mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 12:05:52 +00:00
Merge pull request #29 from HewlettPackard/fix_regexp
Fix incorrect regexp matches
This commit is contained in:
commit
8261ee58d6
12 changed files with 18 additions and 18 deletions
|
@ -40,7 +40,7 @@ func (r *BindsToAllNetworkInterfaces) Match(n ast.Node, c *gas.Context) (gi *gas
|
||||||
|
|
||||||
func NewBindsToAllNetworkInterfaces() (r gas.Rule, n ast.Node) {
|
func NewBindsToAllNetworkInterfaces() (r gas.Rule, n ast.Node) {
|
||||||
r = &BindsToAllNetworkInterfaces{
|
r = &BindsToAllNetworkInterfaces{
|
||||||
call: regexp.MustCompile(`^net.Listen$`),
|
call: regexp.MustCompile(`^net\.Listen$`),
|
||||||
pattern: regexp.MustCompile(`^(0.0.0.0|:).*$`),
|
pattern: regexp.MustCompile(`^(0.0.0.0|:).*$`),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
|
|
|
@ -39,7 +39,7 @@ func (r *FilePermissions) Match(n ast.Node, c *gas.Context) (*gas.Issue, error)
|
||||||
func NewChmodPerms() (r gas.Rule, n ast.Node) {
|
func NewChmodPerms() (r gas.Rule, n ast.Node) {
|
||||||
mode := 0600
|
mode := 0600
|
||||||
r = &FilePermissions{
|
r = &FilePermissions{
|
||||||
pattern: regexp.MustCompile(`^os.Chmod$`),
|
pattern: regexp.MustCompile(`^os\.Chmod$`),
|
||||||
mode: (int64)(mode),
|
mode: (int64)(mode),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
|
@ -54,7 +54,7 @@ func NewChmodPerms() (r gas.Rule, n ast.Node) {
|
||||||
func NewMkdirPerms() (r gas.Rule, n ast.Node) {
|
func NewMkdirPerms() (r gas.Rule, n ast.Node) {
|
||||||
mode := 0700
|
mode := 0700
|
||||||
r = &FilePermissions{
|
r = &FilePermissions{
|
||||||
pattern: regexp.MustCompile(`^(os.Mkdir|os.MkdirAll)$`),
|
pattern: regexp.MustCompile(`^(os\.Mkdir|os\.MkdirAll)$`),
|
||||||
mode: (int64)(mode),
|
mode: (int64)(mode),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
|
|
|
@ -45,7 +45,7 @@ func (r *CredsAssign) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
|
||||||
|
|
||||||
func NewHardcodedCredentials() (r gas.Rule, n ast.Node) {
|
func NewHardcodedCredentials() (r gas.Rule, n ast.Node) {
|
||||||
r = &CredsAssign{
|
r = &CredsAssign{
|
||||||
pattern: regexp.MustCompile("(?i)passwd|pass|password|pwd|secret|token"),
|
pattern: regexp.MustCompile(`(?i)passwd|pass|password|pwd|secret|token`),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
What: "Potential hardcoded credentials",
|
What: "Potential hardcoded credentials",
|
||||||
Confidence: gas.Low,
|
Confidence: gas.Low,
|
||||||
|
|
|
@ -43,7 +43,7 @@ func NewHttpoxyTest() (r gas.Rule, n ast.Node) {
|
||||||
Confidence: gas.Low,
|
Confidence: gas.Low,
|
||||||
What: "Go code running under CGI is vulnerable to Httpoxy attack. (CVE-2016-5386)",
|
What: "Go code running under CGI is vulnerable to Httpoxy attack. (CVE-2016-5386)",
|
||||||
},
|
},
|
||||||
pattern: regexp.MustCompile("^\"net/http/cgi\"$"),
|
pattern: regexp.MustCompile(`^"net/http/cgi"$`),
|
||||||
}
|
}
|
||||||
n = (*ast.ImportSpec)(nil)
|
n = (*ast.ImportSpec)(nil)
|
||||||
return
|
return
|
||||||
|
|
|
@ -41,7 +41,7 @@ func (w *WeakRand) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
|
||||||
|
|
||||||
func NewWeakRandCheck() (r gas.Rule, n ast.Node) {
|
func NewWeakRandCheck() (r gas.Rule, n ast.Node) {
|
||||||
r = &WeakRand{
|
r = &WeakRand{
|
||||||
pattern: regexp.MustCompile(`^rand.Read$`),
|
pattern: regexp.MustCompile(`^rand\.Read$`),
|
||||||
packageName: "rand",
|
packageName: "rand",
|
||||||
packagePath: "math/rand",
|
packagePath: "math/rand",
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
|
|
|
@ -40,7 +40,7 @@ func (w *WeakKeyStrength) Match(n ast.Node, c *gas.Context) (*gas.Issue, error)
|
||||||
func NewWeakKeyStrength() (r gas.Rule, n ast.Node) {
|
func NewWeakKeyStrength() (r gas.Rule, n ast.Node) {
|
||||||
bits := 2048
|
bits := 2048
|
||||||
r = &WeakKeyStrength{
|
r = &WeakKeyStrength{
|
||||||
pattern: regexp.MustCompile(`^rsa.GenerateKey$`),
|
pattern: regexp.MustCompile(`^rsa\.GenerateKey$`),
|
||||||
bits: bits,
|
bits: bits,
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
|
|
|
@ -59,7 +59,7 @@ func (s *SqlStrConcat) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
|
||||||
func NewSqlStrConcat() (r gas.Rule, n ast.Node) {
|
func NewSqlStrConcat() (r gas.Rule, n ast.Node) {
|
||||||
r = &SqlStrConcat{
|
r = &SqlStrConcat{
|
||||||
SqlStatement: SqlStatement{
|
SqlStatement: SqlStatement{
|
||||||
pattern: regexp.MustCompile("(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
|
pattern: regexp.MustCompile(`(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) `),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
Confidence: gas.High,
|
Confidence: gas.High,
|
||||||
|
@ -88,7 +88,7 @@ func (s *SqlStrFormat) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err err
|
||||||
|
|
||||||
func NewSqlStrFormat() (r gas.Rule, n ast.Node) {
|
func NewSqlStrFormat() (r gas.Rule, n ast.Node) {
|
||||||
r = &SqlStrFormat{
|
r = &SqlStrFormat{
|
||||||
call: regexp.MustCompile("^fmt.Sprintf$"),
|
call: regexp.MustCompile(`^fmt\.Sprintf$`),
|
||||||
SqlStatement: SqlStatement{
|
SqlStatement: SqlStatement{
|
||||||
pattern: regexp.MustCompile("(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
|
pattern: regexp.MustCompile("(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
|
|
|
@ -37,8 +37,8 @@ func (t *BadTempFile) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
|
||||||
|
|
||||||
func NewBadTempFile() (r gas.Rule, n ast.Node) {
|
func NewBadTempFile() (r gas.Rule, n ast.Node) {
|
||||||
r = &BadTempFile{
|
r = &BadTempFile{
|
||||||
call: regexp.MustCompile("ioutil.WriteFile|os.Create"),
|
call: regexp.MustCompile(`ioutil\.WriteFile|os\.Create`),
|
||||||
args: regexp.MustCompile("^/tmp/.*$|^/var/tmp/.*$"),
|
args: regexp.MustCompile(`^/tmp/.*$|^/var/tmp/.*$`),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
Confidence: gas.High,
|
Confidence: gas.High,
|
||||||
|
|
|
@ -38,7 +38,7 @@ func (t *TemplateCheck) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err er
|
||||||
|
|
||||||
func NewTemplateCheck() (r gas.Rule, n ast.Node) {
|
func NewTemplateCheck() (r gas.Rule, n ast.Node) {
|
||||||
r = &TemplateCheck{
|
r = &TemplateCheck{
|
||||||
call: regexp.MustCompile("^template.(HTML|JS|URL)$"),
|
call: regexp.MustCompile(`^template\.(HTML|JS|URL)$`),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
Confidence: gas.Low,
|
Confidence: gas.Low,
|
||||||
|
|
|
@ -112,7 +112,7 @@ func (t *InsecureConfigTLS) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, er
|
||||||
func NewModernTlsCheck() (r gas.Rule, n ast.Node) {
|
func NewModernTlsCheck() (r gas.Rule, n ast.Node) {
|
||||||
// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
|
// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
|
||||||
r = &InsecureConfigTLS{
|
r = &InsecureConfigTLS{
|
||||||
pattern: regexp.MustCompile("^tls.Config$"),
|
pattern: regexp.MustCompile(`^tls\.Config$`),
|
||||||
MinVersion: 0x0303, // TLS 1.2 only
|
MinVersion: 0x0303, // TLS 1.2 only
|
||||||
MaxVersion: 0x0303,
