From f13b8bc63970f558528e8c21dbff530bbbd57c02 Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Wed, 19 Aug 2020 08:39:55 +0200 Subject: [PATCH] Add also filepath.Rel as a sanitization method for input argument in the G304 rule Signed-off-by: Cosmin Cojocar
---
 rules/readfile.go | 1 +
 testutils/source.go | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/rules/readfile.go b/rules/readfile.go
index 3d40ddb..072b016 100644
--- a/rules/readfile.go
+++ b/rules/readfile.go
@@ -120,6 +120,7 @@ func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 rule.pathJoin.Add("path/filepath", "Join")
 rule.pathJoin.Add("path", "Join")
 rule.clean.Add("path/filepath", "Clean")
+rule.clean.Add("path/filepath", "Rel")
 rule.Add("io/ioutil", "ReadFile")
 rule.Add("os", "Open")
 rule.Add("os", "OpenFile")
diff --git a/testutils/source.go b/testutils/source.go
index d7a88b2..2686840 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -1621,6 +1621,23 @@ func main() {
 repoFile := "path_of_file"
 openFile(repoFile)
 }
+`}, 0, gosec.NewConfig()}, {[]string{`
+package main
+
+import (
+ "os"
+ "path/filepath"
+)
+
+func main() {
+ repoFile := "path_of_file"
+ relFile := filepath.Rel(repoFile)
+ byContext, err := os.OpenFile(relFile, os.O_RDONLY, 0600)
+ if err != nil {
+ panic(err)
+ }
+}
+
 `}, 0, gosec.NewConfig()}}
 
 // SampleCodeG305 - File path traversal when extracting zip/tar archives
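Review bot: Registering `filepath.Rel` in `rule.clean` alongside `Clean` makes G304 treat its result as a sanitized path, but `Rel` is a purely lexical operation and its output can still carry `..` components (for example `filepath.Rel("/srv/data", "/etc/passwd")` yields `../../etc/passwd`), so a traversal payload routed through `Rel` is now silently exempted from the finding. If the intent is parity with the existing `Clean` exemption, that trade-off should at least be recorded on the rule so later maintainers do not read `rule.clean` as a list of traversal guards; I would add above these lines `// Clean and Rel only normalise lexically: their result may still contain ".." segments, so this exemption is a heuristic, not a traversal guard.` A stricter alternative is to keep `Rel` out of the exemption and let the downstream `Join`/open call be judged by the existing taint logic. `NewReadFile`'s body starts and ends outside this hunk, so I cannot see how `rule.clean` is consumed.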
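Review bot: The new sample calls `filepath.Rel(repoFile)` with a single argument and assigns a single result, which does not match the standard library signature `Rel(basepath, targpath string) (string, error)`, and `byContext` is declared but never used; if the test harness type-checks these samples the package will fail to build rather than exercise the new `Rel` exemption, and even if it only parses, the sample does not demonstrate the call shape the rule is meant to recognise. I would rewrite the body so that it is valid Go, checks the `Rel` error, and closes the file, keeping the expected finding count at 0. I have not verified whether gosec's harness builds samples with full type information, so treat the build-failure claim as something to confirm by running the G304 tests.
```go
func main() {
	repoFile := "path_of_file"
	relFile, err := filepath.Rel("/base", repoFile)
	if err != nil {
		panic(err)
	}
	byContext, err := os.OpenFile(relFile, os.O_RDONLY, 0600)
	if err != nil {
		panic(err)
	}
	defer byContext.Close()
}
```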