mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 03:55:54 +00:00
Fix test cases with invalid sample code
This commit is contained in:
parent
d3f0a08f0d
commit
ab4867bc76
9 changed files with 60 additions and 41 deletions
|
@ -32,12 +32,13 @@ func TestErrorsMulti(t *testing.T) {
|
||||||
"fmt"
|
"fmt"
|
||||||
)
|
)
|
||||||
|
|
||||||
func test() (val int, err error) {
|
func test() (int,error) {
|
||||||
return 0, nil
|
return 0, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
v, _ := test()
|
v, _ := test()
|
||||||
|
fmt.Println(v)
|
||||||
}`, analyzer)
|
}`, analyzer)
|
||||||
|
|
||||||
checkTestResults(t, issues, 1, "Errors unhandled")
|
checkTestResults(t, issues, 1, "Errors unhandled")
|
||||||
|
@ -130,6 +131,9 @@ func TestErrorsWhitelisted(t *testing.T) {
|
||||||
var b bytes.Buffer
|
var b bytes.Buffer
|
||||||
// Default whitelist
|
// Default whitelist
|
||||||
nbytes, _ := b.Write([]byte("Hello "))
|
nbytes, _ := b.Write([]byte("Hello "))
|
||||||
|
if nbytes <= 0 {
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
|
||||||
// Whitelisted via configuration
|
// Whitelisted via configuration
|
||||||
r, _ := zlib.NewReader(&b)
|
r, _ := zlib.NewReader(&b)
|
||||||
|
|
|
@ -27,12 +27,12 @@ func TestChmod(t *testing.T) {
|
||||||
|
|
||||||
issues := gasTestRunner(`
|
issues := gasTestRunner(`
|
||||||
package main
|
package main
|
||||||
import "os"
|
import "os"
|
||||||
func main() {
|
func main() {
|
||||||
os.Chmod("/tmp/somefile", 0777)
|
os.Chmod("/tmp/somefile", 0777)
|
||||||
os.Chmod("/tmp/someotherfile", 0600)
|
os.Chmod("/tmp/someotherfile", 0600)
|
||||||
f := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
|
os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
|
||||||
f := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
|
os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
|
||||||
}`, analyzer)
|
}`, analyzer)
|
||||||
|
|
||||||
checkTestResults(t, issues, 2, "Expect file permissions")
|
checkTestResults(t, issues, 2, "Expect file permissions")
|
||||||
|
|
|
@ -90,7 +90,10 @@ func TestHardcodedConstantMulti(t *testing.T) {
|
||||||
|
|
||||||
import "fmt"
|
import "fmt"
|
||||||
|
|
||||||
const username, password = "secret"
|
const (
|
||||||
|
username = "user"
|
||||||
|
password = "secret"
|
||||||
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
fmt.Println("Doing something with: ", username, password)
|
fmt.Println("Doing something with: ", username, password)
|
||||||
|
@ -104,7 +107,7 @@ func TestHardecodedVarsNotAssigned(t *testing.T) {
|
||||||
analyzer := gas.NewAnalyzer(config, nil)
|
analyzer := gas.NewAnalyzer(config, nil)
|
||||||
analyzer.AddRule(NewHardcodedCredentials(config))
|
analyzer.AddRule(NewHardcodedCredentials(config))
|
||||||
issues := gasTestRunner(`
|
issues := gasTestRunner(`
|
||||||
package main
|
package main
|
||||||
var password string
|
var password string
|
||||||
func init() {
|
func init() {
|
||||||
password = "this is a secret string"
|
password = "this is a secret string"
|
||||||
|
|
|
@ -29,8 +29,11 @@ func TestHttpoxy(t *testing.T) {
|
||||||
package main
|
package main
|
||||||
import (
|
import (
|
||||||
"net/http/cgi"
|
"net/http/cgi"
|
||||||
|
"net/http"
|
||||||
)
|
)
|
||||||
func main() {}`, analyzer)
|
func main() {
|
||||||
|
cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
|
||||||
|
}`, analyzer)
|
||||||
|
|
||||||
checkTestResults(t, issues, 1, "Go versions < 1.6.3 are vulnerable to Httpoxy")
|
checkTestResults(t, issues, 1, "Go versions < 1.6.3 are vulnerable to Httpoxy")