|
MaxVersion: 0x0303,
|
||||||
goodCiphers: []string{
|
goodCiphers: []string{
|
||||||
|
@ -129,7 +129,7 @@ func NewModernTlsCheck() (r gas.Rule, n ast.Node) {
|
||||||
func NewIntermediateTlsCheck() (r gas.Rule, n ast.Node) {
|
func NewIntermediateTlsCheck() (r gas.Rule, n ast.Node) {
|
||||||
// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
|
// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
|
||||||
r = &InsecureConfigTLS{
|
r = &InsecureConfigTLS{
|
||||||
pattern: regexp.MustCompile("^tls.Config$"),
|
pattern: regexp.MustCompile(`^tls\.Config$`),
|
||||||
MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
|
MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
|
||||||
MaxVersion: 0x0303,
|
MaxVersion: 0x0303,
|
||||||
goodCiphers: []string{
|
goodCiphers: []string{
|
||||||
|
@ -157,7 +157,7 @@ func NewIntermediateTlsCheck() (r gas.Rule, n ast.Node) {
|
||||||
func NewCompatTlsCheck() (r gas.Rule, n ast.Node) {
|
func NewCompatTlsCheck() (r gas.Rule, n ast.Node) {
|
||||||
// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_compatibility_.28default.29
|
// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_compatibility_.28default.29
|
||||||
r = &InsecureConfigTLS{
|
r = &InsecureConfigTLS{
|
||||||
pattern: regexp.MustCompile("^tls.Config$"),
|
pattern: regexp.MustCompile(`^tls\.Config$`),
|
||||||
MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
|
MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
|
||||||
MaxVersion: 0x0303,
|
MaxVersion: 0x0303,
|
||||||
goodCiphers: []string{
|
goodCiphers: []string{
|
||||||
|
|
|
@ -34,7 +34,7 @@ func (r *UsingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
|
||||||
|
|
||||||
func NewUsingUnsafe() (r gas.Rule, n ast.Node) {
|
func NewUsingUnsafe() (r gas.Rule, n ast.Node) {
|
||||||
r = &UsingUnsafe{
|
r = &UsingUnsafe{
|
||||||
pattern: regexp.MustCompile("unsafe.*"),
|
pattern: regexp.MustCompile(`unsafe.*`),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
What: "Use of unsafe calls should be audited",
|
What: "Use of unsafe calls should be audited",
|
||||||
Severity: gas.Low,
|
Severity: gas.Low,
|
||||||
|
|
|
@ -40,7 +40,7 @@ func (r *ImportsWeakCryptography) Match(n ast.Node, c *gas.Context) (gi *gas.Iss
|
||||||
// Imports crypto/md5, crypto/des crypto/rc4
|
// Imports crypto/md5, crypto/des crypto/rc4
|
||||||
func NewImportsWeakCryptography() (r gas.Rule, n ast.Node) {
|
func NewImportsWeakCryptography() (r gas.Rule, n ast.Node) {
|
||||||
r = &ImportsWeakCryptography{
|
r = &ImportsWeakCryptography{
|
||||||
pattern: regexp.MustCompile("crypto/md5|crypto/des|crypto/rc4"),
|
pattern: regexp.MustCompile(`crypto/md5|crypto/des|crypto/rc4`),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
Confidence: gas.High,
|
Confidence: gas.High,
|
||||||
|
@ -66,7 +66,7 @@ func (r *UsesWeakCryptography) Match(n ast.Node, c *gas.Context) (*gas.Issue, er
|
||||||
// Uses des.* md5.* or rc4.*
|
// Uses des.* md5.* or rc4.*
|
||||||
func NewUsesWeakCryptography() (r gas.Rule, n ast.Node) {
|
func NewUsesWeakCryptography() (r gas.Rule, n ast.Node) {
|
||||||
r = &UsesWeakCryptography{
|
r = &UsesWeakCryptography{
|
||||||
pattern: regexp.MustCompile("des.NewCipher|des.NewTripleDESCipher|md5.New|md5.Sum|rc4.NewCipher"),
|
pattern: regexp.MustCompile(`des\.NewCipher|des\.NewTripleDESCipher|md5\.New|md5\.Sum|rc4\.NewCipher`),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
Confidence: gas.High,
|
Confidence: gas.High,
|
||||||
|
|
Loading…
Reference in a new issue