Small update to G201 and added ConcatString Function (#228)

This commit is contained in:
cschoenduve-splunk 2018-08-19 10:57:36 -07:00 committed by Cosmin Cojocar
parent 1c438e36af
commit a7cff91312
2 changed files with 35 additions and 0 deletions

View file

@ -256,3 +256,28 @@ func GetPkgAbsPath(pkgPath string) (string, error) {
} }
return absPath, nil return absPath, nil
} }
// ConcatString recusively concatenates strings from a binary expression
func ConcatString(n *ast.BinaryExpr) (string, bool) {
var s string
// sub expressions are found in X object, Y object is always last BasicLit
if rightOperand, ok := n.Y.(*ast.BasicLit); ok {
if str, err := GetString(rightOperand); err == nil {
s = str + s
}
} else {
return "", false
}
if leftOperand, ok := n.X.(*ast.BinaryExpr); ok {
if recursion, ok := ConcatString(leftOperand); ok {
s = recursion + s
}
} else if leftOperand, ok := n.X.(*ast.BasicLit); ok {
if str, err := GetString(leftOperand); err == nil {
s = str + s
}
} else {
return "", false
}
return s, true
}

View file

@ -106,6 +106,16 @@ func (s *sqlStrFormat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error)
// TODO(gm) improve confidence if database/sql is being used // TODO(gm) improve confidence if database/sql is being used
if node := s.calls.ContainsCallExpr(n, c); node != nil { if node := s.calls.ContainsCallExpr(n, c); node != nil {
// concats callexpr arg strings together if needed before regex evaluation
if argExpr, ok := node.Args[0].(*ast.BinaryExpr); ok {
if fullStr, ok := gosec.ConcatString(argExpr); ok {
if s.MatchPatterns(fullStr) {
return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence),
nil
}
}
}
if arg, e := gosec.GetString(node.Args[0]); s.MatchPatterns(arg) && e == nil { if arg, e := gosec.GetString(node.Args[0]); s.MatchPatterns(arg) && e == nil {
return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
} }