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,14 +27,15 @@ func TestNosec(t *testing.T) {
|
||||||
|
|
||||||
issues := gasTestRunner(
|
issues := gasTestRunner(
|
||||||
`package main
|
`package main
|
||||||
|
import (
|
||||||
|
"os"
|
||||||
|
"os/exec"
|
||||||
|
)
|
||||||
|
|
||||||
import (
|
func main() {
|
||||||
"fmt"
|
cmd := exec.Command("sh", "-c", os.Getenv("BLAH")) // #nosec
|
||||||
)
|
cmd.Run()
|
||||||
|
}`, analyzer)
|
||||||
func main() {
|
|
||||||
cmd := exec.Command("sh", "-c", config.Command) // #nosec
|
|
||||||
}`, analyzer)
|
|
||||||
|
|
||||||
checkTestResults(t, issues, 0, "None")
|
checkTestResults(t, issues, 0, "None")
|
||||||
}
|
}
|
||||||
|
@ -46,17 +47,18 @@ func TestNosecBlock(t *testing.T) {
|
||||||
|
|
||||||
issues := gasTestRunner(
|
issues := gasTestRunner(
|
||||||
`package main
|
`package main
|
||||||
|
import (
|
||||||
|
"os"
|
||||||
|
"os/exect"
|
||||||
|
)
|
||||||
|
|
||||||
import (
|
func main() {
|
||||||
"fmt"
|
|
||||||
)
|
|
||||||
|
|
||||||
func main() {
|
|
||||||
// #nosec
|
// #nosec
|
||||||
if true {
|
if true {
|
||||||
cmd := exec.Command("sh", "-c", config.Command)
|
cmd := exec.Command("sh", "-c", os.Getenv("BLAH"))
|
||||||
|
cmd.Run()
|
||||||
}
|
}
|
||||||
}`, analyzer)
|
}`, analyzer)
|
||||||
|
|
||||||
checkTestResults(t, issues, 0, "None")
|
checkTestResults(t, issues, 0, "None")
|
||||||
}
|
}
|
||||||
|
@ -69,13 +71,15 @@ func TestNosecIgnore(t *testing.T) {
|
||||||
issues := gasTestRunner(
|
issues := gasTestRunner(
|
||||||
`package main
|
`package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"os"
|
||||||
)
|
"os/exec"
|
||||||
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
cmd := exec.Command("sh", "-c", config.Command) // #nosec
|
cmd := exec.Command("sh", "-c", os.Args[1]) // #nosec
|
||||||
}`, analyzer)
|
cmd.Run()
|
||||||
|
}`, analyzer)
|
||||||
|
|
||||||
checkTestResults(t, issues, 1, "Subprocess launching with variable.")
|
checkTestResults(t, issues, 1, "Subprocess launching with variable.")
|
||||||
}
|
}
|
||||||
|
|
|
@ -32,7 +32,8 @@ func TestRandOk(t *testing.T) {
|
||||||
import "crypto/rand"
|
import "crypto/rand"
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
good, err := rand.Read(nil)
|
good, _ := rand.Read(nil)
|
||||||
|
println(good)
|
||||||
}`, analyzer)
|
}`, analyzer)
|
||||||
|
|
||||||
checkTestResults(t, issues, 0, "Not expected to match")
|
checkTestResults(t, issues, 0, "Not expected to match")
|
||||||
|
@ -50,7 +51,9 @@ func TestRandBad(t *testing.T) {
|
||||||
import "math/rand"
|
import "math/rand"
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
bad, err := rand.Read(nil)
|
bad, _ := rand.Read(nil)
|
||||||
|
println(bad)
|
||||||
|
|
||||||
}`, analyzer)
|
}`, analyzer)
|
||||||
|
|
||||||
checkTestResults(t, issues, 1, "Use of weak random number generator (math/rand instead of crypto/rand)")
|
checkTestResults(t, issues, 1, "Use of weak random number generator (math/rand instead of crypto/rand)")
|
||||||
|
@ -72,8 +75,10 @@ func TestRandRenamed(t *testing.T) {
|
||||||
|
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
good, err := rand.Read(nil)
|
good, _ := rand.Read(nil)
|
||||||
|
println(good)
|
||||||
i := mrand.Int()
|
i := mrand.Int()
|
||||||
|
println(i)
|
||||||
}`, analyzer)
|
}`, analyzer)
|
||||||
|
|
||||||
checkTestResults(t, issues, 0, "Not expected to match")
|
checkTestResults(t, issues, 0, "Not expected to match")
|
||||||
|
|
|
@ -29,8 +29,8 @@ func TestSQLInjectionViaConcatenation(t *testing.T) {
|
||||||
package main
|
package main
|
||||||
import (
|
import (
