Fix test cases with invalid sample code

This commit is contained in:
Grant Murphy 2017-01-13 12:40:49 -08:00
parent d3f0a08f0d
commit ab4867bc76
9 changed files with 60 additions and 41 deletions

View file

@ -32,12 +32,13 @@ func TestErrorsMulti(t *testing.T) {
"fmt"
)
func test() (val int, err error) {
func test() (int,error) {
return 0, nil
}
func main() {
v, _ := test()
fmt.Println(v)
}`, analyzer)
checkTestResults(t, issues, 1, "Errors unhandled")
@ -130,6 +131,9 @@ func TestErrorsWhitelisted(t *testing.T) {
var b bytes.Buffer
// Default whitelist
nbytes, _ := b.Write([]byte("Hello "))
if nbytes <= 0 {
os.Exit(1)
}
// Whitelisted via configuration
r, _ := zlib.NewReader(&b)

View file

@ -31,8 +31,8 @@ func TestChmod(t *testing.T) {
func main() {
os.Chmod("/tmp/somefile", 0777)
os.Chmod("/tmp/someotherfile", 0600)
f := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
f := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
}`, analyzer)
checkTestResults(t, issues, 2, "Expect file permissions")

View file

@ -90,7 +90,10 @@ func TestHardcodedConstantMulti(t *testing.T) {
import "fmt"
const username, password = "secret"
const (
username = "user"
password = "secret"
)
func main() {
fmt.Println("Doing something with: ", username, password)

View file

@ -29,8 +29,11 @@ func TestHttpoxy(t *testing.T) {
package main
import (
"net/http/cgi"
"net/http"
)
func main() {}`, analyzer)
func main() {
cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
}`, analyzer)
checkTestResults(t, issues, 1, "Go versions < 1.6.3 are vulnerable to Httpoxy")
}

View file

@ -27,13 +27,14 @@ func TestNosec(t *testing.T) {
issues := gasTestRunner(
`package main
import (
"fmt"
"os"
"os/exec"
)
func main() {
cmd := exec.Command("sh", "-c", config.Command) // #nosec
cmd := exec.Command("sh", "-c", os.Getenv("BLAH")) // #nosec
cmd.Run()
}`, analyzer)
checkTestResults(t, issues, 0, "None")
@ -46,15 +47,16 @@ func TestNosecBlock(t *testing.T) {
issues := gasTestRunner(
`package main
import (
"fmt"
"os"
"os/exect"
)
func main() {
// #nosec
if true {
cmd := exec.Command("sh", "-c", config.Command)
cmd := exec.Command("sh", "-c", os.Getenv("BLAH"))
cmd.Run()
}
}`, analyzer)
@ -70,11 +72,13 @@ func TestNosecIgnore(t *testing.T) {
`package main
import (
"fmt"
"os"
"os/exec"
)
func main() {
cmd := exec.Command("sh", "-c", config.Command) // #nosec
cmd := exec.Command("sh", "-c", os.Args[1]) // #nosec
cmd.Run()
}`, analyzer)
checkTestResults(t, issues, 1, "Subprocess launching with variable.")

View file

@ -32,7 +32,8 @@ func TestRandOk(t *testing.T) {
import "crypto/rand"
func main() {
good, err := rand.Read(nil)
good, _ := rand.Read(nil)
println(good)
}`, analyzer)
checkTestResults(t, issues, 0, "Not expected to match")
@ -50,7 +51,9 @@ func TestRandBad(t *testing.T) {
import "math/rand"
func main() {
bad, err := rand.Read(nil)
bad, _ := rand.Read(nil)
println(bad)
}`, analyzer)
checkTestResults(t, issues, 1, "Use of weak random number generator (math/rand instead of crypto/rand)")
@ -72,8 +75,10 @@ func TestRandRenamed(t *testing.T) {
func main() {
good, err := rand.Read(nil)
good, _ := rand.Read(nil)
println(good)
i := mrand.Int()
println(i)
}`, analyzer)
checkTestResults(t, issues, 0, "Not expected to match")

View file

@ -29,8 +29,8 @@ func TestSQLInjectionViaConcatenation(t *testing.T) {
package main
import (
"database/sql"
//_ "github.com/mattn/go-sqlite3"
"os"
_ "github.com/mattn/go-sqlite3"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
@ -59,7 +59,7 @@ func TestSQLInjectionViaIntepolation(t *testing.T) {
"database/sql"
"fmt"
"os"
_ "github.com/mattn/go-sqlite3"
//_ "github.com/mattn/go-sqlite3"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
@ -91,7 +91,7 @@ func TestSQLInjectionFalsePositiveA(t *testing.T) {
"database/sql"
"fmt"
"os"
_ "github.com/mattn/go-sqlite3"
//_ "github.com/mattn/go-sqlite3"
)
var staticQuery = "SELECT * FROM foo WHERE age < 32"
@ -127,7 +127,7 @@ func TestSQLInjectionFalsePositiveB(t *testing.T) {
"database/sql"
"fmt"
"os"
_ "github.com/mattn/go-sqlite3"
//_ "github.com/mattn/go-sqlite3"
)
var staticQuery = "SELECT * FROM foo WHERE age < 32"
@ -163,7 +163,7 @@ func TestSQLInjectionFalsePositiveC(t *testing.T) {
"database/sql"
"fmt"
"os"
_ "github.com/mattn/go-sqlite3"
//_ "github.com/mattn/go-sqlite3"
)
var staticQuery = "SELECT * FROM foo WHERE age < "
@ -199,7 +199,7 @@ func TestSQLInjectionFalsePositiveD(t *testing.T) {
"database/sql"
"fmt"
"os"
_ "github.com/mattn/go-sqlite3"
//_ "github.com/mattn/go-sqlite3"
)
const age = "32"

View file

@ -58,11 +58,12 @@ func TestSubprocessVar(t *testing.T) {
import (
"log"
"os"
"os/exec"
)
func main() {
run := "sleep" + someFunc()
run := "sleep" + os.Getenv("SOMETHING")
cmd := exec.Command(run, "5")
err := cmd.Start()
if err != nil {
@ -112,8 +113,7 @@ func TestSubprocessSyscall(t *testing.T) {
package main
import (
"log"
"os/exec"
"syscall"
)
func main() {

View file

@ -124,7 +124,7 @@ func TestInsecureCipherSuite(t *testing.T) {
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_DERP,
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
},},
}
@ -136,5 +136,5 @@ func TestInsecureCipherSuite(t *testing.T) {
}
`, analyzer)
checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_DERP")
checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
}