From f97f86103cf191291301ce7223eeda12cbd7124d Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Wed, 11 Mar 2020 14:00:30 +0100
Subject: [PATCH] Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls
Also add the corresponding tests for this.
Signed-off-by: Cosmin Cojocar
---
 rules/subproc.go | 2 ++
 testutils/source.go | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/rules/subproc.go b/rules/subproc.go
index 2513ec1..be100ad 100644
--- a/rules/subproc.go
+++ b/rules/subproc.go
@@ -62,5 +62,7 @@ func NewSubproc(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 rule.Add("os/exec", "Command")
 rule.Add("os/exec", "CommandContext")
 rule.Add("syscall", "Exec")
+ rule.Add("syscall", "ForkExec")
+ rule.Add("syscall", "StartProcess")
 return rule, []ast.Node{(*ast.CallExpr)(nil)}
 }
diff --git a/testutils/source.go b/testutils/source.go
index af69b27..66cb814 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -1066,6 +1066,44 @@ func main() {
 }
 }`}, 0, gosec.NewConfig()},
 {[]string{`
+package main
+
+import (
+ "fmt"
+ "syscall"
+)
+
+func RunCmd(command string) {
+ _, err := syscall.ForkExec(command, []string{}, nil)
+ if err != nil {
+ fmt.Printf("Error: %v\n", err)
+ }
+}
+
+func main() {
+ RunCmd("sleep")
+}`}, 1, gosec.NewConfig(),
+ },
+ {[]string{`
+package main
+
+import (
+ "fmt"
+ "syscall"
+)
+
+func RunCmd(command string) {
+ _, err := syscall.StartProcess(command, []string{}, nil)
+ if err != nil {
+ fmt.Printf("Error: %v\n", err)
+ }
+}
+
+func main() {
+ RunCmd("sleep")
+}`}, 1, gosec.NewConfig(),
+ },
+ {[]string{`
 // starting a process with a variable as an argument
 // even if not constant is not considered as dangerous
 // because it has harcoded value
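Review bot: The registration list in rules/subproc.go still has no entry for `os.StartProcess`, which spawns a process in the same way as the `syscall.StartProcess` call registered here, so a scan would report the syscall form but stay silent on the os-level wrapper; NewSubproc starts before this hunk, so ignore this if it is registered earlier. The one-line fix is `rule.Add("os", "StartProcess")` next to the two new lines, with a matching case in testutils/source.go. A short comment above the whole list, e.g. `// process-spawning entry points in os, os/exec and syscall`, would make the intent of the block explicit for the next person extending it.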
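Review bot: Both new cases in testutils/source.go exercise only the reported path, with `command` arriving as a non-constant parameter; the context lines that follow document a non-reported case for a hard-coded value, but no such case exists for `syscall.ForkExec` or `syscall.StartProcess`, so a regression in how the new matches handle that exemption would go unnoticed. If the exemption is meant to cover the syscall entries too, a third case calling `syscall.ForkExec("/bin/sleep", []string{}, nil)` with the expected count that implies (presumably 0) would pin it down. The two cases also differ only in the function called; a one-line comment ahead of each, e.g. `// syscall.ForkExec with a non-constant path must be reported`, would record what each one asserts.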