mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 03:55:54 +00:00
Track back when a file path was sanitized with filepath.Clean (#912)
* Track back when a file path was sanitized with filepath.Clean * Remove unused argument to fix lint warnings
This commit is contained in:
parent
fd280360cd
commit
5874e63c9e
2 changed files with 44 additions and 15 deletions
|
@ -24,8 +24,9 @@ import (
|
||||||
type readfile struct {
|
type readfile struct {
|
||||||
gosec.MetaData
|
gosec.MetaData
|
||||||
gosec.CallList
|
gosec.CallList
|
||||||
pathJoin gosec.CallList
|
pathJoin gosec.CallList
|
||||||
clean gosec.CallList
|
clean gosec.CallList
|
||||||
|
cleanedVar map[any]ast.Node
|
||||||
}
|
}
|
||||||
|
|
||||||
// ID returns the identifier for this rule
|
// ID returns the identifier for this rule
|
||||||
|
@ -57,24 +58,29 @@ func (r *readfile) isJoinFunc(n ast.Node, c *gosec.Context) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// isFilepathClean checks if there is a filepath.Clean before assigning to a variable
|
// isFilepathClean checks if there is a filepath.Clean for given variable
|
||||||
func (r *readfile) isFilepathClean(n *ast.Ident, c *gosec.Context) bool {
|
func (r *readfile) isFilepathClean(n *ast.Ident) bool {
|
||||||
if n.Obj.Kind != ast.Var {
|
if _, ok := r.cleanedVar[n.Obj.Decl]; ok {
|
||||||
return false
|
return true
|
||||||
}
|
|
||||||
if node, ok := n.Obj.Decl.(*ast.AssignStmt); ok {
|
|
||||||
if call, ok := node.Rhs[0].(*ast.CallExpr); ok {
|
|
||||||
if clean := r.clean.ContainsPkgCallExpr(call, c, false); clean != nil {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// trackFilepathClean tracks back the declaration of variable from filepath.Clean argument
|
||||||
|
func (r *readfile) trackFilepathClean(n ast.Node) {
|
||||||
|
if clean, ok := n.(*ast.CallExpr); ok && len(clean.Args) > 0 {
|
||||||
|
if ident, ok := clean.Args[0].(*ast.Ident); ok {
|
||||||
|
r.cleanedVar[ident.Obj.Decl] = n
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Match inspects AST nodes to determine if the match the methods `os.Open` or `ioutil.ReadFile`
|
// Match inspects AST nodes to determine if the match the methods `os.Open` or `ioutil.ReadFile`
|
||||||
func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
|
func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
|
||||||
if node := r.ContainsPkgCallExpr(n, c, false); node != nil {
|
if node := r.clean.ContainsPkgCallExpr(n, c, false); node != nil {
|
||||||
|
r.trackFilepathClean(n)
|
||||||
|
return nil, nil
|
||||||
|
} else if node := r.ContainsPkgCallExpr(n, c, false); node != nil {
|
||||||
for _, arg := range node.Args {
|
for _, arg := range node.Args {
|
||||||
// handles path joining functions in Arg
|
// handles path joining functions in Arg
|
||||||
// eg. os.Open(filepath.Join("/tmp/", file))
|
// eg. os.Open(filepath.Join("/tmp/", file))
|
||||||
|
@ -95,7 +101,7 @@ func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
|
||||||
obj := c.Info.ObjectOf(ident)
|
obj := c.Info.ObjectOf(ident)
|
||||||
if _, ok := obj.(*types.Var); ok &&
|
if _, ok := obj.(*types.Var); ok &&
|
||||||
!gosec.TryResolve(ident, c) &&
|
!gosec.TryResolve(ident, c) &&
|
||||||
!r.isFilepathClean(ident, c) {
|
!r.isFilepathClean(ident) {
|
||||||
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
|
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -116,6 +122,7 @@ func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
Severity: gosec.Medium,
|
Severity: gosec.Medium,
|
||||||
Confidence: gosec.High,
|
Confidence: gosec.High,
|
||||||
},
|
},
|
||||||
|
cleanedVar: map[any]ast.Node{},
|
||||||
}
|
}
|
||||||
rule.pathJoin.Add("path/filepath", "Join")
|
rule.pathJoin.Add("path/filepath", "Join")
|
||||||
rule.pathJoin.Add("path", "Join")
|
rule.pathJoin.Add("path", "Join")
|
||||||
|
|
|
@ -2463,6 +2463,28 @@ import (
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func openFile(dir string, filePath string) {
|
||||||
|
fp := filepath.Join(dir, filePath)
|
||||||
|
fp = filepath.Clean(fp)
|
||||||
|
_, err := os.OpenFile(fp, os.O_RDONLY, 0600)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
repoFile := "path_of_file"
|
||||||
|
dir := "path_of_dir"
|
||||||
|
openFile(dir, repoFile)
|
||||||
|
}
|
||||||
|
`}, 0, gosec.NewConfig()}, {[]string{`
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
repoFile := "path_of_file"
|
repoFile := "path_of_file"
|
||||||
relFile, err := filepath.Rel("./", repoFile)
|
relFile, err := filepath.Rel("./", repoFile)
|
||||||
|
|
Loading…
Reference in a new issue