Smarter hard-coded credentials check

Check the right-hand side expression for literals when looking for hard-coded
credentials. This avoids issuing warnings in cases where a
password, token, etc. is read from a file or a terminal.
This commit is contained in:
Cedric Staub 2016-07-27 22:51:34 -07:00
parent 81b5e98828
commit 3cd0ebee96


@ -15,9 +15,10 @@
package rules
import (
gas "github.com/HewlettPackard/gas/core"
"go/ast"
"regexp"
gas "github.com/HewlettPackard/gas/core"
)
type CredsAssign struct {
@ -30,8 +31,11 @@ func (r *CredsAssign) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
for _, i := range node.Lhs {
if ident, ok := i.(*ast.Ident); ok {
if r.pattern.MatchString(ident.Name) {
gi = gas.NewIssue(c, n, r.What, r.Severity, r.Confidence)
break
for _, e := range node.Rhs {
if _, ok := e.(*ast.BasicLit); ok {
return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
}
}
}
}
}
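Review bot: The new `e.(*ast.BasicLit)` test on the Rhs loop only recognizes a bare literal, so `password := []byte("hunter2")`, `token := "abc" + suffix` and `key := ("…")` are no longer reported even though the secret is just as hard-coded as before this commit, while `password := ""` (a placeholder filled in later) and any numeric literal in the same assignment still are. I would move the test into a small helper that unwraps parentheses, `+` concatenation and obvious conversions (`[]byte(...)`, `string(...)`) but deliberately not other calls, since `readFile("…")` is exactly what this change means to skip; this needs `"go/token"` added to the import block. Note that the Lhs and Rhs loops are not index-aligned either, so `user, password := "admin", readPassword()` fires on `"admin"`; pairing `node.Rhs[i]` with `node.Lhs[i]` when `len(node.Lhs) == len(node.Rhs)` would tighten that. The enclosing Match function and the assertion that gives `node` its type are outside this hunk, so the helper's placement is a suggestion.
```go
for _, e := range node.Rhs {
    if isStringLiteral(e) {
        return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
    }
}
// … unchanged: closing braces of the Lhs loop …

// isStringLiteral reports whether e is a non-empty string literal, possibly
// wrapped in parentheses, a "+" concatenation or a plain conversion such as
// []byte("…") / string("…"). Other calls are not unwrapped on purpose:
// readFile("…") is the case this rule must not flag.
func isStringLiteral(e ast.Expr) bool {
	switch v := e.(type) {
	case *ast.BasicLit:
		// v.Value is the raw source text including quotes, so "" and `` have length 2.
		return v.Kind == token.STRING && len(v.Value) > 2
	case *ast.ParenExpr:
		return isStringLiteral(v.X)
	case *ast.BinaryExpr:
		return v.Op == token.ADD && (isStringLiteral(v.X) || isStringLiteral(v.Y))
	case *ast.CallExpr:
		if len(v.Args) != 1 {
			return false
		}
		switch f := v.Fun.(type) {
		case *ast.ArrayType: // []byte("…")
			return isStringLiteral(v.Args[0])
		case *ast.Ident: // string("…")
			return f.Name == "string" && isStringLiteral(v.Args[0])
		}
	}
	return false
}
```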