From d3c3cd641921d6da8199acd1c662a578e751d9d6 Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Tue, 6 Feb 2018 16:56:26 +0100
Subject: [PATCH] Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
---
 rules/rulelist.go | 1 +
 rules/rules_test.go | 4 ++++
 rules/ssh.go | 47 +++++++++++++++++++++++++++++++++++++++++++++
 testutils/source.go | 9 +++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 rules/ssh.go
diff --git a/rules/rulelist.go b/rules/rulelist.go
index 833b742..6cc3ee6 100644
--- a/rules/rulelist.go
+++ b/rules/rulelist.go
@@ -65,6 +65,7 @@ func Generate(filters ...RuleFilter) RuleList {
 "G103": RuleDefinition{"Audit the use of unsafe block", NewUsingUnsafe},
 "G104": RuleDefinition{"Audit errors not checked", NewNoErrorCheck},
 "G105": RuleDefinition{"Audit the use of big.Exp function", NewUsingBigExp},
+ "G106": RuleDefinition{"Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
 
 // injection
 "G201": RuleDefinition{"SQL query construction using format string", NewSQLStrFormat},
diff --git a/rules/rules_test.go b/rules/rules_test.go
index c42902f..a7dca95 100644
--- a/rules/rules_test.go
+++ b/rules/rules_test.go
@@ -65,6 +65,10 @@ var _ = Describe("gas rules", func() {
 runner("G105", testutils.SampleCodeG105)
 })
 
+ It("should detect of ssh.InsecureIgnoreHostKey function", func() {
+ runner("G106", testutils.SampleCodeG106)
+ })
+
 It("should detect sql injection via format strings", func() {
 runner("G201", testutils.SampleCodeG201)
 })
diff --git a/rules/ssh.go b/rules/ssh.go
new file mode 100644
index 0000000..857ac46
--- /dev/null
+++ b/rules/ssh.go
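Review bot: The description of the new spec in rules_test.go reads as a typo — `It("should detect of ssh.InsecureIgnoreHostKey function", ...)` — while the neighbouring specs name what is detected; `It("should detect the use of ssh.InsecureIgnoreHostKey function", func() {` would match them and the G106 description in rulelist.go. This is wording only; the runner call is fine. The enclosing Describe block starts and ends outside the hunk.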
@@ -0,0 +1,47 @@
+// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+ "go/ast"
+
+ "github.com/GoASTScanner/gas"
+)
+
+type sshHostKey struct {
+ gas.MetaData
+ pkg string
+ calls []string
+}
+
+func (r *sshHostKey) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
+ if _, matches := gas.MatchCallByPackage(n, c, r.pkg, r.calls...); matches {
+ return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
+ }
+ return nil, nil
+}
+
+// NewSSHHostKey rule detects the use of insecure ssh HostKeyCallback.
+func NewSSHHostKey(conf gas.Config) (gas.Rule, []ast.Node) {
+ return &sshHostKey{
+ pkg: "golang.org/x/crypto/ssh",
+ calls: []string{"InsecureIgnoreHostKey"},
+ MetaData: gas.MetaData{
+ What: "Use of ssh InsecureIgnoreHostKey should be audited",
+ Severity: gas.Medium,
+ Confidence: gas.High,
+ },
+ }, []ast.Node{(*ast.CallExpr)(nil)}
+}
diff --git a/testutils/source.go b/testutils/source.go
index f606e4a..6338763 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -183,6 +183,15 @@ func main() {
 z = z.Exp(x, y, m)
 }`, 1}}
 
+ // SampleCodeG106 - ssh InsecureIgnoreHostKey
+ SampleCodeG106 = []CodeSample{{`
+package main
+import (
+ "golang.org/x/crypto/ssh"
+)
+func main() {
+ _ := ssh.InsecureIgnoreHostKey()
+}`, 1}}
 // SampleCodeG201 - SQL injection via format string
 SampleCodeG201 = []CodeSample{
 {`
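Review bot: The doc comment on `NewSSHHostKey` in rules/ssh.go says the rule detects "the use of insecure ssh HostKeyCallback" but neither names what is actually matched nor why it matters, which is what a reader triaging a G106 finding needs. I would replace it with a comment along the lines of: `// NewSSHHostKey rule detects calls to InsecureIgnoreHostKey in golang.org/x/crypto/ssh. That callback accepts any server host key, so a client configured with it cannot detect a substituted server; each use should be reviewed for a proper host key check.` It is also worth a second sentence noting the rule's scope, since `Match` only fires on calls resolved to that package path via `MatchCallByPackage`: a custom callback that returns nil, or the same function reached through another package path, is not flagged, so no finding does not mean host keys are verified. Separately, the named results `(gi *gas.Issue, err error)` on `Match` are never assigned; `(*gas.Issue, error)` would be cleaner, though other rules in the project may share the named form.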
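Review bot: The new SampleCodeG106 in testutils/source.go is not valid Go: `_ := ssh.InsecureIgnoreHostKey()` fails with "no new variables on left side of :=", and the sample only passes because the rule matches on the AST without type-checking, so the fixture does not demonstrate a compilable usage. Use `_ = ssh.InsecureIgnoreHostKey()`, or the realistic form of assigning the result to the HostKeyCallback field of an ssh.ClientConfig, which is what the rule's doc comment refers to. Since CodeSample carries an expected count, adding a second sample that calls a different ssh function with an expected count of 0 would also guard against the rule firing on unrelated calls. The surrounding var block starts and ends outside the hunk.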