Merge pull request #227 from ccojocar/sha1
Add sha1 to weak crypto primitives
f06a84ebaa
6 changed files with 59 additions and 2 deletions
@ -50,7 +50,7 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
||||||
- G303: Creating tempfile using a predictable path
|
- G303: Creating tempfile using a predictable path
|
||||||
- G304: File path provided as taint input
|
- G304: File path provided as taint input
|
||||||
- G305: File traversal when extracting zip archive
|
- G305: File traversal when extracting zip archive
|
||||||
- G401: Detect the usage of DES, RC4, or MD5
|
- G401: Detect the usage of DES, RC4, MD5 or SHA1
|
||||||
- G402: Look for bad TLS connection settings
|
- G402: Look for bad TLS connection settings
|
||||||
- G403: Ensure minimum RSA key length of 2048 bits
|
- G403: Ensure minimum RSA key length of 2048 bits
|
||||||
- G404: Insecure random number source (rand)
|
- G404: Insecure random number source (rand)
|
||||||
|
@ -58,6 +58,7 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
||||||
- G502: Import blacklist: crypto/des
|
- G502: Import blacklist: crypto/des
|
||||||
- G503: Import blacklist: crypto/rc4
|
- G503: Import blacklist: crypto/rc4
|
||||||
- G504: Import blacklist: net/http/cgi
|
- G504: Import blacklist: net/http/cgi
|
||||||
|
- G505: Import blacklist: crypto/sha1
|
||||||
|
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
|
@ -85,3 +85,10 @@ func NewBlacklistedImportCGI(id string, conf gosec.Config) (gosec.Rule, []ast.No
|
||||||
"net/http/cgi": "Blacklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)",
|
"net/http/cgi": "Blacklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)",
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewBlacklistedImportSHA1 fails if SHA1 is imported
|
||||||
|
func NewBlacklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
|
return NewBlacklistedImports(id, conf, map[string]string{
|
||||||
|
"crypto/sha1": "Blacklisted import crypto/sha1: weak cryptographic primitive",
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
|
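Review bot: The new rule overlaps with G401, which this same change extends to flag `sha1.New` and `sha1.Sum` call sites, so a file that imports crypto/sha1 and uses it is reported twice under different IDs; that is worth stating in the doc comment so users know which one to exclude. Suggested: `// NewBlacklistedImportSHA1 fails if SHA1 is imported; G401 separately reports the sha1.New/sha1.Sum call sites.` The message could also name the recommended replacement, in the way the CGI entry above names its CVE, e.g. `"crypto/sha1": "Blacklisted import crypto/sha1: weak cryptographic primitive, use crypto/sha256 or stronger"`. The surrounding import-blacklist table starts outside the hunk.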
@ -80,7 +80,7 @@ func Generate(filters ...RuleFilter) RuleList {
|
||||||
{"G305", "File path traversal when extracting zip archive", NewArchive},
|
{"G305", "File path traversal when extracting zip archive", NewArchive},
|
||||||
|
|
||||||
// crypto
|
// crypto
|
||||||
{"G401", "Detect the usage of DES, RC4, or MD5", NewUsesWeakCryptography},
|
{"G401", "Detect the usage of DES, RC4, MD5 or SHA1", NewUsesWeakCryptography},
|
||||||
{"G402", "Look for bad TLS connection settings", NewIntermediateTLSCheck},
|
{"G402", "Look for bad TLS connection settings", NewIntermediateTLSCheck},
|
||||||
{"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength},
|
{"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength},
|
||||||
{"G404", "Insecure random number source (rand)", NewWeakRandCheck},
|
{"G404", "Insecure random number source (rand)", NewWeakRandCheck},
|
||||||
|
@ -90,6 +90,7 @@ func Generate(filters ...RuleFilter) RuleList {
|
||||||
{"G502", "Import blacklist: crypto/des", NewBlacklistedImportDES},
|
{"G502", "Import blacklist: crypto/des", NewBlacklistedImportDES},
|
||||||
{"G503", "Import blacklist: crypto/rc4", NewBlacklistedImportRC4},
|
{"G503", "Import blacklist: crypto/rc4", NewBlacklistedImportRC4},
|
||||||
{"G504", "Import blacklist: net/http/cgi", NewBlacklistedImportCGI},
|
{"G504", "Import blacklist: net/http/cgi", NewBlacklistedImportCGI},
|
||||||
|
{"G505", "Import blacklist: crypto/sha1", NewBlacklistedImportSHA1},
|
||||||
}
|
}
|
||||||
|
|
||||||
ruleMap := make(map[string]RuleDefinition)
|
ruleMap := make(map[string]RuleDefinition)
|
||||||
|
|
|
@ -6,6 +6,7 @@ import (
|
||||||
|
|
||||||
. "github.com/onsi/ginkgo"
|
. "github.com/onsi/ginkgo"
|
||||||
. "github.com/onsi/gomega"
|
. "github.com/onsi/gomega"
|
||||||
|
|
||||||
"github.com/securego/gosec"
|
"github.com/securego/gosec"
|
||||||
"github.com/securego/gosec/rules"
|
"github.com/securego/gosec/rules"
|
||||||
"github.com/securego/gosec/testutils"
|
"github.com/securego/gosec/testutils"
|
||||||
|
@ -110,6 +111,10 @@ var _ = Describe("gosec rules", func() {
|
||||||
runner("G401", testutils.SampleCodeG401)
|
runner("G401", testutils.SampleCodeG401)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
It("should detect weak crypto algorithms", func() {
|
||||||
|
runner("G401", testutils.SampleCodeG401b)
|
||||||
|
})
|
||||||
|
|
||||||
It("should find insecure tls settings", func() {
|
It("should find insecure tls settings", func() {
|
||||||
runner("G402", testutils.SampleCodeG402)
|
runner("G402", testutils.SampleCodeG402)
|
||||||
})
|
})
|
||||||
|
@ -137,6 +142,9 @@ var _ = Describe("gosec rules", func() {
|
||||||
It("should detect blacklisted imports - CGI (httpoxy)", func() {
|
It("should detect blacklisted imports - CGI (httpoxy)", func() {
|
||||||
runner("G504", testutils.SampleCodeG504)
|
runner("G504", testutils.SampleCodeG504)
|
||||||
})
|
})
|
||||||
|
It("should detect blacklisted imports - SHA1", func() {
|
||||||
|
runner("G505", testutils.SampleCodeG505)
|
||||||
|
})
|
||||||
|
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
|
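Review bot: The new test description `should detect weak crypto algorithms` is generic, while the sibling blacklist test added further down is named `should detect blacklisted imports - SHA1`; with two G401 cases in the same Describe block a failure report will not say which one fired. Suggest `It("should detect weak crypto algorithms - SHA1", func() {` to match the naming used for the G505 case. The enclosing Describe block starts and ends outside the hunk.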
@ -43,6 +43,7 @@ func NewUsesWeakCryptography(id string, conf gosec.Config) (gosec.Rule, []ast.No
|
||||||
calls := make(map[string][]string)
|
calls := make(map[string][]string)
|
||||||
calls["crypto/des"] = []string{"NewCipher", "NewTripleDESCipher"}
|
calls["crypto/des"] = []string{"NewCipher", "NewTripleDESCipher"}
|
||||||
calls["crypto/md5"] = []string{"New", "Sum"}
|
calls["crypto/md5"] = []string{"New", "Sum"}
|
||||||
|
calls["crypto/sha1"] = []string{"New", "Sum"}
|
||||||
calls["crypto/rc4"] = []string{"NewCipher"}
|
calls["crypto/rc4"] = []string{"NewCipher"}
|
||||||
rule := &usesWeakCryptography{
|
rule := &usesWeakCryptography{
|
||||||
blacklist: calls,
|
blacklist: calls,
|
||||||
|
|
|
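Review bot: The blacklist now lists `sha1.Sum` alongside `sha1.New`, but the only G401 sample added in this change (SampleCodeG401b, in the testutils hunk further down) calls `sha1.New()` and never `sha1.Sum`, so the Sum path is unexercised by the new test. A second sample, or an extra `sha1.Sum([]byte("x"))` line in G401b with its expected count raised to match, would cover it. The G505 sample does call `sha1.Sum` but appears to run only under the import rule, so it does not stand in. NewUsesWeakCryptography continues outside the hunk.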
@ -633,6 +633,31 @@ func main() {
|
||||||
fmt.Printf("%x", h.Sum(nil))
|
fmt.Printf("%x", h.Sum(nil))
|
||||||
}`, 1}}
|
}`, 1}}
|
||||||
|
|
||||||
|
// SampleCodeG401b - Use of weak crypto SHA1
|
||||||
|
SampleCodeG401b = []CodeSample{
|
||||||
|
{`
|
||||||
|
package main
|
||||||
|
import (
|
||||||
|
"crypto/sha1"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"log"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
func main() {
|
||||||
|
f, err := os.Open("file.txt")
|
||||||
|
if err != nil {
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
defer f.Close()
|
||||||
|
|
||||||
|
h := sha1.New()
|
||||||
|
if _, err := io.Copy(h, f); err != nil {
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
fmt.Printf("%x", h.Sum(nil))
|
||||||
|
}`, 1}}
|
||||||
|
|
||||||
// SampleCodeG402 - TLS settings
|
// SampleCodeG402 - TLS settings
|
||||||
SampleCodeG402 = []CodeSample{{`
|
SampleCodeG402 = []CodeSample{{`
|
||||||
// InsecureSkipVerify
|
// InsecureSkipVerify
|
||||||
|
@ -827,6 +852,20 @@ import (
|
||||||
)
|
)
|
||||||
func main() {
|
func main() {
|
||||||
cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
|
cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
|
||||||
|
}`, 1}}
|
||||||
|
// SampleCodeG505 - Blacklisted import SHA1
|
||||||
|
SampleCodeG505 = []CodeSample{
|
||||||
|
{`
|
||||||
|
package main
|
||||||
|
import (
|
||||||
|
"crypto/sha1"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
func main() {
|
||||||
|
for _, arg := range os.Args {
|
||||||
|
fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg)
|
||||||
|
}
|
||||||
}`, 1}}
|
}`, 1}}
|
||||||
// SampleCode601 - Go build tags
|
// SampleCode601 - Go build tags
|
||||||
SampleCode601 = []CodeSample{{`
|
SampleCode601 = []CodeSample{{`
|
||||||
|
|