|
||||||
"database/sql"
|
"database/sql"
|
||||||
|
//_ "github.com/mattn/go-sqlite3"
|
||||||
"os"
|
"os"
|
||||||
_ "github.com/mattn/go-sqlite3"
|
|
||||||
)
|
)
|
||||||
func main(){
|
func main(){
|
||||||
db, err := sql.Open("sqlite3", ":memory:")
|
db, err := sql.Open("sqlite3", ":memory:")
|
||||||
|
@ -59,7 +59,7 @@ func TestSQLInjectionViaIntepolation(t *testing.T) {
|
||||||
"database/sql"
|
"database/sql"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
_ "github.com/mattn/go-sqlite3"
|
//_ "github.com/mattn/go-sqlite3"
|
||||||
)
|
)
|
||||||
func main(){
|
func main(){
|
||||||
db, err := sql.Open("sqlite3", ":memory:")
|
db, err := sql.Open("sqlite3", ":memory:")
|
||||||
|
@ -91,7 +91,7 @@ func TestSQLInjectionFalsePositiveA(t *testing.T) {
|
||||||
"database/sql"
|
"database/sql"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
_ "github.com/mattn/go-sqlite3"
|
//_ "github.com/mattn/go-sqlite3"
|
||||||
)
|
)
|
||||||
|
|
||||||
var staticQuery = "SELECT * FROM foo WHERE age < 32"
|
var staticQuery = "SELECT * FROM foo WHERE age < 32"
|
||||||
|
@ -127,7 +127,7 @@ func TestSQLInjectionFalsePositiveB(t *testing.T) {
|
||||||
"database/sql"
|
"database/sql"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
_ "github.com/mattn/go-sqlite3"
|
//_ "github.com/mattn/go-sqlite3"
|
||||||
)
|
)
|
||||||
|
|
||||||
var staticQuery = "SELECT * FROM foo WHERE age < 32"
|
var staticQuery = "SELECT * FROM foo WHERE age < 32"
|
||||||
|
@ -163,7 +163,7 @@ func TestSQLInjectionFalsePositiveC(t *testing.T) {
|
||||||
"database/sql"
|
"database/sql"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
_ "github.com/mattn/go-sqlite3"
|
//_ "github.com/mattn/go-sqlite3"
|
||||||
)
|
)
|
||||||
|
|
||||||
var staticQuery = "SELECT * FROM foo WHERE age < "
|
var staticQuery = "SELECT * FROM foo WHERE age < "
|
||||||
|
@ -199,7 +199,7 @@ func TestSQLInjectionFalsePositiveD(t *testing.T) {
|
||||||
"database/sql"
|
"database/sql"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
_ "github.com/mattn/go-sqlite3"
|
//_ "github.com/mattn/go-sqlite3"
|
||||||
)
|
)
|
||||||
|
|
||||||
const age = "32"
|
const age = "32"
|
||||||
|
|
|
@ -58,11 +58,12 @@ func TestSubprocessVar(t *testing.T) {
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"log"
|
"log"
|
||||||
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
)
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
run := "sleep" + someFunc()
|
run := "sleep" + os.Getenv("SOMETHING")
|
||||||
cmd := exec.Command(run, "5")
|
cmd := exec.Command(run, "5")
|
||||||
err := cmd.Start()
|
err := cmd.Start()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -112,8 +113,7 @@ func TestSubprocessSyscall(t *testing.T) {
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"log"
|
"syscall"
|
||||||
"os/exec"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
|
|
@ -124,7 +124,7 @@ func TestInsecureCipherSuite(t *testing.T) {
|
||||||
func main() {
|
func main() {
|
||||||
tr := &http.Transport{
|
tr := &http.Transport{
|
||||||
TLSClientConfig: &tls.Config{CipherSuites: []uint16{
|
TLSClientConfig: &tls.Config{CipherSuites: []uint16{
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_DERP,
|
tls.TLS_RSA_WITH_RC4_128_SHA,
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
},},
|
},},
|
||||||
}
|
}
|
||||||
|
@ -136,5 +136,5 @@ func TestInsecureCipherSuite(t *testing.T) {
|
||||||
}
|
}
|
||||||
`, analyzer)
|
`, analyzer)
|
||||||
|
|
||||||
checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_DERP")
|
checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue