mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 12:05:52 +00:00
Add a check for PreferServerCipherSuites flag of tls.Config
This commit is contained in:
parent
1c8e7ff686
commit
2262f5d474
2 changed files with 41 additions and 0 deletions
12
rules/tls.go
12
rules/tls.go
|
@ -68,6 +68,16 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
|
|||
return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)
|
||||
}
|
||||
|
||||
case "PreferServerCipherSuites":
|
||||
if node, ok := n.Value.(*ast.Ident); ok {
|
||||
if node.Name == "false" {
|
||||
return gas.NewIssue(c, n, "TLS PreferServerCipherSuites set false.", gas.Medium, gas.High)
|
||||
}
|
||||
} else {
|
||||
// TODO(tk): symbol tab look up to get the actual value
|
||||
return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low)
|
||||
}
|
||||
|
||||
case "MinVersion":
|
||||
if ival, ierr := gas.GetInt(n.Value); ierr == nil {
|
||||
if (int16)(ival) < t.MinVersion {
|
||||
|
@ -90,7 +100,9 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
|
|||
if ret := t.processTlsCipherSuites(n, c); ret != nil {
|
||||
return ret
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -138,3 +138,32 @@ func TestInsecureCipherSuite(t *testing.T) {
|
|||
|
||||
checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
|
||||
}
|
||||
|
||||
func TestPreferServerCipherSuites(t *testing.T) {
|
||||
config := map[string]interface{}{"ignoreNosec": false}
|
||||
analyzer := gas.NewAnalyzer(config, nil)
|
||||
analyzer.AddRule(NewModernTlsCheck(config))
|
||||
|
||||
issues := gasTestRunner(`
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
func main() {
|
||||
tr := &http.Transport{
|
||||
TLSClientConfig: &tls.Config{PreferServerCipherSuites: false},
|
||||
}
|
||||
client := &http.Client{Transport: tr}
|
||||
_, err := client.Get("https://golang.org/")
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
}
|
||||
`, analyzer)
|
||||
|
||||
checkTestResults(t, issues, 1, "TLS PreferServerCipherSuites set false")
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue