actions/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2024-12-26 04:25:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #112 from GoASTScanner/bugfix

Browse source 
Report a failure and exit if type checking fails
This commit is contained in:
Grant Murphy 2017-01-13 13:34:33 -08:00 committed by GitHub
commit cc52ef5b26
12 changed files with 78 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
core/analyzer.go
View file

@ -16,6 +16,7 @@
package core package core
import ( import (
"fmt"
"go/ast" "go/ast"
"go/importer" "go/importer"
"go/parser" "go/parser"
@ -123,10 +124,9 @@ func (gas *Analyzer) process(filename string, source interface{}) error {
} }
conf := types.Config{Importer: importer.Default()} conf := types.Config{Importer: importer.Default()}
gas.context.Pkg, _ = conf.Check("pkg", gas.context.FileSet, []*ast.File{root}, gas.context.Info) gas.context.Pkg, err = conf.Check("pkg", gas.context.FileSet, []*ast.File{root}, gas.context.Info)
if err != nil { if err != nil {
gas.logger.Println("failed to check imports") return fmt.Errorf(`Error during type checking: "%s"`, err)
return err
} }
gas.context.Imports = NewImportInfo() gas.context.Imports = NewImportInfo()

8
main.go
View file

@ -176,7 +176,7 @@ func main() {
// Ensure at least one file was specified // Ensure at least one file was specified
if flag.NArg() == 0 { if flag.NArg() == 0 {
fmt.Fprintf(os.Stderr, "\nerror: FILE [FILE...] or './...' expected\n") fmt.Fprintf(os.Stderr, "\nError: FILE [FILE...] or './...' expected\n")
flag.Usage() flag.Usage()
os.Exit(1) os.Exit(1)
} }
@ -195,9 +195,11 @@ func main() {
toAnalyze := getFilesToAnalyze(flag.Args(), excluded) toAnalyze := getFilesToAnalyze(flag.Args(), excluded)
for _, file := range toAnalyze { for _, file := range toAnalyze {
logger.Printf("scanning \"%s\"\n", file) logger.Printf(`Processing "%s"...`, file)
if err := analyzer.Process(file); err != nil { if err := analyzer.Process(file); err != nil {
logger.Fatal(err) logger.Printf(`Failed to process: "%s"`, file)
logger.Println(err)
logger.Fatalf(`Halting execution.`)
} }
} }

6
rules/errors_test.go
View file

@ -32,12 +32,13 @@ func TestErrorsMulti(t *testing.T) {
"fmt" "fmt"
) )
func test() (val int, err error) { func test() (int,error) {
return 0, nil return 0, nil
} }
func main() { func main() {
v, _ := test() v, _ := test()
fmt.Println(v)
}`, analyzer) }`, analyzer)
checkTestResults(t, issues, 1, "Errors unhandled") checkTestResults(t, issues, 1, "Errors unhandled")
@ -130,6 +131,9 @@ func TestErrorsWhitelisted(t *testing.T) {
var b bytes.Buffer var b bytes.Buffer
// Default whitelist // Default whitelist
nbytes, _ := b.Write([]byte("Hello ")) nbytes, _ := b.Write([]byte("Hello "))
if nbytes <= 0 {
os.Exit(1)
}
// Whitelisted via configuration // Whitelisted via configuration
r, _ := zlib.NewReader(&b) r, _ := zlib.NewReader(&b)

4
rules/fileperms_test.go
View file

@ -31,8 +31,8 @@ func TestChmod(t *testing.T) {
func main() { func main() {
os.Chmod("/tmp/somefile", 0777) os.Chmod("/tmp/somefile", 0777)
os.Chmod("/tmp/someotherfile", 0600) os.Chmod("/tmp/someotherfile", 0600)
f := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666) os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
f := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600) os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
}`, analyzer) }`, analyzer)
checkTestResults(t, issues, 2, "Expect file permissions") checkTestResults(t, issues, 2, "Expect file permissions")

5
rules/hardcoded_credentials_test.go
View file

@ -90,7 +90,10 @@ func TestHardcodedConstantMulti(t *testing.T) {
import "fmt" import "fmt"
const username, password = "secret" const (
username = "user"
password = "secret"
)
func main() { func main() {
fmt.Println("Doing something with: ", username, password) fmt.Println("Doing something with: ", username, password)

