actions/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2024-12-26 04:25:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: WriteParams rule to work also with golang 1.16 (#577)

Browse source 
In go 1.16 the `ioutil` package was deprecated and
the functions should be replaced by their equivalents
in either `io` or `os` packages. This means,
that `ioutil.WriteFile` should be replaced by
`os.WriteFile` instead. To account for this change
and to detect incorrect permissions also for `os.WriteFile`
I changed `filePermissions` rule slightly to allows
specifying multiple packages that can contain given
function and that we should check. This workaround
can be removed after a sufficient time has passed
and after it is decided that checking `os.WriteFile`
is enough.

Fixes: https://github.com/securego/gosec/issues/576
This commit is contained in:
Matouš Dzivjak 2021-02-22 09:22:04 +01:00 committed by GitHub
parent dcbcc4dd2a
commit 1fce46151c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
rules/fileperms.go
View file

@ -25,7 +25,7 @@ import (
type filePermissions struct { type filePermissions struct {
gosec.MetaData gosec.MetaData
mode int64 mode int64
pkg string pkgs []string
calls []string calls []string
} }
@ -51,12 +51,14 @@ func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMod
} }
func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) { func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
if callexpr, matched := gosec.MatchCallByPackage(n, c, r.pkg, r.calls...); matched { for _, pkg := range r.pkgs {
if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
modeArg := callexpr.Args[len(callexpr.Args)-1] modeArg := callexpr.Args[len(callexpr.Args)-1]
if mode, err := gosec.GetInt(modeArg); err == nil && mode > r.mode { if mode, err := gosec.GetInt(modeArg); err == nil && mode > r.mode {
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
} }
} }
}
return nil, nil return nil, nil
} }
@ -65,7 +67,7 @@ func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
mode := getConfiguredMode(conf, "G306", 0600) mode := getConfiguredMode(conf, "G306", 0600)
return &filePermissions{ return &filePermissions{
mode: mode, mode: mode,
pkg: "io/ioutil", pkgs: []string{"io/ioutil", "os"},
calls: []string{"WriteFile"}, calls: []string{"WriteFile"},
MetaData: gosec.MetaData{ MetaData: gosec.MetaData{
ID: id, ID: id,
@ -82,7 +84,7 @@ func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
mode := getConfiguredMode(conf, "G302", 0600) mode := getConfiguredMode(conf, "G302", 0600)
return &filePermissions{ return &filePermissions{
mode: mode, mode: mode,
pkg: "os", pkgs: []string{"os"},
calls: []string{"OpenFile", "Chmod"}, calls: []string{"OpenFile", "Chmod"},
MetaData: gosec.MetaData{ MetaData: gosec.MetaData{
ID: id, ID: id,
@ -99,7 +101,7 @@ func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
mode := getConfiguredMode(conf, "G301", 0750) mode := getConfiguredMode(conf, "G301", 0750)
return &filePermissions{ return &filePermissions{
mode: mode, mode: mode,
pkg: "os", pkgs: []string{"os"},
calls: []string{"Mkdir", "MkdirAll"}, calls: []string{"Mkdir", "MkdirAll"},
MetaData: gosec.MetaData{ MetaData: gosec.MetaData{
ID: id, ID: id,