Check nil pointer when variable is declared in a different file
This commit is contained in:
parent
cdd3476f91
commit
f823a7e92b
3 changed files with 60 additions and 12 deletions
|
@ -81,10 +81,14 @@ func (r *readfile) isFilepathClean(n *ast.Ident, c *gosec.Context) bool {
|
||||||
func (r *readfile) trackFilepathClean(n ast.Node) {
|
func (r *readfile) trackFilepathClean(n ast.Node) {
|
||||||
if clean, ok := n.(*ast.CallExpr); ok && len(clean.Args) > 0 {
|
if clean, ok := n.(*ast.CallExpr); ok && len(clean.Args) > 0 {
|
||||||
if ident, ok := clean.Args[0].(*ast.Ident); ok {
|
if ident, ok := clean.Args[0].(*ast.Ident); ok {
|
||||||
|
// ident.Obj may be nil if the referenced declaration is in another file. It also may be incorrect.
|
||||||
|
// if it is nil, do not follow it.
|
||||||
|
if ident.Obj != nil {
|
||||||
r.cleanedVar[ident.Obj.Decl] = n
|
r.cleanedVar[ident.Obj.Decl] = n
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Match inspects AST nodes to determine if the match the methods `os.Open` or `ioutil.ReadFile`
|
// Match inspects AST nodes to determine if the match the methods `os.Open` or `ioutil.ReadFile`
|
||||||
func (r *readfile) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
|
func (r *readfile) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
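Review bot: The added guard protects only the write into `cleanedVar`; the lookup side, `isFilepathClean`, whose signature appears in the hunk header but whose body is outside the hunk, presumably indexes the same map by `n.Obj.Decl` and would hit the same nil dereference when `Match` sees a cross-file variable passed straight to `os.Open`/`os.ReadFile`, so it needs the mirror check (`if n.Obj == nil { return false }`). The new comment should also state the consequence of skipping: with `Obj` nil the `Clean`/`Rel` call is not recorded, so the variable is later treated as uncleaned and still reported — a conservative false positive rather than a silently trusted path, which is the right failure mode for this rule but is not obvious from "do not follow it". Suggested wording: `// ident.Obj is resolved per file by go/ast (deprecated in favour of go/types), so it is nil for identifiers declared in another file; if so the clean is not recorded and the variable stays flagged rather than trusted.` Resolving across files would mean going through the type checker (the context's `types.Info`, e.g. `c.Info.ObjectOf(ident)`), which requires threading the `*gosec.Context` into `trackFilepathClean`. `Match` continues past the end of the hunk.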
|
||||||
|
|
|
@ -2330,7 +2330,8 @@ func main() {
|
||||||
}
|
}
|
||||||
log.Print(body)
|
log.Print(body)
|
||||||
|
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2346,7 +2347,8 @@ func main() {
|
||||||
}
|
}
|
||||||
log.Print(body)
|
log.Print(body)
|
||||||
|
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2370,7 +2372,8 @@ func main() {
|
||||||
fmt.Fprintf(w, "%s", body)
|
fmt.Fprintf(w, "%s", body)
|
||||||
})
|
})
|
||||||
log.Fatal(http.ListenAndServe(":3000", nil))
|
log.Fatal(http.ListenAndServe(":3000", nil))
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2394,7 +2397,8 @@ func main() {
|
||||||
fmt.Fprintf(w, "%s", body)
|
fmt.Fprintf(w, "%s", body)
|
||||||
})
|
})
|
||||||
log.Fatal(http.ListenAndServe(":3000", nil))
|
log.Fatal(http.ListenAndServe(":3000", nil))
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2410,7 +2414,8 @@ import (
|
||||||
log.Printf("Error: %v\n", err)
|
log.Printf("Error: %v\n", err)
|
||||||
}
|
}
|
||||||
log.Print(body)
|
log.Print(body)
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2434,7 +2439,8 @@ func main() {
|
||||||
fmt.Printf("Error: %v\n", err)
|
fmt.Printf("Error: %v\n", err)
|
||||||
}
|
}
|
||||||
fmt.Println(string(contents))
|
fmt.Println(string(contents))
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2453,7 +2459,8 @@ func main() {
|
||||||
log.Printf("Error: %v\n", err)
|
log.Printf("Error: %v\n", err)
|
||||||
}
|
}
|
||||||
log.Print(body)
|
log.Print(body)
|
||||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2469,7 +2476,8 @@ func main() {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
`}, 0, gosec.NewConfig()}, {[]string{`
|
`}, 0, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2488,7 +2496,8 @@ func main() {
|
||||||
repoFile := "path_of_file"
|
repoFile := "path_of_file"
|
||||||
openFile(repoFile)
|
openFile(repoFile)
|
||||||
}
|
}
|
||||||
`}, 0, gosec.NewConfig()}, {[]string{`
|
`}, 0, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2510,7 +2519,8 @@ func main() {
|
||||||
dir := "path_of_dir"
|
dir := "path_of_dir"
|
||||||
openFile(dir, repoFile)
|
openFile(dir, repoFile)
|
||||||
}
|
}
|
||||||
`}, 0, gosec.NewConfig()}, {[]string{`
|
`}, 0, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2530,7 +2540,8 @@ func main() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
`}, 0, gosec.NewConfig()}, {[]string{`
|
`}, 0, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -2561,6 +2572,38 @@ func main() {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
}`}, 1, gosec.NewConfig()},
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"path/filepath"
|
||||||
|
)
|
||||||
|
|
||||||
|
type foo struct {
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *foo) doSomething(silly string) error {
|
||||||
|
whoCares, err := filepath.Rel(THEWD, silly)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
fmt.Printf("%s", whoCares)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
f := &foo{}
|
||||||
|
|
||||||
|
if err := f.doSomething("irrelevant"); err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
`, `
|
||||||
|
package main
|
||||||
|
|
||||||
|
var THEWD string
|
||||||
|
`}, 0, gosec.NewConfig()},
|
||||||
}
|
}
|
||||||
|
|
||||||
// SampleCodeG305 - File path traversal when extracting zip/tar archives
|
// SampleCodeG305 - File path traversal when extracting zip/tar archives
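Review bot: The new two-file sample only routes the cross-file identifier `THEWD` into `filepath.Rel` and never opens a file, so it pins "no panic, no finding" but not what G304 reports once a variable whose `filepath.Clean`/`Rel` could not be tracked is actually read. A second sample with the same `var THEWD string` file and a body of `filepath.Clean(THEWD)` followed by `os.ReadFile(THEWD)` would lock in the intended outcome for that path (presumably one finding, since the guard drops the tracking rather than trusting the variable) and would also exercise the lookup side of `cleanedVar` in `isFilepathClean`, which this hunk's sample does not reach. The other hunks in this file only re-wrap the `}, {[]string{` case separators onto two lines and need no review. The enclosing sample slice (presumably `SampleCodeG304`) starts before the first hunk.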
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
//go:build tools
|
||||||
// +build tools
|
// +build tools
|
||||||
|
|
||||||
package tools
|
package tools
|
||||||
|
|