Add os.Create to the readfile rule (#761)

Cosmin Cojocar 2022-01-12 19:33:17 +01:00 committed by GitHub
parent 75cc7dcd51
commit 7be6d4efb5
3 changed files with 36 additions and 3 deletions


@ -246,7 +246,7 @@ func printReport(format string, color bool, rootPaths []string, reportInfo *gose
} }
func saveReport(filename, format string, rootPaths []string, reportInfo *gosec.ReportInfo) error { func saveReport(filename, format string, rootPaths []string, reportInfo *gosec.ReportInfo) error {
outfile, err := os.Create(filename) outfile, err := os.Create(filename) //#nosec G304
if err != nil { if err != nil {
return err return err
} }
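Review bot: The `//#nosec G304` added to the os.Create call in saveReport suppresses the very finding this commit teaches the rule to raise, but gives no reason, so a later auditor cannot tell whether the suppression was reviewed or just silenced. `filename` here is presumably the report output path the user chose on the command line, which is why the finding does not apply; a one-line justification above the call, e.g. `// filename is the user-selected report output path, not untrusted input; G304 is suppressed on purpose.`, records that. The rest of saveReport is outside the hunk.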


@ -125,5 +125,6 @@ func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
rule.Add("os", "ReadFile") rule.Add("os", "ReadFile")
rule.Add("os", "Open") rule.Add("os", "Open")
rule.Add("os", "OpenFile") rule.Add("os", "OpenFile")
rule.Add("os", "Create")
return rule, []ast.Node{(*ast.CallExpr)(nil)} return rule, []ast.Node{(*ast.CallExpr)(nil)}
} }
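Review bot: The `rule.Add("os", "Create")` line extends a rule whose identifier and message, set earlier in NewReadFile outside this hunk, presumably still describe reading or including a file, whereas os.Create is a write-side call that creates or truncates the target; the rule's What text and the G304 entry in the README should say that file creation from a variable path is now reported too, otherwise users will read the new finding as a false positive. `os.WriteFile` and `ioutil.WriteFile`, the write-side counterparts of the ReadFile calls already tracked, are not added here; if that is deliberate, a short comment next to this line saying so would stop the next contributor from re-raising it. NewReadFile begins outside the hunk.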


@ -1891,7 +1891,8 @@ func main() {
}`}, 9, gosec.NewConfig()}} }`}, 9, gosec.NewConfig()}}
// SampleCodeG304 - potential file inclusion vulnerability // SampleCodeG304 - potential file inclusion vulnerability
SampleCodeG304 = []CodeSample{{[]string{` SampleCodeG304 = []CodeSample{
{[]string{`
package main package main
import ( import (
@ -2086,7 +2087,38 @@ func main() {
} }
} }
`}, 0, gosec.NewConfig()}} `}, 0, gosec.NewConfig()}, {[]string{`
package main
import (
"io"
"os"
)
func createFile(file string) *os.File {
f, err := os.Create(file)
if err != nil {
panic(err)
}
return f
}
func main() {
s, err := os.Open("src")
if err != nil {
panic(err)
}
defer s.Close()
d := createFile("dst")
defer d.Close()
_, err = io.Copy(d, s)
if err != nil {
panic(err)
}
}`}, 1, gosec.NewConfig()},
}
// SampleCodeG305 - File path traversal when extracting zip/tar archives // SampleCodeG305 - File path traversal when extracting zip/tar archives
SampleCodeG305 = []CodeSample{{[]string{` SampleCodeG305 = []CodeSample{{[]string{`
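Review bot: The new G304 sample expects exactly 1 issue, which rests on `os.Create(file)` in createFile taking a variable path while `os.Open("src")` in main takes a constant literal, but nothing in the sample says which call is meant to fire; a comment inside the sample source such as `// os.Create with a variable path is the expected G304 finding` would make the count self-explaining. There is also no companion sample for os.Create with a constant or cleaned path expected to yield 0, which the earlier G304 samples outside this hunk presumably provide for the read calls, so a regression that flags every os.Create would go unnoticed. The SampleCodeG304 literal starts in this hunk but its earlier entries lie outside it.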