5
rules/httpoxy_test.go
View file

@ -29,8 +29,11 @@ func TestHttpoxy(t *testing.T) {
package main package main
import ( import (
"net/http/cgi" "net/http/cgi"
"net/http"
) )
func main() {}`, analyzer) func main() {
cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
}`, analyzer)
checkTestResults(t, issues, 1, "Go versions < 1.6.3 are vulnerable to Httpoxy") checkTestResults(t, issues, 1, "Go versions < 1.6.3 are vulnerable to Httpoxy")
} }

20
rules/nosec_test.go
View file

@ -27,13 +27,14 @@ func TestNosec(t *testing.T) {
issues := gasTestRunner( issues := gasTestRunner(
`package main `package main
import ( import (
"fmt" "os"
"os/exec"
) )
func main() { func main() {
cmd := exec.Command("sh", "-c", config.Command) // #nosec cmd := exec.Command("sh", "-c", os.Getenv("BLAH")) // #nosec
cmd.Run()
}`, analyzer) }`, analyzer)
checkTestResults(t, issues, 0, "None") checkTestResults(t, issues, 0, "None")
@ -46,15 +47,16 @@ func TestNosecBlock(t *testing.T) {
issues := gasTestRunner( issues := gasTestRunner(
`package main `package main
import ( import (
"fmt" "os"
"os/exect"
) )
func main() { func main() {
// #nosec // #nosec
if true { if true {
cmd := exec.Command("sh", "-c", config.Command) cmd := exec.Command("sh", "-c", os.Getenv("BLAH"))
cmd.Run()
} }
}`, analyzer) }`, analyzer)
@ -70,11 +72,13 @@ func TestNosecIgnore(t *testing.T) {
`package main `package main
import ( import (
"fmt" "os"
"os/exec"
) )
func main() { func main() {
cmd := exec.Command("sh", "-c", config.Command) // #nosec cmd := exec.Command("sh", "-c", os.Args[1]) // #nosec
cmd.Run()
}`, analyzer) }`, analyzer)
checkTestResults(t, issues, 1, "Subprocess launching with variable.") checkTestResults(t, issues, 1, "Subprocess launching with variable.")

8
rules/rand.go
View file

@ -22,21 +22,23 @@ import (
type WeakRand struct { type WeakRand struct {
gas.MetaData gas.MetaData
funcName string funcNames []string
packagePath string packagePath string
} }
func (w *WeakRand) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) { func (w *WeakRand) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
if _, matched := gas.MatchCallByPackage(n, c, w.packagePath, w.funcName); matched { for _, funcName := range w.funcNames {
if _, matched := gas.MatchCallByPackage(n, c, w.packagePath, funcName); matched {
return gas.NewIssue(c, n, w.What, w.Severity, w.Confidence), nil return gas.NewIssue(c, n, w.What, w.Severity, w.Confidence), nil
} }
}
return nil, nil return nil, nil
} }
func NewWeakRandCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) { func NewWeakRandCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &WeakRand{ return &WeakRand{
funcName: "Read", funcNames: []string{"Read", "Int"},
packagePath: "math/rand", packagePath: "math/rand",
MetaData: gas.MetaData{ MetaData: gas.MetaData{
Severity: gas.High, Severity: gas.High,

19
rules/rand_test.go
View file

@ -27,12 +27,13 @@ func TestRandOk(t *testing.T) {
issues := gasTestRunner( issues := gasTestRunner(
` `
package samples package main
import "crypto/rand" import "crypto/rand"
func main() { func main() {
good, err := rand.Read(nil) good, _ := rand.Read(nil)
println(good)
}`, analyzer) }`, analyzer)
checkTestResults(t, issues, 0, "Not expected to match") checkTestResults(t, issues, 0, "Not expected to match")
@ -45,12 +46,14 @@ func TestRandBad(t *testing.T) {
issues := gasTestRunner( issues := gasTestRunner(
` `
package samples package main
import "math/rand" import "math/rand"
func main() { func main() {
bad, err := rand.Read(nil) bad := rand.Int()
println(bad)
}`, analyzer) }`, analyzer)
checkTestResults(t, issues, 1, "Use of weak random number generator (math/rand instead of crypto/rand)") checkTestResults(t, issues, 1, "Use of weak random number generator (math/rand instead of crypto/rand)")
@ -63,7 +66,7 @@ func TestRandRenamed(t *testing.T) {
issues := gasTestRunner( issues := gasTestRunner(
` `
package samples package main
import ( import (
"crypto/rand" "crypto/rand"
@ -72,8 +75,10 @@ func TestRandRenamed(t *testing.T) {
func main() { func main() {
good, err := rand.Read(nil) good, _ := rand.Read(nil)
i := mrand.Int() println(good)
i := mrand.Int31()
println(i)
}`, analyzer) }`, analyzer)
checkTestResults(t, issues, 0, "Not expected to match") checkTestResults(t, issues, 0, "Not expected to match")

