Update the subproc rule to detect the syscall.ForkExec and syscall.StartProcess calls
Also add the corresponding tests for this. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
This commit is contained in:
parent
c998389da2
commit
f97f86103c
2 changed files with 40 additions and 0 deletions
|
@ -62,5 +62,7 @@ func NewSubproc(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
|||
rule.Add("os/exec", "Command")
|
||||
rule.Add("os/exec", "CommandContext")
|
||||
rule.Add("syscall", "Exec")
|
||||
rule.Add("syscall", "ForkExec")
|
||||
rule.Add("syscall", "StartProcess")
|
||||
return rule, []ast.Node{(*ast.CallExpr)(nil)}
|
||||
}
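Review bot: The two new entries match only the `syscall` package, so the exported wrapper `os.StartProcess`, which takes the same command-path first argument and calls `syscall.StartProcess` underneath, is still not matched and a caller that launches a variable path through it goes unreported; consider adding `rule.Add("os", "StartProcess")` beside the new lines, with a test case like the two added for the syscall variants. The start of NewSubproc and the Match logic that inspects the call's arguments are outside this hunk, so I cannot confirm here that the argument check applies unchanged to the new entries; since ForkExec and StartProcess share the `(argv0 string, argv []string, attr ...)` shape with the existing syscall.Exec entry, it presumably does, but a short comment above the syscall group such as `// syscall-level process launchers share the argv0/argv shape of syscall.Exec` would make that intent explicit.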
|
||||
|
|
|
@ -1066,6 +1066,44 @@ func main() {
|
|||
}
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
func RunCmd(command string) {
|
||||
_, err := syscall.ForkExec(command, []string{}, nil)
|
||||
if err != nil {
|
||||
fmt.Printf("Error: %v\n", err)
|
||||
}
|
||||
}
|
||||
|
||||
func main() {
|
||||
RunCmd("sleep")
|
||||
}`}, 1, gosec.NewConfig(),
|
||||
},
|
||||
{[]string{`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
func RunCmd(command string) {
|
||||
_, err := syscall.StartProcess(command, []string{}, nil)
|
||||
if err != nil {
|
||||
fmt.Printf("Error: %v\n", err)
|
||||
}
|
||||
}
|
||||
|
||||
func main() {
|
||||
RunCmd("sleep")
|
||||
}`}, 1, gosec.NewConfig(),
|
||||
},
|
||||
{[]string{`
|
||||
// starting a process with a variable as an argument
|
||||
// even if not constant is not considered as dangerous
|
||||
// because it has harcoded value
|
||||
|
|