Add a rule which detects when pprof endpoint is automatically exposed
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
parent
73fbc9ba49
commit
9cee24cccd
4 changed files with 64 additions and 0 deletions
42
rules/pprof.go
Normal file
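--- /dev/null
+++ b/rules/pprof.go
@@ -0,0 +1,42 @@
+package rules
+
+import (
+	"go/ast"
+
+	"github.com/securego/gosec"
+)
+
+type pprofCheck struct {
+	gosec.MetaData
+	importPath string
+	importName string
+}
+
+// ID returns the ID of the check
+func (p *pprofCheck) ID() string {
+	return p.MetaData.ID
+}
+
+// Match checks for pprof imports
+func (p *pprofCheck) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
+	if node, ok := n.(*ast.ImportSpec); ok {
+		if p.importPath == unquote(node.Path.Value) && p.importName == node.Name.Name {
+			return gosec.NewIssue(c, node, p.ID(), p.What, p.Severity, p.Confidence), nil
+		}
+	}
+	return nil, nil
+}
+
+// NewPprofCheck detects when the profiling endpoint is automatically exposed
+func NewPprofCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
+	return &pprofCheck{
+		MetaData: gosec.MetaData{
+			ID:         id,
+			Severity:   gosec.High,
+			Confidence: gosec.High,
+			What:       "Profiling endpoint is automatically exposed on /debug/pprof",
+		},
+		importPath: "net/http/pprof",
+		importName: "_",
+	}, []ast.Node{(*ast.ImportSpec)(nil)}
+}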
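Review bot: `Match` dereferences `node.Name` without a nil check, and `ast.ImportSpec.Name` is nil for an import that carries no alias, so a plain `import "net/http/pprof"` (used, for example, to reach `pprof.Handler`) makes the rule panic on `node.Name.Name` as soon as the path comparison succeeds. Guard the identifier first: `if node.Name != nil && p.importPath == unquote(node.Path.Value) && p.importName == node.Name.Name {`. Separately, the package's `init` registers its handlers on `http.DefaultServeMux` for every import form, not only the blank one, so matching `importName == "_"` is a narrower detection than the `What` text ("automatically exposed on /debug/pprof") suggests; if that narrowing is intentional, a comment on the `importName` field such as `// only the side-effect-only import form is reported` would make the scope explicit for the next maintainer.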
@ -65,6 +65,7 @@ func Generate(filters ...RuleFilter) RuleList {
|
||||||
{"G104", "Audit errors not checked", NewNoErrorCheck},
|
{"G104", "Audit errors not checked", NewNoErrorCheck},
|
||||||
{"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
|
{"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
|
||||||
{"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},
|
{"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},
|
||||||
|
{"G108", "Profiling endpoint is automatically exposed", NewPprofCheck},
|
||||||
|
|
||||||
// injection
|
// injection
|
||||||
{"G201", "SQL query construction using format string", NewSQLStrFormat},
|
{"G201", "SQL query construction using format string", NewSQLStrFormat},
|
||||||
|
|
|
@ -79,6 +79,10 @@ var _ = Describe("gosec rules", func() {
|
||||||
runner("G107", testutils.SampleCodeG107)
|
runner("G107", testutils.SampleCodeG107)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
It("should detect pprof endpoint", func() {
|
||||||
|
runner("G108", testutils.SampleCodeG108)
|
||||||
|
})
|
||||||
|
|
||||||
It("should detect sql injection via format strings", func() {
|
It("should detect sql injection via format strings", func() {
|
||||||
runner("G201", testutils.SampleCodeG201)
|
runner("G201", testutils.SampleCodeG201)
|
||||||
})
|
})
|
||||||
|
|
|
@ -404,6 +404,23 @@ func main() {
|
||||||
}
|
}
|
||||||
fmt.Println(resp.Status)
|
fmt.Println(resp.Status)
|
||||||
}`}, 0, gosec.NewConfig()}}
|
}`}, 0, gosec.NewConfig()}}
|
||||||
|
// SampleCodeG108 - pprof endpoint automatically exposed
|
||||||
|
SampleCodeG108 = []CodeSample{{[]string{`
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
|
"net/http"
|
||||||
|
_ "net/http/pprof"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
fmt.Fprintf(w, "Hello World!")
|
||||||
|
})
|
||||||
|
log.Fatal(http.ListenAndServe(":8080", nil))
|
||||||
|
}`}, 1, gosec.NewConfig()}}
|
||||||
// SampleCodeG201 - SQL injection via format string
|
// SampleCodeG201 - SQL injection via format string
|
||||||
SampleCodeG201 = []CodeSample{
|
SampleCodeG201 = []CodeSample{
|
||||||
{[]string{`
|
{[]string{`
|
||||||
|
|
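Review bot: `SampleCodeG108` exercises only the blank-identifier import form, which is also the only form the new rule in rules/pprof.go accepts, so the non-blank `"net/http/pprof"` import (where `ImportSpec.Name` is nil) has no test at all. A second `CodeSample` with an unaliased import would pin down whether the rule is meant to report it; its expected count should be chosen together with that decision rather than assumed here. The enclosing declaration block appears to start before this hunk and continue past it.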