mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 03:55:54 +00:00
Improve the SQL strings concat rules to handle multiple string concatenation
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
This commit is contained in:
parent
68bce94323
commit
30e93bf865
4 changed files with 110 additions and 10 deletions
21
helpers.go
21
helpers.go
|
@ -226,6 +226,27 @@ func GetIdentStringValues(ident *ast.Ident) []string {
|
||||||
return values
|
return values
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetBinaryExprOperands returns all operands of a binary expression by traversing
|
||||||
|
// the expression tree
|
||||||
|
func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node {
|
||||||
|
var traverse func(be *ast.BinaryExpr)
|
||||||
|
result := []ast.Node{}
|
||||||
|
traverse = func(be *ast.BinaryExpr) {
|
||||||
|
if lhs, ok := be.X.(*ast.BinaryExpr); ok {
|
||||||
|
traverse(lhs)
|
||||||
|
} else {
|
||||||
|
result = append(result, be.X)
|
||||||
|
}
|
||||||
|
if rhs, ok := be.Y.(*ast.BinaryExpr); ok {
|
||||||
|
traverse(rhs)
|
||||||
|
} else {
|
||||||
|
result = append(result, be.Y)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
traverse(be)
|
||||||
|
return result
|
||||||
|
}
|
||||||
|
|
||||||
// GetImportedName returns the name used for the package within the
|
// GetImportedName returns the name used for the package within the
|
||||||
// code. It will resolve aliases and ignores initialization only imports.
|
// code. It will resolve aliases and ignores initialization only imports.
|
||||||
func GetImportedName(path string, ctx *Context) (string, bool) {
|
func GetImportedName(path string, ctx *Context) (string, bool) {
|
||||||
|
|
|
@ -229,4 +229,68 @@ var _ = Describe("Helpers", func() {
|
||||||
Expect(result).Should(HaveKeyWithValue("fmt", "Println"))
|
Expect(result).Should(HaveKeyWithValue("fmt", "Println"))
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
Context("when getting binary expression operands", func() {
|
||||||
|
It("should return all operands of a binary experssion", func() {
|
||||||
|
pkg := testutils.NewTestPackage()
|
||||||
|
defer pkg.Close()
|
||||||
|
pkg.AddFile("main.go", `
|
||||||
|
package main
|
||||||
|
|
||||||
|
import(
|
||||||
|
"fmt"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
be := "test1" + "test2"
|
||||||
|
fmt.Println(be)
|
||||||
|
}
|
||||||
|
`)
|
||||||
|
ctx := pkg.CreateContext("main.go")
|
||||||
|
var be *ast.BinaryExpr
|
||||||
|
visitor := testutils.NewMockVisitor()
|
||||||
|
visitor.Context = ctx
|
||||||
|
visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
||||||
|
if expr, ok := n.(*ast.BinaryExpr); ok {
|
||||||
|
be = expr
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
ast.Walk(visitor, ctx.Root)
|
||||||
|
|
||||||
|
operands := gosec.GetBinaryExprOperands(be)
|
||||||
|
Expect(len(operands)).Should(Equal(2))
|
||||||
|
})
|
||||||
|
It("should return all operands of complex binary experssion", func() {
|
||||||
|
pkg := testutils.NewTestPackage()
|
||||||
|
defer pkg.Close()
|
||||||
|
pkg.AddFile("main.go", `
|
||||||
|
package main
|
||||||
|
|
||||||
|
import(
|
||||||
|
"fmt"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
be := "test1" + "test2" + "test3" + "test4"
|
||||||
|
fmt.Println(be)
|
||||||
|
}
|
||||||
|
`)
|
||||||
|
ctx := pkg.CreateContext("main.go")
|
||||||
|
var be *ast.BinaryExpr
|
||||||
|
visitor := testutils.NewMockVisitor()
|
||||||
|
visitor.Context = ctx
|
||||||
|
visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
||||||
|
if expr, ok := n.(*ast.BinaryExpr); ok {
|
||||||
|
if be == nil {
|
||||||
|
be = expr
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
ast.Walk(visitor, ctx.Root)
|
||||||
|
|
||||||
|
operands := gosec.GetBinaryExprOperands(be)
|
||||||
|
Expect(len(operands)).Should(Equal(4))
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
18
rules/sql.go
18
rules/sql.go
|
@ -16,7 +16,6 @@ package rules
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"go/ast"
|
"go/ast"
|
||||||
"go/token"
|
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
@ -82,20 +81,19 @@ func (s *sqlStrConcat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) (*gose
|
||||||
}
|
}
|
||||||
|
|
||||||
if be, ok := query.(*ast.BinaryExpr); ok {
|
if be, ok := query.(*ast.BinaryExpr); ok {
|
||||||
// Skip all operations which aren't concatenation
|
operands := gosec.GetBinaryExprOperands(be)
|
||||||
if be.Op != token.ADD {
|
if start, ok := operands[0].(*ast.BasicLit); ok {
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
if start, ok := be.X.(*ast.BasicLit); ok {
|
|
||||||
if str, e := gosec.GetString(start); e == nil {
|
if str, e := gosec.GetString(start); e == nil {
|
||||||
if !s.MatchPatterns(str) {
|
if !s.MatchPatterns(str) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
if _, ok := be.Y.(*ast.BasicLit); ok {
|
}
|
||||||
return nil, nil // string cat OK
|
for _, op := range operands[1:] {
|
||||||
|
if _, ok := op.(*ast.BasicLit); ok {
|
||||||
|
continue
|
||||||
}
|
}
|
||||||
if second, ok := be.Y.(*ast.Ident); ok && s.checkObject(second, ctx) {
|
if op, ok := op.(*ast.Ident); ok && s.checkObject(op, ctx) {
|
||||||
return nil, nil
|
continue
|
||||||
}
|
}
|
||||||
return gosec.NewIssue(ctx, be, s.ID(), s.What, s.Severity, s.Confidence), nil
|
return gosec.NewIssue(ctx, be, s.ID(), s.What, s.Severity, s.Confidence), nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -1026,6 +1026,23 @@ func main(){
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
|
// multiple string concatenation
|
||||||
|
package main
|
||||||
|
import (
|
||||||
|
"database/sql"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
func main(){
|
||||||
|
db, err := sql.Open("sqlite3", ":memory:")
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
rows, err := db.Query("SELECT * FROM foo" + "WHERE name = " + os.Args[1])
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
defer rows.Close()
|
||||||
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
// false positive
|
// false positive
|
||||||
package main
|
package main
|
||||||
import (
|
import (
|
||||||
|
|
Loading…
Reference in a new issue