Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls

Also add the corresponding tests for this.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
This commit is contained in:
Cosmin Cojocar 2020-03-11 14:00:30 +01:00 committed by Cosmin Cojocar
parent c998389da2
commit f97f86103c
2 changed files with 40 additions and 0 deletions


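--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -62,5 +62,7 @@ func NewSubproc(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 rule.Add("os/exec", "Command")
 rule.Add("os/exec", "CommandContext")
 rule.Add("syscall", "Exec")
+rule.Add("syscall", "ForkExec")
+rule.Add("syscall", "StartProcess")
 return rule, []ast.Node{(*ast.CallExpr)(nil)}
 }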
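Review bot: The two added syscall entries leave `os.StartProcess` unmatched, although it takes the same path and argv and (to my knowledge) delegates to `syscall.StartProcess`, so a program that spawns through the os-package wrapper would still slip past this rule; add `rule.Add("os", "StartProcess")` beside the new lines, with a test case shaped like the two new syscall ones. The earlier `rule.Add` calls and the start of NewSubproc lie outside the hunk, so I cannot confirm the entry is not already registered there.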


@ -1066,6 +1066,44 @@ func main() {
} }
}`}, 0, gosec.NewConfig()}, }`}, 0, gosec.NewConfig()},
{[]string{` {[]string{`
package main
import (
"fmt"
"syscall"
)
func RunCmd(command string) {
_, err := syscall.ForkExec(command, []string{}, nil)
if err != nil {
fmt.Printf("Error: %v\n", err)
}
}
func main() {
RunCmd("sleep")
}`}, 1, gosec.NewConfig(),
},
{[]string{`
package main
import (
"fmt"
"syscall"
)
func RunCmd(command string) {
_, err := syscall.StartProcess(command, []string{}, nil)
if err != nil {
fmt.Printf("Error: %v\n", err)
}
}
func main() {
RunCmd("sleep")
}`}, 1, gosec.NewConfig(),
},
{[]string{`
// starting a process with a variable as an argument // starting a process with a variable as an argument
// even if not constant is not considered as dangerous // even if not constant is not considered as dangerous
// because it has harcoded value // because it has harcoded value