Improve the SSRF rule to report an issue for package scoped variables
Also made the rule not report an issue when it encounters a function-scoped variable that resolves to a basic literal such as a string. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
This commit is contained in:
parent
07770ae76d
commit
50e1fe267d
2 changed files with 102 additions and 9 deletions
|
@ -24,8 +24,15 @@ func (r *ssrf) ResolveVar(n *ast.CallExpr, c *gosec.Context) bool {
|
||||||
arg := n.Args[0]
|
arg := n.Args[0]
|
||||||
if ident, ok := arg.(*ast.Ident); ok {
|
if ident, ok := arg.(*ast.Ident); ok {
|
||||||
obj := c.Info.ObjectOf(ident)
|
obj := c.Info.ObjectOf(ident)
|
||||||
if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) {
|
if _, ok := obj.(*types.Var); ok {
|
||||||
return true
|
scope := c.Pkg.Scope()
|
||||||
|
if scope != nil && scope.Lookup(ident.Name) != nil {
|
||||||
|
// a URL defined in a variable at package scope can be changed at any time
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
if !gosec.TryResolve(ident, c) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
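Review bot: The new package-scope test in ResolveVar matches by name only — `scope.Lookup(ident.Name) != nil` is true whenever any package-level object shares the identifier's name — so a function-local variable that shadows a package-level name (say `url := "http://127.0.0.1"` inside main with `var url string` at package scope) is reported even though it would otherwise be resolved to a literal by the `gosec.TryResolve` check that follows. Comparing the looked-up object with the one already resolved from `c.Info.ObjectOf(ident)` keeps the check tied to the actual declaration: `if scope != nil && scope.Lookup(ident.Name) == obj {`. Note also that `(*types.Package).Scope` returns the Universe scope for a nil receiver, so the `scope != nil` guard cannot fire; if `c.Pkg` can be nil at this point, that is the value to check. ResolveVar begins before this hunk, so the surrounding nesting of `arg := n.Args[0]` is not visible here.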
@ -343,8 +343,8 @@ func main() {
|
||||||
}
|
}
|
||||||
fmt.Printf("%s", body)
|
fmt.Printf("%s", body)
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
// A variable value can easily be changed no matter
|
// Variable defined a package level can be changed at any time
|
||||||
// if it's a global or a local one
|
// regardless of the initial value
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -356,7 +356,6 @@ import (
|
||||||
var url string = "https://www.google.com"
|
var url string = "https://www.google.com"
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
|
||||||
resp, err := http.Get(url)
|
resp, err := http.Get(url)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
|
@ -389,7 +388,7 @@ func main() {
|
||||||
}
|
}
|
||||||
fmt.Printf("%s", body)
|
fmt.Printf("%s", body)
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
// Constant variables or harcoded strings are secure
|
// Constant variables or hard-coded strings are secure
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -401,9 +400,96 @@ func main() {
|
||||||
resp, err := http.Get(url)
|
resp, err := http.Get(url)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println(err)
|
fmt.Println(err)
|
||||||
}
|
}
|
||||||
fmt.Println(resp.Status)
|
fmt.Println(resp.Status)
|
||||||
}`}, 0, gosec.NewConfig()}}
|
}`}, 0, gosec.NewConfig()}, {[]string{`
|
||||||
|
// A variable at function scope which is initialized to
|
||||||
|
// a constant string is secure (e.g. cannot be changed concurrently)
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
)
|
||||||
|
func main() {
|
||||||
|
var url string = "http://127.0.0.1"
|
||||||
|
resp, err := http.Get(url)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
fmt.Println(resp.Status)
|
||||||
|
}`}, 0, gosec.NewConfig()}, {[]string{`
|
||||||
|
// A variable at function scope which is initialized to
|
||||||
|
// a constant string is secure (e.g. cannot be changed concurrently)
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
)
|
||||||
|
func main() {
|
||||||
|
url := "http://127.0.0.1"
|
||||||
|
resp, err := http.Get(url)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
fmt.Println(resp.Status)
|
||||||
|
}`}, 0, gosec.NewConfig()}, {[]string{`
|
||||||
|
// A variable at function scope which is initialized to
|
||||||
|
// a constant string is secure (e.g. cannot be changed concurrently)
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
)
|
||||||
|
func main() {
|
||||||
|
url1 := "test"
|
||||||
|
var url2 string = "http://127.0.0.1"
|
||||||
|
url2 = url1
|
||||||
|
resp, err := http.Get(url2)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
fmt.Println(resp.Status)
|
||||||
|
}`}, 0, gosec.NewConfig()}, {[]string{`
|
||||||
|
// An exported variable declared a packaged scope is not secure
|
||||||
|
// because it can changed at any time
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
)
|
||||||
|
|
||||||
|
var Url string
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
resp, err := http.Get(Url)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
fmt.Println(resp.Status)
|
||||||
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
|
// An url provided as a function argument is not secure
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
)
|
||||||
|
func get(url string) {
|
||||||
|
resp, err := http.Get(url)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
fmt.Println(resp.Status)
|
||||||
|
}
|
||||||
|
func main() {
|
||||||
|
url := "http://127.0.0.1"
|
||||||
|
get(url)
|
||||||
|
}`}, 1, gosec.NewConfig()}}
|
||||||
|
|
||||||
// SampleCodeG108 - pprof endpoint automatically exposed
|
// SampleCodeG108 - pprof endpoint automatically exposed
|
||||||
SampleCodeG108 = []CodeSample{{[]string{`
|
SampleCodeG108 = []CodeSample{{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
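Review bot: The samples added in the last hunk never cover a function-local variable that shadows a package-level name, which is the case the name-based `scope.Lookup` in ResolveVar is most likely to get wrong; a sample with `var url string` at package scope and `url := "http://127.0.0.1"` inside main, expected to produce 0 issues, would pin the intended behaviour (proposed entry below, to be appended before the closing `}}` of the G107 samples). The header comment on the third added sample (`url2 = url1`) repeats the "initialized to a constant string" wording although that sample exercises reassignment from another local that resolves to a literal; suggest `// A variable reassigned from another function-scoped variable` / `// that resolves to a constant string is secure`. The comment on the exported-variable sample has two slips: `declared a packaged scope` should read `declared at package scope` and `it can changed` should read `it can be changed`.
```go
// … unchanged: preceding G107 samples …
{[]string{`
// A function-scoped variable that shadows a package-level name
// but is initialized to a constant string is secure
package main

import (
	"fmt"
	"net/http"
)

var url string

func main() {
	url := "http://127.0.0.1"
	resp, err := http.Get(url)
	if err != nil {
		fmt.Println(err)
	}
	fmt.Println(resp.Status)
}`}, 0, gosec.NewConfig()}}
```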