From 4c1afaa49249cfbbd022e87b5bddee74e3e758ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ville=20Skytt=C3=A4?=
Date: Tue, 4 Jan 2022 15:48:02 +0200
Subject: [PATCH] Find G303 with filepath.Join'd temp dirs (#754)
---
 rules/tempfiles.go | 1 +
 testutils/source.go | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/tempfiles.go b/rules/tempfiles.go
index 1eb2d73..63822c0 100644
--- a/rules/tempfiles.go
+++ b/rules/tempfiles.go
@@ -71,6 +71,7 @@ func NewBadTempFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 argCalls.Add("os", "TempDir")
 nestedCalls := gosec.NewCallList()
 nestedCalls.Add("path", "Join")
+ nestedCalls.Add("path/filepath", "Join")
 return &badTempFile{
 calls: calls,
 args: regexp.MustCompile(`^(/(usr|var))?/tmp(/.*)?$`),
diff --git a/testutils/source.go b/testutils/source.go
index 4bdbf72..717fab5 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -1759,6 +1759,7 @@ import (
 "io/ioutil"
 "os"
 "path"
+ "path/filepath"
 )
 func main() {
@@ -1796,7 +1797,11 @@ func main() {
 if err != nil {
 fmt.Println("Error while writing!")
 }
-}`}, 8, gosec.NewConfig()}}
+ err = os.WriteFile(filepath.Join(os.TempDir(), "demo2"), []byte("This is some data"), 0644)
+ if err != nil {
+ fmt.Println("Error while writing!")
+ }
+}`}, 9, gosec.NewConfig()}}
 // SampleCodeG304 - potential file inclusion vulnerability
 SampleCodeG304 = []CodeSample{{[]string{`
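Review bot: The new `nestedCalls.Add("path/filepath", "Join")` line in rules/tempfiles.go extends what looks like a fixed list of wrapper calls, and nothing next to it says why these two packages are listed or what is left out. A short comment above the two `Add` calls would help, for example `// Join variants whose arguments are inspected for os.TempDir(); paths built any other way are not covered here.` Judging only from the visible lines, a temp path assembled by other means (string concatenation, a formatting helper) would presumably still pass the rule unflagged, so that limit is worth stating or tracking as a follow-up. NewBadTempFile starts and ends outside the hunk, so how `nestedCalls` is consumed is not visible here.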
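Review bot: The sample added in the last hunk of testutils/source.go only proves the positive case, so a regression that made every `filepath.Join` argument match would still pass with the count bumped to 9. A negative line in the same sample would pin that down, such as `_ = os.WriteFile(filepath.Join("/srv/app", "demo3"), []byte("data"), 0644)`, where the path is a constructed non-temp directory expected to raise nothing. The expected total is also a bare number, and a brief comment listing which calls it counts would make the next bump easier to review. The sample's `main` and the other counted calls begin outside the hunk, so whether another sample already covers the negative case is not visible.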