From cee5fad4c3ef72e5bffedd1c57aaafcd69f29ee1 Mon Sep 17 00:00:00 2001
From: Grant Murphy
Date: Sat, 30 Jul 2016 13:29:33 -0700
Subject: [PATCH] Fix incorrect regexp matches

There are some cases where the '.' character would also match any character and could lead to incorrect results. For example the regular expression - `^ioutils.WriteFile$' would match ioutils.WriteFile, but also ioutils_WriteFile. Additionally made sure that all regexp were declared using raw strings to avoid any unnecesary string escaping that potentially make the regexp difficult to read.
---
 rules/bind.go | 2 +-
 rules/fileperms.go | 4 ++--
 rules/hardcoded_credentials.go | 2 +-
 rules/httpoxy.go | 2 +-
 rules/rand.go | 2 +-
 rules/rsa.go | 2 +-
 rules/sql.go | 4 ++--
 rules/tempfiles.go | 4 ++--
 rules/templates.go | 2 +-
 rules/tls.go | 6 +++---
 rules/unsafe.go | 2 +-
 rules/weakcrypto.go | 4 ++--
 12 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/rules/bind.go b/rules/bind.go
index ae0b619..4770608 100644
--- a/rules/bind.go
+++ b/rules/bind.go
@@ -40,7 +40,7 @@ func (r *BindsToAllNetworkInterfaces) Match(n ast.Node, c *gas.Context) (gi *gas
 func NewBindsToAllNetworkInterfaces() (r gas.Rule, n ast.Node) {
 r = &BindsToAllNetworkInterfaces{
- call: regexp.MustCompile(`^net.Listen$`),
+ call: regexp.MustCompile(`^net\.Listen$`),
 pattern: regexp.MustCompile(`^(0.0.0.0|:).*$`),
 MetaData: gas.MetaData{
 Severity: gas.Medium,
diff --git a/rules/fileperms.go b/rules/fileperms.go
index afd1392..1d7bafe 100644
--- a/rules/fileperms.go
+++ b/rules/fileperms.go
@@ -39,7 +39,7 @@ func (r *FilePermissions) Match(n ast.Node, c *gas.Context) (*gas.Issue, error)
 func NewChmodPerms() (r gas.Rule, n ast.Node) {
 mode := 0600
 r = &FilePermissions{
- pattern: regexp.MustCompile(`^os.Chmod$`),
+ pattern: regexp.MustCompile(`^os\.Chmod$`),
 mode: (int64)(mode),
 MetaData: gas.MetaData{
 Severity: gas.Medium,
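Review bot: In the rules/bind.go hunk the neighbouring `pattern` line, `regexp.MustCompile(`^(0.0.0.0|:).*$`)`, still has unescaped dots, so it has exactly the over-matching this commit fixes on the `call` line above it: `0.0.0.0` also matches any four characters separated by arbitrary characters. Escaping them as `^(0\.0\.0\.0|:).*$` makes the address literal and keeps the two patterns in this constructor consistent. NewBindsToAllNetworkInterfaces continues past the end of the hunk, so I cannot see whether the pattern is applied elsewhere with a different expectation.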
@@ -54,7 +54,7 @@ func NewChmodPerms() (r gas.Rule, n ast.Node) {
 func NewMkdirPerms() (r gas.Rule, n ast.Node) {
 mode := 0700
 r = &FilePermissions{
- pattern: regexp.MustCompile(`^(os.Mkdir|os.MkdirAll)$`),
+ pattern: regexp.MustCompile(`^(os\.Mkdir|os\.MkdirAll)$`),
 mode: (int64)(mode),
 MetaData: gas.MetaData{
 Severity: gas.Medium,
diff --git a/rules/hardcoded_credentials.go b/rules/hardcoded_credentials.go
index 83c9f64..eecf85f 100644
--- a/rules/hardcoded_credentials.go
+++ b/rules/hardcoded_credentials.go
@@ -45,7 +45,7 @@ func (r *CredsAssign) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
 func NewHardcodedCredentials() (r gas.Rule, n ast.Node) {
 r = &CredsAssign{
- pattern: regexp.MustCompile("(?i)passwd|pass|password|pwd|secret|token"),
+ pattern: regexp.MustCompile(`(?i)passwd|pass|password|pwd|secret|token`),
 MetaData: gas.MetaData{
 What: "Potential hardcoded credentials",
 Confidence: gas.Low,
diff --git a/rules/httpoxy.go b/rules/httpoxy.go
index badb3b1..1bf8da9 100644
--- a/rules/httpoxy.go
+++ b/rules/httpoxy.go
@@ -43,7 +43,7 @@ func NewHttpoxyTest() (r gas.Rule, n ast.Node) {
 Confidence: gas.Low,
 What: "Go code running under CGI is vulnerable to Httpoxy attack. (CVE-2016-5386)",
 },
- pattern: regexp.MustCompile("^\"net/http/cgi\"$"),
+ pattern: regexp.MustCompile(`^"net/http/cgi"$`),
 }
 n = (*ast.ImportSpec)(nil)
 return
diff --git a/rules/rand.go b/rules/rand.go
index eff2204..95c8b47 100644
--- a/rules/rand.go
+++ b/rules/rand.go
@@ -41,7 +41,7 @@ func (w *WeakRand) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
 func NewWeakRandCheck() (r gas.Rule, n ast.Node) {
 r = &WeakRand{
- pattern: regexp.MustCompile(`^rand.Read$`),
+ pattern: regexp.MustCompile(`^rand\.Read$`),
 packageName: "rand",
 packagePath: "math/rand",
 MetaData: gas.MetaData{
diff --git a/rules/rsa.go b/rules/rsa.go
index 7639f66..d2c640c 100644
--- a/rules/rsa.go
+++ b/rules/rsa.go
@@ -40,7 +40,7 @@ func (w *WeakKeyStrength) Match(n ast.Node, c *gas.Context) (*gas.Issue, error)
 func NewWeakKeyStrength() (r gas.Rule, n ast.Node) {
 bits := 2048
 r = &WeakKeyStrength{
- pattern: regexp.MustCompile(`^rsa.GenerateKey$`),
+ pattern: regexp.MustCompile(`^rsa\.GenerateKey$`),
 bits: bits,
 MetaData: gas.MetaData{
 Severity: gas.Medium,
diff --git a/rules/sql.go b/rules/sql.go
index 2220668..737f4e2 100644
--- a/rules/sql.go
+++ b/rules/sql.go
@@ -59,7 +59,7 @@ func (s *SqlStrConcat) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
 func NewSqlStrConcat() (r gas.Rule, n ast.Node) {
 r = &SqlStrConcat{
 SqlStatement: SqlStatement{
- pattern: regexp.MustCompile("(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
+ pattern: regexp.MustCompile(`(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) `),
 MetaData: gas.MetaData{
 Severity: gas.Medium,
 Confidence: gas.High,
@@ -88,7 +88,7 @@ func (s *SqlStrFormat) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err err
 func NewSqlStrFormat() (r gas.Rule, n ast.Node) {
 r = &SqlStrFormat{
- call: regexp.MustCompile("^fmt.Sprintf$"),
+ call: regexp.MustCompile(`^fmt\.Sprintf$`),
 SqlStatement: SqlStatement{
 pattern: regexp.MustCompile("(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
 MetaData: gas.MetaData{
diff --git a/rules/tempfiles.go b/rules/tempfiles.go
index 0b04a21..c31b556 100644
--- a/rules/tempfiles.go
+++ b/rules/tempfiles.go
@@ -37,8 +37,8 @@ func (t *BadTempFile) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
 func NewBadTempFile() (r gas.Rule, n ast.Node) {
 r = &BadTempFile{
- call: regexp.MustCompile("ioutil.WriteFile|os.Create"),
- args: regexp.MustCompile("^/tmp/.*$|^/var/tmp/.*$"),
+ call: regexp.MustCompile(`ioutil\.WriteFile|os\.Create`),
+ args: regexp.MustCompile(`^/tmp/.*$|^/var/tmp/.*$`),
 MetaData: gas.MetaData{
 Severity: gas.Medium,
 Confidence: gas.High,
diff --git a/rules/templates.go b/rules/templates.go
index eb59cac..5b8a28b 100644
--- a/rules/templates.go
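Review bot: In the rules/sql.go hunk for NewSqlStrConcat, the leading `(?)` in the SQL keyword pattern is an empty flag group, which Go's regexp parser accepts as a no-op, so the match stays case-sensitive and a lowercase `select ... from` concatenation would not be reported; it looks like `(?i)` was intended, the same prefix NewHardcodedCredentials uses in this patch. The identical literal appears on the unchanged context line in the NewSqlStrFormat hunk (`pattern: regexp.MustCompile("(?)(SELECT|...) ")`), which was also left as a double-quoted string although the commit message says all patterns were moved to raw strings. I would change both to `(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) ` as raw strings, keeping the trailing space as the original does. Both constructors continue past their hunks, so I cannot see whether a separate case-folding step exists further down.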
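Review bot: In the rules/tempfiles.go hunk the new `call` pattern `ioutil\.WriteFile|os\.Create` is unanchored, unlike every other call matcher touched by this patch (`^os\.Chmod$`, `^fmt\.Sprintf$`, `^template\.(HTML|JS|URL)$`), so assuming it is matched against the full selector text as the anchored patterns suggest, it would also fire on any qualified name that merely contains those substrings. Anchoring it as `^(ioutil\.WriteFile|os\.Create)$` keeps the rule consistent with the others. NewBadTempFile continues outside the hunk.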
+++ b/rules/templates.go
@@ -38,7 +38,7 @@ func (t *TemplateCheck) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err er
 func NewTemplateCheck() (r gas.Rule, n ast.Node) {
 r = &TemplateCheck{
- call: regexp.MustCompile("^template.(HTML|JS|URL)$"),
+ call: regexp.MustCompile(`^template\.(HTML|JS|URL)$`),
 MetaData: gas.MetaData{
 Severity: gas.Medium,
 Confidence: gas.Low,
diff --git a/rules/tls.go b/rules/tls.go
index 3faafd9..3d8b521 100644
--- a/rules/tls.go
+++ b/rules/tls.go
@@ -112,7 +112,7 @@ func (t *InsecureConfigTLS) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, er
 func NewModernTlsCheck() (r gas.Rule, n ast.Node) {
 // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
 r = &InsecureConfigTLS{
- pattern: regexp.MustCompile("^tls.Config$"),
+ pattern: regexp.MustCompile(`^tls\.Config$`),
 MinVersion: 0x0303, // TLS 1.2 only
 MaxVersion: 0x0303,
 goodCiphers: []string{
@@ -129,7 +129,7 @@ func NewModernTlsCheck() (r gas.Rule, n ast.Node) {
 func NewIntermediateTlsCheck() (r gas.Rule, n ast.Node) {
 // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
 r = &InsecureConfigTLS{
- pattern: regexp.MustCompile("^tls.Config$"),
+ pattern: regexp.MustCompile(`^tls\.Config$`),
 MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
 MaxVersion: 0x0303,
 goodCiphers: []string{
@@ -157,7 +157,7 @@ func NewIntermediateTlsCheck() (r gas.Rule, n ast.Node) {
 func NewCompatTlsCheck() (r gas.Rule, n ast.Node) {
 // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_compatibility_.28default.29
 r = &InsecureConfigTLS{
- pattern: regexp.MustCompile("^tls.Config$"),
+ pattern: regexp.MustCompile(`^tls\.Config$`),
 MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
 MaxVersion: 0x0303,
 goodCiphers: []string{
diff --git a/rules/unsafe.go b/rules/unsafe.go
index bf0313c..186db9c 100644
--- a/rules/unsafe.go
+++ b/rules/unsafe.go
@@ -34,7 +34,7 @@ func (r *UsingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
 func NewUsingUnsafe() (r gas.Rule, n ast.Node) {
 r = &UsingUnsafe{
- pattern: regexp.MustCompile("unsafe.*"),
+ pattern: regexp.MustCompile(`unsafe.*`),
 MetaData: gas.MetaData{
 What: "Use of unsafe calls should be audited",
 Severity: gas.Low,
diff --git a/rules/weakcrypto.go b/rules/weakcrypto.go
index 59886b2..c5db192 100644
--- a/rules/weakcrypto.go
+++ b/rules/weakcrypto.go
@@ -40,7 +40,7 @@ func (r *ImportsWeakCryptography) Match(n ast.Node, c *gas.Context) (gi *gas.Iss
 // Imports crypto/md5, crypto/des crypto/rc4
 func NewImportsWeakCryptography() (r gas.Rule, n ast.Node) {
 r = &ImportsWeakCryptography{
- pattern: regexp.MustCompile("crypto/md5|crypto/des|crypto/rc4"),
+ pattern: regexp.MustCompile(`crypto/md5|crypto/des|crypto/rc4`),
 MetaData: gas.MetaData{
 Severity: gas.Medium,
 Confidence: gas.High,
@@ -66,7 +66,7 @@ func (r *UsesWeakCryptography) Match(n ast.Node, c *gas.Context) (*gas.Issue, er
 // Uses des.* md5.* or rc4.*
 func NewUsesWeakCryptography() (r gas.Rule, n ast.Node) {
 r = &UsesWeakCryptography{
- pattern: regexp.MustCompile("des.NewCipher|des.NewTripleDESCipher|md5.New|md5.Sum|rc4.NewCipher"),
+ pattern: regexp.MustCompile(`des\.NewCipher|des\.NewTripleDESCipher|md5\.New|md5\.Sum|rc4\.NewCipher`),
 MetaData: gas.MetaData{
 Severity: gas.Medium,
 Confidence: gas.High,
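Review bot: In the rules/unsafe.go hunk the pattern `unsafe.*` was only converted to a raw string, but its `.` is still the regexp wildcard, so `.*` means "followed by anything" and the unanchored expression also matches identifiers such as `unsafeBuf` or `isUnsafeMode`, not just members of the `unsafe` package — the same class of mismatch this commit's message describes. If the intent is the package qualifier (`unsafe.Pointer` and friends), `^unsafe\.` expresses that and avoids the false positives; if a substring match on "unsafe" is deliberate, a short comment on that line saying so would stop the next reader from "fixing" it. NewUsingUnsafe continues past the hunk, so I cannot see what text the pattern is applied to.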