Find G303 with filepath.Join'd temp dirs (#754)

This commit is contained in:
Ville Skyttä 2022-01-04 15:48:02 +02:00 committed by GitHub
parent 19bda8d15f
commit 4c1afaa492
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 1 deletions


@ -71,6 +71,7 @@ func NewBadTempFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
argCalls.Add("os", "TempDir") argCalls.Add("os", "TempDir")
nestedCalls := gosec.NewCallList() nestedCalls := gosec.NewCallList()
nestedCalls.Add("path", "Join") nestedCalls.Add("path", "Join")
nestedCalls.Add("path/filepath", "Join")
return &badTempFile{ return &badTempFile{
calls: calls, calls: calls,
args: regexp.MustCompile(`^(/(usr|var))?/tmp(/.*)?$`), args: regexp.MustCompile(`^(/(usr|var))?/tmp(/.*)?$`),
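Review bot: The added `nestedCalls.Add("path/filepath", "Join")` carries no comment, and sitting next to the Unix-only `args` regexp (`/tmp`, `/usr/tmp`, `/var/tmp`) it may lead a reader to assume the rule now also recognises Windows temp paths assembled with `filepath.Join`, which the literal pattern cannot match; how the nested calls are inspected is not visible in this hunk, so that presumption should be confirmed against the match logic. A one-line comment above the two `nestedCalls.Add` lines would pin the intent: `// path.Join and filepath.Join wrappers are looked through so a temp-dir argument inside them is still checked; the literal regexp below is Unix-only.` NewBadTempFile starts above the hunk, so the construction of `calls` and `argCalls` is outside this view.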


@ -1759,6 +1759,7 @@ import (
"io/ioutil" "io/ioutil"
"os" "os"
"path" "path"
"path/filepath"
) )
func main() { func main() {
@ -1796,7 +1797,11 @@ func main() {
if err != nil { if err != nil {
fmt.Println("Error while writing!") fmt.Println("Error while writing!")
} }
}`}, 8, gosec.NewConfig()}} err = os.WriteFile(filepath.Join(os.TempDir(), "demo2"), []byte("This is some data"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
}`}, 9, gosec.NewConfig()}}
// SampleCodeG304 - potential file inclusion vulnerability // SampleCodeG304 - potential file inclusion vulnerability
SampleCodeG304 = []CodeSample{{[]string{` SampleCodeG304 = []CodeSample{{[]string{`
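Review bot: The `filepath.Join(os.TempDir(), "demo2")` case is appended to the existing G303 sample and the expected finding count is bumped from 8 to 9, so a regression in the new `path/filepath` detection would be indistinguishable from a miss in any of the other eight findings of that sample. A dedicated `CodeSample` entry with its own expected count of 1 (importing only `os` and `path/filepath`) would make the new behaviour testable in isolation and keep the sample under test small; the same consideration applies to the `path.Join` case already in the sample if it is ever reworked. The raw-string sample above the hunk begins outside this view, so the earlier findings it contributes cannot be checked here.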