12
rules/sql_test.go
View file

@ -29,8 +29,8 @@ func TestSQLInjectionViaConcatenation(t *testing.T) {
package main package main
import ( import (
"database/sql" "database/sql"
//_ "github.com/mattn/go-sqlite3"
"os" "os"
_ "github.com/mattn/go-sqlite3"
) )
func main(){ func main(){
db, err := sql.Open("sqlite3", ":memory:") db, err := sql.Open("sqlite3", ":memory:")
@ -59,7 +59,7 @@ func TestSQLInjectionViaIntepolation(t *testing.T) {
"database/sql" "database/sql"
"fmt" "fmt"
"os" "os"
_ "github.com/mattn/go-sqlite3" //_ "github.com/mattn/go-sqlite3"
) )
func main(){ func main(){
db, err := sql.Open("sqlite3", ":memory:") db, err := sql.Open("sqlite3", ":memory:")
@ -91,7 +91,7 @@ func TestSQLInjectionFalsePositiveA(t *testing.T) {
"database/sql" "database/sql"
"fmt" "fmt"
"os" "os"
_ "github.com/mattn/go-sqlite3" //_ "github.com/mattn/go-sqlite3"
) )
var staticQuery = "SELECT * FROM foo WHERE age < 32" var staticQuery = "SELECT * FROM foo WHERE age < 32"
@ -127,7 +127,7 @@ func TestSQLInjectionFalsePositiveB(t *testing.T) {
"database/sql" "database/sql"
"fmt" "fmt"
"os" "os"
_ "github.com/mattn/go-sqlite3" //_ "github.com/mattn/go-sqlite3"
) )
var staticQuery = "SELECT * FROM foo WHERE age < 32" var staticQuery = "SELECT * FROM foo WHERE age < 32"
@ -163,7 +163,7 @@ func TestSQLInjectionFalsePositiveC(t *testing.T) {
"database/sql" "database/sql"
"fmt" "fmt"
"os" "os"
_ "github.com/mattn/go-sqlite3" //_ "github.com/mattn/go-sqlite3"
) )
var staticQuery = "SELECT * FROM foo WHERE age < " var staticQuery = "SELECT * FROM foo WHERE age < "
@ -199,7 +199,7 @@ func TestSQLInjectionFalsePositiveD(t *testing.T) {
"database/sql" "database/sql"
"fmt" "fmt"
"os" "os"
_ "github.com/mattn/go-sqlite3" //_ "github.com/mattn/go-sqlite3"
) )
const age = "32" const age = "32"

6
rules/subproc_test.go
View file

@ -58,11 +58,12 @@ func TestSubprocessVar(t *testing.T) {
import ( import (
"log" "log"
"os"
"os/exec" "os/exec"
) )
func main() { func main() {
run := "sleep" + someFunc() run := "sleep" + os.Getenv("SOMETHING")
cmd := exec.Command(run, "5") cmd := exec.Command(run, "5")
err := cmd.Start() err := cmd.Start()
if err != nil { if err != nil {
@ -112,8 +113,7 @@ func TestSubprocessSyscall(t *testing.T) {
package main package main
import ( import (
"log" "syscall"
"os/exec"
) )
func main() { func main() {

4
rules/tls_test.go
View file

@ -124,7 +124,7 @@ func TestInsecureCipherSuite(t *testing.T) {
func main() { func main() {
tr := &http.Transport{ tr := &http.Transport{
TLSClientConfig: &tls.Config{CipherSuites: []uint16{ TLSClientConfig: &tls.Config{CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_DERP, tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
},}, },},
} }
@ -136,5 +136,5 @@ func TestInsecureCipherSuite(t *testing.T) {
} }
`, analyzer) `, analyzer)
checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_DERP") checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
} }