From cf63541008c411ba0b4b182bb2b1c058290d6ddb Mon Sep 17 00:00:00 2001
From: pro-wh
Date: Wed, 19 Oct 2022 23:48:40 -0700
Subject: [PATCH] fileperms: bitwise permission comparison (#883)

* fileperms: extract existing mode comparison logic
* fileperms: add failing test
* fileperms: bitwise permission comparison
---
 rules/fileperms.go | 6 +++++-
 rules/fileperms_test.go | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 rules/fileperms_test.go

diff --git a/rules/fileperms.go b/rules/fileperms.go
index a379a8c..e89b563 100644
--- a/rules/fileperms.go
+++ b/rules/fileperms.go
@@ -50,11 +50,15 @@ func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMod
 return mode
 }
 
+func modeIsSubset(subset int64, superset int64) bool {
+ return (subset | superset) == superset
+}
+
 func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
 for _, pkg := range r.pkgs {
 if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
 modeArg := callexpr.Args[len(callexpr.Args)-1]
- if mode, err := gosec.GetInt(modeArg); err == nil && mode > r.mode {
+ if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) {
 return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
 }
 }
diff --git a/rules/fileperms_test.go b/rules/fileperms_test.go
new file mode 100644
index 0000000..cd49e75
--- /dev/null
+++ b/rules/fileperms_test.go
@@ -0,0 +1,15 @@
+package rules
+
+import (
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+)
+
+var _ = Describe("modeIsSubset", func() {
+ It("it compares modes correctly", func() {
+ Expect(modeIsSubset(0o600, 0o600)).To(BeTrue())
+ Expect(modeIsSubset(0o400, 0o600)).To(BeTrue())
+ Expect(modeIsSubset(0o644, 0o600)).To(BeFalse())
+ Expect(modeIsSubset(0o466, 0o600)).To(BeFalse())
+ })
+})
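Review bot: `modeIsSubset` on the new side is undocumented, and a reader needs to know that it tests every bit of the int64 rather than only the 0o777 permission bits, since `(subset | superset) == superset` also rejects a literal carrying setuid/setgid/sticky bits against a plain 0o600 ceiling (the stricter outcome a permissions rule wants). Add above the function `// modeIsSubset reports whether every bit set in subset is also set in superset.` followed by `// For file modes this means the call-site mode grants nothing beyond the configured ceiling; all bits count, so 0o4600 is not a subset of 0o600.` With that, the changed condition in Match reads as "flag unless the literal is within the ceiling"; note that an argument GetInt cannot evaluate (presumably a non-literal mode) still passes silently, as it did before this change. Match's body continues past the end of the hunk.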
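Review bot: The four cases in the new spec don't exercise bits outside the 0o777 range or the zero/boundary ends, which are exactly the inputs where the old numeric `>` comparison and the new bitwise check disagree; add `Expect(modeIsSubset(0o4600, 0o600)).To(BeFalse())` (setuid bit not in the ceiling), `Expect(modeIsSubset(0, 0o600)).To(BeTrue())` and `Expect(modeIsSubset(0o601, 0o644)).To(BeFalse())` (numerically smaller than the ceiling yet not a subset). The description string `"it compares modes correctly"` renders as "It it compares…" in Ginkgo output; `"treats a mode as a subset only when it sets no bit outside the ceiling"` states the contract instead. Because the file is in package `rules` rather than `rules_test`, its `Describe` only executes if a `RunSpecs` entry point exists elsewhere in the package's test binary — presumably the existing suite file, which this patch does not show.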