From 361593394eb2cc15ed9c622c5b1f76aa3b9afcdf Mon Sep 17 00:00:00 2001
From: Tim Kelsey
Date: Thu, 21 Jul 2016 10:40:22 +0100
Subject: [PATCH] Adding check for httpoxy

Go code running under CGI is vulnerable to httpoxy attack. See https://httpoxy.org/ this checks for an import of net/http/cgi that might indicate code may be run under CGI. closes #1
---
 rulelist.go | 1 +
 rules/httpoxy.go | 50 +++++++++++++++++++++++++++++++++++++++++++
 rules/httpoxy_test.go | 37 ++++++++++++++++++++++++++++++++
 3 files changed, 88 insertions(+)
 create mode 100644 rules/httpoxy.go
 create mode 100644 rules/httpoxy_test.go

diff --git a/rulelist.go b/rulelist.go
index 78208dc..c51bdba 100644
--- a/rulelist.go
+++ b/rulelist.go
@@ -52,6 +52,7 @@ func newRulelist() rulelist {
 	rs.register("templates", rules.NewTemplateCheck)
 	rs.register("exec", rules.NewSubproc)
 	rs.register("errors", rules.NewNoErrorCheck)
+	rs.register("httpoxy", rules.NewHttpoxyTest)
 	return rs
 }
diff --git a/rules/httpoxy.go b/rules/httpoxy.go
new file mode 100644
index 0000000..badb3b1
--- /dev/null
+++ b/rules/httpoxy.go
@@ -0,0 +1,50 @@
+// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+	"go/ast"
+	"regexp"
+
+	gas "github.com/HewlettPackard/gas/core"
+)
+
+// Looks for "import net/http/cgi"
+type HttpoxyTest struct {
+	gas.MetaData
+	pattern *regexp.Regexp
+}
+
+func (r *HttpoxyTest) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
+	if node, ok := n.(*ast.ImportSpec); ok {
+		if r.pattern.MatchString(node.Path.Value) {
+			return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
+		}
+	}
+	return
+}
+
+func NewHttpoxyTest() (r gas.Rule, n ast.Node) {
+	r = &HttpoxyTest{
+		MetaData: gas.MetaData{
+			Severity: gas.High,
+			Confidence: gas.Low,
+			What: "Go code running under CGI is vulnerable to Httpoxy attack. (CVE-2016-5386)",
+		},
+		pattern: regexp.MustCompile("^\"net/http/cgi\"$"),
+	}
+	n = (*ast.ImportSpec)(nil)
+	return
+}
diff --git a/rules/httpoxy_test.go b/rules/httpoxy_test.go
new file mode 100644
index 0000000..d85a5c1
--- /dev/null
+++ b/rules/httpoxy_test.go
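Review bot: The `What` string in NewHttpoxyTest asserts the vulnerability as a fact, but Match only observes an import of net/http/cgi; that shows the binary may be run as a CGI program, not that it makes outbound HTTP requests through a proxy read from the environment, which is what CVE-2016-5386 actually needs, and to my knowledge the Go 1.6.3 / 1.7 releases already changed net/http to ignore HTTP_PROXY when REQUEST_METHOD is set, so the finding also depends on the toolchain. Confidence is already gas.Low, so the text should read like the heuristic it is: `What: "Go code running under CGI may be vulnerable to httpoxy (CVE-2016-5386): a client-supplied Proxy header becomes HTTP_PROXY for outbound requests on unpatched Go",`. Separately, matching the raw literal with `^"net/http/cgi"$` misses a backtick-quoted import path, which Go permits; unquoting and comparing, `if path, uerr := strconv.Unquote(node.Path.Value); uerr == nil && path == "net/http/cgi" {`, removes the regexp and the pattern field at the cost of one strconv import. The exported type and constructor also want doc comments starting with their names, e.g. `// HttpoxyTest flags imports of net/http/cgi, which suggest the program is run as a CGI binary.`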
@@ -0,0 +1,37 @@
+// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+	"testing"
+
+	gas "github.com/HewlettPackard/gas/core"
+)
+
+func TestHttpoxy(t *testing.T) {
+	analyzer := gas.NewAnalyzer(false, nil)
+	analyzer.AddRule(NewHttpoxyTest())
+
+	issues := gasTestRunner(`
+	package main
+	import (
+	"log"
+	"net/http/cgi"
+	)
+	func main() {
+	}`, analyzer)
+
+	checkTestResults(t, issues, 1, "Go code running under CGI is vulnerable to Httpoxy attack.")
+}
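Review bot: TestHttpoxy covers only the positive case, so nothing demonstrates that the anchored pattern rejects near misses; add a second fixture importing just `"net/http"` (and ideally a path such as `"mycgi/net/http/cgi"`) and assert that it yields no issues, in whatever shape checkTestResults takes for zero findings, since its definition is outside this diff. The fixture also imports "log" without using it; if gasTestRunner only parses with go/ast that is harmless, but should it ever type-check the snippet the test would fail, so dropping the unused import is cheaper than finding out later. The expected message passed to checkTestResults omits the "(CVE-2016-5386)" suffix present in the rule's What, which presumably relies on prefix or substring matching inside checkTestResults; either pass the full string or add a one-line comment saying the comparison is a prefix match.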