Small update to G201 and added ConcatString Function (#228)
This commit is contained in:
parent
1c438e36af
commit
a7cff91312
2 changed files with 35 additions and 0 deletions
25
helpers.go
25
helpers.go
|
@ -256,3 +256,28 @@ func GetPkgAbsPath(pkgPath string) (string, error) {
|
|||
}
|
||||
return absPath, nil
|
||||
}
|
||||
|
||||
// ConcatString recusively concatenates strings from a binary expression
|
||||
func ConcatString(n *ast.BinaryExpr) (string, bool) {
|
||||
var s string
|
||||
// sub expressions are found in X object, Y object is always last BasicLit
|
||||
if rightOperand, ok := n.Y.(*ast.BasicLit); ok {
|
||||
if str, err := GetString(rightOperand); err == nil {
|
||||
s = str + s
|
||||
}
|
||||
} else {
|
||||
return "", false
|
||||
}
|
||||
if leftOperand, ok := n.X.(*ast.BinaryExpr); ok {
|
||||
if recursion, ok := ConcatString(leftOperand); ok {
|
||||
s = recursion + s
|
||||
}
|
||||
} else if leftOperand, ok := n.X.(*ast.BasicLit); ok {
|
||||
if str, err := GetString(leftOperand); err == nil {
|
||||
s = str + s
|
||||
}
|
||||
} else {
|
||||
return "", false
|
||||
}
|
||||
return s, true
|
||||
}
|
||||
|
|
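Review bot: ConcatString reports `true` even after it has silently dropped part of the expression: a right operand whose GetString fails (L45–L51) and a left sub-expression whose recursive call returns false (L66–L72) are both skipped and the partial string is still returned with ok=true, so a constructed input like `"SELECT * FROM " + tbl + " WHERE id=%d"` yields only the trailing literal and the caller cannot distinguish a complete literal from a partial one. Either propagate the failure (`return "", false` in both inner branches) or say so in the doc comment, e.g. `// ConcatString recursively concatenates the string literals of a binary expression; operands that are not string literals are skipped, so the result may be partial.`, which also fixes the "recusively" typo on L30. The operator is never inspected, so a comparison such as `a == "x"` is concatenated like an addition; a guard `if n.Op != token.ADD { return "", false }` as the first statement would be the natural fix, assuming go/token can be imported here — the file's import block is outside the hunk.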
10
rules/sql.go
10
rules/sql.go
|
@ -106,6 +106,16 @@ func (s *sqlStrFormat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error)
|
|||
|
||||
// TODO(gm) improve confidence if database/sql is being used
|
||||
if node := s.calls.ContainsCallExpr(n, c); node != nil {
|
||||
// concats callexpr arg strings together if needed before regex evaluation
|
||||
if argExpr, ok := node.Args[0].(*ast.BinaryExpr); ok {
|
||||
if fullStr, ok := gosec.ConcatString(argExpr); ok {
|
||||
if s.MatchPatterns(fullStr) {
|
||||
return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence),
|
||||
nil
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if arg, e := gosec.GetString(node.Args[0]); s.MatchPatterns(arg) && e == nil {
|
||||
return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
|
||||
}
|
||||
|
|
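Review bot: The two success paths at L132 and L152 construct the identical issue, and the first one splits `return gosec.NewIssue(...),` / `nil` over two lines while the second keeps it on one; resolving the argument to a string first and keeping a single MatchPatterns check removes the duplication, as sketched below (assuming GetString rejects a *ast.BinaryExpr, which is what the current fall-through at L149 relies on). Because ConcatString skips operands it cannot resolve (see helpers.go in this commit), `fullStr` can be a fragment of the query; that is acceptable for flagging but deserves a comment on L120 such as `// non-literal operands are dropped, so fullStr may be only part of the query`. `node.Args[0]` at L123 is indexed without a length check, as the pre-existing L149 already does; presumably ContainsCallExpr only matches calls that carry at least one argument — verify. Match's body continues outside the hunk.
```go
if node := s.calls.ContainsCallExpr(n, c); node != nil {
	// concatenate binary-expression literals first; non-literal operands are dropped
	arg, resolved := "", false
	if argExpr, ok := node.Args[0].(*ast.BinaryExpr); ok {
		arg, resolved = gosec.ConcatString(argExpr)
	} else if str, e := gosec.GetString(node.Args[0]); e == nil {
		arg, resolved = str, true
	}
	if resolved && s.MatchPatterns(arg) {
		return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
	}
	// … unchanged: remainder of Match …
```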