that checking `os.WriteFile` is enough. Fixes: https://github.com/securego/gosec/issues/576
This commit is contained in:
parent
dcbcc4dd2a
commit
1fce46151c
1 changed files with 10 additions and 8 deletions
|
@ -25,7 +25,7 @@ import (
|
||||||
type filePermissions struct {
|
type filePermissions struct {
|
||||||
gosec.MetaData
|
gosec.MetaData
|
||||||
mode int64
|
mode int64
|
||||||
pkg string
|
pkgs []string
|
||||||
calls []string
|
calls []string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -51,12 +51,14 @@ func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMod
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
|
func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
|
||||||
if callexpr, matched := gosec.MatchCallByPackage(n, c, r.pkg, r.calls...); matched {
|
for _, pkg := range r.pkgs {
|
||||||
|
if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
|
||||||
modeArg := callexpr.Args[len(callexpr.Args)-1]
|
modeArg := callexpr.Args[len(callexpr.Args)-1]
|
||||||
if mode, err := gosec.GetInt(modeArg); err == nil && mode > r.mode {
|
if mode, err := gosec.GetInt(modeArg); err == nil && mode > r.mode {
|
||||||
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
|
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -65,7 +67,7 @@ func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
mode := getConfiguredMode(conf, "G306", 0600)
|
mode := getConfiguredMode(conf, "G306", 0600)
|
||||||
return &filePermissions{
|
return &filePermissions{
|
||||||
mode: mode,
|
mode: mode,
|
||||||
pkg: "io/ioutil",
|
pkgs: []string{"io/ioutil", "os"},
|
||||||
calls: []string{"WriteFile"},
|
calls: []string{"WriteFile"},
|
||||||
MetaData: gosec.MetaData{
|
MetaData: gosec.MetaData{
|
||||||
ID: id,
|
ID: id,
|
||||||
|
@ -82,7 +84,7 @@ func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
mode := getConfiguredMode(conf, "G302", 0600)
|
mode := getConfiguredMode(conf, "G302", 0600)
|
||||||
return &filePermissions{
|
return &filePermissions{
|
||||||
mode: mode,
|
mode: mode,
|
||||||
pkg: "os",
|
pkgs: []string{"os"},
|
||||||
calls: []string{"OpenFile", "Chmod"},
|
calls: []string{"OpenFile", "Chmod"},
|
||||||
MetaData: gosec.MetaData{
|
MetaData: gosec.MetaData{
|
||||||
ID: id,
|
ID: id,
|
||||||
|
@ -99,7 +101,7 @@ func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
mode := getConfiguredMode(conf, "G301", 0750)
|
mode := getConfiguredMode(conf, "G301", 0750)
|
||||||
return &filePermissions{
|
return &filePermissions{
|
||||||
mode: mode,
|
mode: mode,
|
||||||
pkg: "os",
|
pkgs: []string{"os"},
|
||||||
calls: []string{"Mkdir", "MkdirAll"},
|
calls: []string{"Mkdir", "MkdirAll"},
|
||||||
MetaData: gosec.MetaData{
|
MetaData: gosec.MetaData{
|
||||||
ID: id,
|
ID: id,
|
||||||
|
|
Loading…
Reference in a new issue