fileperms: bitwise permission comparison (#883)

* fileperms: extract existing mode comparison logic * fileperms: add failing test * fileperms: bitwise permission comparison
2024-11-05 11:35:51 +00:00 · 2022-10-19 23:48:40 -07:00 · 2022-10-19 23:48:40 -07:00 · cf63541008
commit cf63541008
parent 1af1d5bb49
2 changed files with 20 additions and 1 deletions
--- a/rules/fileperms.go
+++ b/rules/fileperms.go
@ -50,11 +50,15 @@ func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMod
 	return mode
 }

+func modeIsSubset(subset int64, superset int64) bool {
+	return (subset | superset) == superset
+}
+
 func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
 	for _, pkg := range r.pkgs {
 		if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
 			modeArg := callexpr.Args[len(callexpr.Args)-1]
-			if mode, err := gosec.GetInt(modeArg); err == nil && mode > r.mode {
+			if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) {
 				return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
 			}
 		}
--- a/rules/fileperms_test.go
+++ b/rules/fileperms_test.go
@ -0,0 +1,15 @@
+package rules
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("modeIsSubset", func() {
+	It("it compares modes correctly", func() {
+		Expect(modeIsSubset(0o600, 0o600)).To(BeTrue())
+		Expect(modeIsSubset(0o400, 0o600)).To(BeTrue())
+		Expect(modeIsSubset(0o644, 0o600)).To(BeFalse())
+		Expect(modeIsSubset(0o466, 0o600)).To(BeFalse())
+	})
+})