Add also filepath.Rel as a sanitization method for input argument in the G304 rule

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
This commit is contained in:
Cosmin Cojocar 2020-08-19 08:39:55 +02:00
parent 047729a84f
commit f13b8bc639
2 changed files with 18 additions and 0 deletions

View file

@ -120,6 +120,7 @@ func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
rule.pathJoin.Add("path/filepath", "Join")
rule.pathJoin.Add("path", "Join")
rule.clean.Add("path/filepath", "Clean")
rule.clean.Add("path/filepath", "Rel")
rule.Add("io/ioutil", "ReadFile")
rule.Add("os", "Open")
rule.Add("os", "OpenFile")

View file

@ -1621,6 +1621,23 @@ func main() {
repoFile := "path_of_file"
openFile(repoFile)
}
`}, 0, gosec.NewConfig()}, {[]string{`
package main
import (
"os"
"path/filepath"
)
func main() {
repoFile := "path_of_file"
relFile := filepath.Rel(repoFile)
byContext, err := os.OpenFile(relFile, os.O_RDONLY, 0600)
if err != nil {
panic(err)
}
}
`}, 0, gosec.NewConfig()}}
// SampleCodeG305 - File path traversal when extracting zip/tar archives