Add a check for PreferServerCipherSuites flag of tls.Config
parent
1c8e7ff686
commit
2262f5d474
2 changed files with 41 additions and 0 deletions
12
rules/tls.go
12
rules/tls.go
|
@ -68,6 +68,16 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
|
||||||
return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)
|
return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
case "PreferServerCipherSuites":
|
||||||
|
if node, ok := n.Value.(*ast.Ident); ok {
|
||||||
|
if node.Name == "false" {
|
||||||
|
return gas.NewIssue(c, n, "TLS PreferServerCipherSuites set false.", gas.Medium, gas.High)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// TODO(tk): symbol tab look up to get the actual value
|
||||||
|
return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low)
|
||||||
|
}
|
||||||
|
|
||||||
case "MinVersion":
|
case "MinVersion":
|
||||||
if ival, ierr := gas.GetInt(n.Value); ierr == nil {
|
if ival, ierr := gas.GetInt(n.Value); ierr == nil {
|
||||||
if (int16)(ival) < t.MinVersion {
|
if (int16)(ival) < t.MinVersion {
|
||||||
|
@ -90,7 +100,9 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
|
||||||
if ret := t.processTlsCipherSuites(n, c); ret != nil {
|
if ret := t.processTlsCipherSuites(n, c); ret != nil {
|
||||||
return ret
|
return ret
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
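Review bot: In the new `case "PreferServerCipherSuites":` an identifier that is neither `true` nor `false` (the flag taken from a local variable) falls through both branches and is never reported, while a non-identifier expression such as a call reaches the `else` branch and gets the Medium/Low "may be false" issue; the TODO about symbol-table lookup only covers that second branch. Reporting the unresolved identifier the same way keeps the two paths consistent until the lookup exists: `} else if node.Name != "true" {` / `return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low)` / `}` appended to the `node.Name == "false"` block. Separately, processTlsConfVal is called per `*ast.KeyValueExpr`, so as far as this hunk shows a literal that simply omits the field (keeping the default `false`) is not reported at all, whereas an explicit `false` with identical runtime behaviour is; catching the omitted case would need a check at the composite-literal level, outside this hunk. processTlsConfVal starts before the first hunk and its body continues past it; the second hunk appears to be whitespace only.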
@ -138,3 +138,32 @@ func TestInsecureCipherSuite(t *testing.T) {
|
||||||
|
|
||||||
checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
|
checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestPreferServerCipherSuites(t *testing.T) {
|
||||||
|
config := map[string]interface{}{"ignoreNosec": false}
|
||||||
|
analyzer := gas.NewAnalyzer(config, nil)
|
||||||
|
analyzer.AddRule(NewModernTlsCheck(config))
|
||||||
|
|
||||||
|
issues := gasTestRunner(`
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
tr := &http.Transport{
|
||||||
|
TLSClientConfig: &tls.Config{PreferServerCipherSuites: false},
|
||||||
|
}
|
||||||
|
client := &http.Client{Transport: tr}
|
||||||
|
_, err := client.Get("https://golang.org/")
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
`, analyzer)
|
||||||
|
|
||||||
|
checkTestResults(t, issues, 1, "TLS PreferServerCipherSuites set false")
|
||||||
|
}
|
||||||
|
|
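Review bot: TestPreferServerCipherSuites exercises only the literal-`false` path of the new rule; the branch in rules/tls.go that reports "TLS PreferServerCipherSuites may be false." with Medium/Low when the value is not an identifier has no fixture, and neither does the `true` case that should yield no issue. A second fixture that assigns the field from a function call or a variable, asserted with `checkTestResults(t, issues, 1, "TLS PreferServerCipherSuites may be false")`, plus a negative fixture using `PreferServerCipherSuites: true` checked for no issues, would pin both paths. The fixture also sets the flag on an `http.Transport` client config; the field is a server-side setting, so if the rule does not distinguish client from server configs (nothing in this change does) it will also fire on client code where the flag has no effect, and a server-side `tls.Config` fixture would be the more representative example.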