From aecbc873ef6fb473c2d6b84cd96682756b118fc4 Mon Sep 17 00:00:00 2001
From: Grant Murphy
Date: Fri, 5 Jan 2018 23:05:53 +1000
Subject: [PATCH] Use explicit packages in call lists

By allowing partial matches of selectors there are chances of collisions such as those in issue #145, this removes it to expect explicit packages for each rule.

Closes #145
---
 call_list.go | 16 ++++++++++------
 call_list_test.go | 2 +-
 rules/bind.go | 2 +-
 rules/rsa.go | 2 +-
 rules/subproc.go | 2 +-
 rules/tempfiles.go | 2 +-
 rules/templates.go | 8 ++++----
 7 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/call_list.go b/call_list.go
index b0e9855..e277950 100644
--- a/call_list.go
+++ b/call_list.go
@@ -61,14 +61,18 @@ func (c CallList) ContainsCallExpr(n ast.Node, ctx *Context) *ast.CallExpr {
 		return nil
 	}
 
-	// Try direct resolution
-	if c.Contains(selector, ident) {
-		return n.(*ast.CallExpr)
-	}
-
-	// Also support explicit path
+	// Use only explicit path to reduce conflicts
 	if path, ok := GetImportPath(selector, ctx); ok && c.Contains(path, ident) {
 		return n.(*ast.CallExpr)
 	}
+
+	/*
+	// Try direct resolution
+	if c.Contains(selector, ident) {
+		log.Printf("c.Contains == true, %s, %s.", selector, ident)
+		return n.(*ast.CallExpr)
+	}
+	*/
+
 	return nil
 }
diff --git a/call_list_test.go b/call_list_test.go
index a2ce2b9..f949cfd 100644
--- a/call_list_test.go
+++ b/call_list_test.go
@@ -66,7 +66,7 @@ var _ = Describe("call list", func() {
 		ctx := pkg.CreateContext("md5.go")
 
 		// Search for md5.New()
-		calls.Add("md5", "New")
+		calls.Add("crypto/md5", "New")
 
 		// Stub out visitor and count number of matched call expr
 		matched := 0
diff --git a/rules/bind.go b/rules/bind.go
index fac0568..62518eb 100644
--- a/rules/bind.go
+++ b/rules/bind.go
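Review bot: The `/* … */` block appended before the final `return nil` in ContainsCallExpr keeps dead code, including a debug `log.Printf`, in a comment; delete it rather than preserve it, since the commit message already records why direct resolution was dropped and a commented-out log call in a matcher invites being uncommented later. With the bare-selector match gone, the method only reports a call when `GetImportPath` resolves the selector to an import path present in the list, so every rule entry must now be a full path; a doc comment should state that contract, e.g. `// ContainsCallExpr returns n as a call expression only when its selector resolves, via the file's imports, to an import path registered in c; bare package names such as "md5" no longer match.` Any rule outside this commit that still registers a bare multi-segment name would presumably stop matching silently, so it is worth checking the rules package for `Add("` entries lacking a `/` (single-segment paths such as `os`, `net` and `syscall` are their own import path and remain fine). Whether `GetImportPath` handles aliased or dot imports cannot be confirmed from this hunk.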
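Review bot: The test is moved to the new path form, but nothing covers the collision from #145 that motivated the change: registering the bare name `calls.Add("md5", "New")` should now match zero call expressions in `md5.go`, and no assertion pins that. A second case that registers the bare name against the same fixture and expects `matched` to remain 0 would lock in the behaviour this commit introduces and flag a regression if direct resolution is ever reinstated. The enclosing Describe block begins and ends outside the hunk.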
@@ -46,7 +46,7 @@ func (r *bindsToAllNetworkInterfaces) Match(n ast.Node, c *gas.Context) (*gas.Is
 func NewBindsToAllNetworkInterfaces(conf gas.Config) (gas.Rule, []ast.Node) {
 	calls := gas.NewCallList()
 	calls.Add("net", "Listen")
-	calls.Add("tls", "Listen")
+	calls.Add("crypto/tls", "Listen")
 	return &bindsToAllNetworkInterfaces{
 		calls: calls,
 		pattern: regexp.MustCompile(`^(0.0.0.0|:).*$`),
diff --git a/rules/rsa.go b/rules/rsa.go
index 02e9d91..1394da4 100644
--- a/rules/rsa.go
+++ b/rules/rsa.go
@@ -39,7 +39,7 @@ func (w *weakKeyStrength) Match(n ast.Node, c *gas.Context) (*gas.Issue, error)
 // NewWeakKeyStrength builds a rule that detects RSA keys < 2048 bits
 func NewWeakKeyStrength(conf gas.Config) (gas.Rule, []ast.Node) {
 	calls := gas.NewCallList()
-	calls.Add("rsa", "GenerateKey")
+	calls.Add("crypto/rsa", "GenerateKey")
 	bits := 2048
 	return &weakKeyStrength{
 		calls: calls,
diff --git a/rules/subproc.go b/rules/subproc.go
index b6b0ea0..4ddd8bd 100644
--- a/rules/subproc.go
+++ b/rules/subproc.go
@@ -52,7 +52,7 @@ func (r *subprocess) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
 // NewSubproc detects cases where we are forking out to an external process
 func NewSubproc(conf gas.Config) (gas.Rule, []ast.Node) {
 	rule := &subprocess{gas.NewCallList()}
-	rule.Add("exec", "Command")
+	rule.Add("os/exec", "Command")
 	rule.Add("syscall", "Exec")
 	return rule, []ast.Node{(*ast.CallExpr)(nil)}
 }
diff --git a/rules/tempfiles.go b/rules/tempfiles.go
index 335ef0d..9af500d 100644
--- a/rules/tempfiles.go
+++ b/rules/tempfiles.go
@@ -39,7 +39,7 @@ func (t *badTempFile) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
 // NewBadTempFile detects direct writes to predictable path in temporary directory
 func NewBadTempFile(conf gas.Config) (gas.Rule, []ast.Node) {
 	calls := gas.NewCallList()
-	calls.Add("ioutil", "WriteFile")
+	calls.Add("io/ioutil", "WriteFile")
 	calls.Add("os", "Create")
 	return &badTempFile{
 		calls: calls,
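Review bot: The call list in NewBindsToAllNetworkInterfaces still covers only `net.Listen` and `tls.Listen`, so a UDP or raw socket bound to every interface via `net.ListenPacket(network, address string)` passes the rule unnoticed even though the address argument has the same shape the regexp on the next line inspects. Adding `calls.Add("net", "ListenPacket")` next to the existing entries would close that gap without touching Match, assuming Match reads the address from the same argument position; Match itself lies outside the hunk, so that should be confirmed.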
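Review bot: NewSubproc registers `os/exec.Command` and `syscall.Exec` only, so the equally common `exec.CommandContext` (available since Go 1.7) and `os.StartProcess` spawn a process through the same path yet are never reported; two more entries, `rule.Add("os/exec", "CommandContext")` and `rule.Add("os", "StartProcess")`, would make coverage consistent with what the comment above the function promises. Whether Match handles the extra leading context argument of CommandContext when it inspects the command string cannot be seen here, since Match is outside the hunk.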
diff --git a/rules/templates.go b/rules/templates.go
index eae3503..4c09ad9 100644
--- a/rules/templates.go
+++ b/rules/templates.go
@@ -41,10 +41,10 @@ func (t *templateCheck) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
 
 func NewTemplateCheck(conf gas.Config) (gas.Rule, []ast.Node) {
 	calls := gas.NewCallList()
-	calls.Add("template", "HTML")
-	calls.Add("template", "HTMLAttr")
-	calls.Add("template", "JS")
-	calls.Add("template", "URL")
+	calls.Add("html/template", "HTML")
+	calls.Add("html/template", "HTMLAttr")
+	calls.Add("html/template", "JS")
+	calls.Add("html/template", "URL")
 	return &templateCheck{
 		calls: calls,
 		MetaData: gas.MetaData{
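Review bot: The four entries in NewTemplateCheck now correctly target `html/template`, but the list omits `template.CSS` and `template.JSStr`, which are the same kind of trusted-content conversion and bypass contextual escaping exactly like `HTML`, `JS` and `URL` do. Adding `calls.Add("html/template", "CSS")` and `calls.Add("html/template", "JSStr")` keeps the rule's coverage consistent across the package's typed-string constructors. The struct literal that starts at the end of the hunk continues outside it.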