From e7b3ae9c541f8a7020631e36fb991f262b7f27fe Mon Sep 17 00:00:00 2001 From: Martin Vrachev Date: Tue, 17 Sep 2019 13:22:43 +0300 Subject: [PATCH] Clarify and add new unit tests for rule G107 (#376) The existing unit tests for G107 didn't have any comments why a certain code is problematic. Other than that we need more unit tests for rule G107 for the different scenarios. Signed-off-by: Martin Vrachev --- testutils/source.go | 48 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/testutils/source.go b/testutils/source.go index 0b12d5e..964f8ca 100644 --- a/testutils/source.go +++ b/testutils/source.go @@ -317,6 +317,7 @@ func main() { // SampleCodeG107 - SSRF via http requests with variable url SampleCodeG107 = []CodeSample{{[]string{` +// Input from the std in is considered insecure package main import ( "net/http" @@ -342,6 +343,53 @@ func main() { } fmt.Printf("%s", body) }`}, 1, gosec.NewConfig()}, {[]string{` +// A variable value can easily be changed no matter +// if it's a global or a local one +package main + +import ( + "fmt" + "io/ioutil" + "net/http" +) + +var url string = "https://www.google.com" + +func main() { + + resp, err := http.Get(url) + if err != nil { + panic(err) + } + defer resp.Body.Close() + body, err := ioutil.ReadAll(resp.Body) + if err != nil { + panic(err) + } + fmt.Printf("%s", body) +}`}, 1, gosec.NewConfig()}, {[]string{` +// Environmental variables are not considered as secure source +package main +import ( + "net/http" + "io/ioutil" + "fmt" + "os" +) +func main() { + url := os.Getenv("tainted_url") + resp, err := http.Get(url) + if err != nil { + panic(err) + } + defer resp.Body.Close() + body, err := ioutil.ReadAll(resp.Body) + if err != nil { + panic(err) + } + fmt.Printf("%s", body) +}`}, 1, gosec.NewConfig()}, {[]string{` +// Constant variables or harcoded strings are secure package main import (