Catch os.ModePerm permissions in os.WriteFile
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
This commit is contained in:
parent
dc5e5a99d0
commit
6fbd381238
1 changed files with 13 additions and 1 deletions
@ -61,7 +61,7 @@ func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, err
for _, pkg := range r.pkgs {
if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
modeArg := callexpr.Args[len(callexpr.Args)-1]
if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) {
if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) || isOsPerm(modeArg) {
return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
}
}
@ -69,6 +69,18 @@ func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, err
return nil, nil
}
// isOsPerm check if the provide ast node contains a os.PermMode symbol
func isOsPerm(n ast.Node) bool {
if node, ok := n.(*ast.SelectorExpr); ok {
if identX, ok := node.X.(*ast.Ident); ok {
if identX.Name == "os" && node.Sel != nil && node.Sel.Name == "ModePerm" {
return true
}
}
}
return false
}
// NewWritePerms creates a rule to detect file Writes with bad permissions.
func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
mode := getConfiguredMode(conf, id, 0o600)
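Review bot: The doc comment on isOsPerm names a symbol `os.PermMode` that does not exist and that the function never checks; the code matches the selector `os.ModePerm`, so the comment should read `// isOsPerm reports whether n is the selector expression os.ModePerm.`. In the Match hunk the new condition relies on `&&` binding tighter than `||`, which is the intended grouping but easy to misread in a security rule; parenthesising it, `if mode, err := gosec.GetInt(modeArg); (err == nil && !modeIsSubset(mode, r.mode)) || isOsPerm(modeArg) {`, makes the two detection paths explicit (Match's body starts and ends outside the hunk). isOsPerm keys only on the identifier `os`, so the same constant reached through an import alias or through `fs.ModePerm` (io/fs, the same value since Go 1.16) is not caught; if that is out of scope, a comment on the function saying so would help the next maintainer. Note also that the `isOsPerm` branch fires regardless of the configured threshold in `r.mode`, so a literal 0o777 and `os.ModePerm` are presumably treated differently when the rule is configured to allow 0o777 — worth confirming that asymmetry is intended.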