From 7fd4aef9dc318093aa3a75fc7f6941beeb304800 Mon Sep 17 00:00:00 2001
From: Eng Zer Jun
Date: Thu, 14 Oct 2021 15:53:26 +0800
Subject: [PATCH] feat: add os.ReadFile to G304 (#706)
In Go 1.16 or higher, the `io/ioutil` has been deprecated and the `ioutil.ReadFile` function now calls `os.ReadFile`.
Signed-off-by: Eng Zer Jun
---
 rules/readfile.go | 1 +
 testutils/source.go | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/rules/readfile.go b/rules/readfile.go
index 072b016..a4ccb72 100644
--- a/rules/readfile.go
+++ b/rules/readfile.go
@@ -122,6 +122,7 @@ func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 rule.clean.Add("path/filepath", "Clean")
 rule.clean.Add("path/filepath", "Rel")
 rule.Add("io/ioutil", "ReadFile")
+ rule.Add("os", "ReadFile")
 rule.Add("os", "Open")
 rule.Add("os", "OpenFile")
 return rule, []ast.Node{(*ast.CallExpr)(nil)}
diff --git a/testutils/source.go b/testutils/source.go
index 50e320a..766becb 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -1787,6 +1787,22 @@ func main() {
 }`}, 1, gosec.NewConfig()}, {[]string{`
 package main
+import (
+"os"
+"log"
+)
+
+func main() {
+ f := os.Getenv("tainted_file")
+ body, err := os.ReadFile(f)
+ if err != nil {
+ log.Printf("Error: %v\n", err)
+ }
+ log.Print(body)
+
+}`}, 1, gosec.NewConfig()}, {[]string{`
+package main
+
 import (
 "fmt"
 "log"
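Review bot: The new `rule.Add("os", "ReadFile")` line sits directly under `rule.Add("io/ioutil", "ReadFile")` with nothing in the code saying why both are registered. A later cleanup could drop the deprecated entry and stop flagging code that still imports `io/ioutil`. A one-line comment above the pair would record the intent, for example `// io/ioutil.ReadFile is deprecated since Go 1.16 and forwards to os.ReadFile; keep both so older code is still flagged.` NewReadFile starts above the hunk, so how the registered names are matched against call sites cannot be confirmed from these lines.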
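Review bot: The added fixture only exercises the tainted case (`os.ReadFile(f)` with `f` taken from `os.Getenv`, expected count 1); it has no counterpart where the path passes through a registered cleaner and the expected count is 0. The rule appears to treat `filepath.Clean` and `filepath.Rel` as sanitizers, so a second entry using `body, err := os.ReadFile(filepath.Clean(f))` with `0` as the expected count would pin that the new sink gets the same suppression as the existing ones. The fixture table extends beyond the hunk on both sides, so whether such negative samples already exist for `os.Open` or `ioutil.ReadFile` is not visible here.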