Add a rule which detects when pprof endpoint is automatically exposed

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
This commit is contained in:
Cosmin Cojocar 2019-09-20 10:46:06 +02:00 committed by Grant Murphy
parent 73fbc9ba49
commit 9cee24cccd
4 changed files with 64 additions and 0 deletions

42
rules/pprof.go Normal file
View file

@ -0,0 +1,42 @@
package rules
import (
"go/ast"
"github.com/securego/gosec"
)
type pprofCheck struct {
gosec.MetaData
importPath string
importName string
}
// ID returns the ID of the check
func (p *pprofCheck) ID() string {
return p.MetaData.ID
}
// Match checks for pprof imports
func (p *pprofCheck) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
if node, ok := n.(*ast.ImportSpec); ok {
if p.importPath == unquote(node.Path.Value) && p.importName == node.Name.Name {
return gosec.NewIssue(c, node, p.ID(), p.What, p.Severity, p.Confidence), nil
}
}
return nil, nil
}
// NewPprofCheck detects when the profiling endpoint is automatically exposed
func NewPprofCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
return &pprofCheck{
MetaData: gosec.MetaData{
ID: id,
Severity: gosec.High,
Confidence: gosec.High,
What: "Profiling endpoint is automatically exposed on /debug/pprof",
},
importPath: "net/http/pprof",
importName: "_",
}, []ast.Node{(*ast.ImportSpec)(nil)}
}

View file

@ -65,6 +65,7 @@ func Generate(filters ...RuleFilter) RuleList {
{"G104", "Audit errors not checked", NewNoErrorCheck},
{"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
{"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},
{"G108", "Profiling endpoint is automatically exposed", NewPprofCheck},
// injection
{"G201", "SQL query construction using format string", NewSQLStrFormat},

View file

@ -79,6 +79,10 @@ var _ = Describe("gosec rules", func() {
runner("G107", testutils.SampleCodeG107)
})
It("should detect pprof endpoint", func() {
runner("G108", testutils.SampleCodeG108)
})
It("should detect sql injection via format strings", func() {
runner("G201", testutils.SampleCodeG201)
})

View file

@ -404,6 +404,23 @@ func main() {
}
fmt.Println(resp.Status)
}`}, 0, gosec.NewConfig()}}
// SampleCodeG108 - pprof endpoint automatically exposed
SampleCodeG108 = []CodeSample{{[]string{`
package main
import (
"fmt"
"log"
"net/http"
_ "net/http/pprof"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello World!")
})
log.Fatal(http.ListenAndServe(":8080", nil))
}`}, 1, gosec.NewConfig()}}
// SampleCodeG201 - SQL injection via format string
SampleCodeG201 = []CodeSample{
{[]string{`