diff --git a/go.mod b/go.mod
index 7b934aa..c1abe8a 100644
--- a/go.mod
+++ b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d
 	github.com/onsi/ginkgo v1.12.0
 	github.com/onsi/gomega v1.9.0
+	github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f
 	github.com/stretchr/testify v1.4.0 // indirect
 	golang.org/x/text v0.3.2 // indirect
 	golang.org/x/tools v0.0.0-20200331202046-9d5940d49312
diff --git a/go.sum b/go.sum
index ba3641a..857470d 100644
--- a/go.sum
+++ b/go.sum
@@ -31,6 +31,8 @@ github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg=
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f h1:tygelZueB1EtXkPI6mQ4o9DQ0+FKW41hTbunoXZCTqk=
+github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f/go.mod h1:AuYgA5Kyo4c7HfUmvRGs/6rGlMMV/6B1bVnB9JxJEEg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
diff --git a/rules/hardcoded_credentials.go b/rules/hardcoded_credentials.go
index 65ddd56..6b360c5 100644
--- a/rules/hardcoded_credentials.go
+++ b/rules/hardcoded_credentials.go
@@ -16,6 +16,7 @@ package rules
 import (
 	"go/ast"
+	"go/token"
 	"regexp"
 	"strconv"
@@ -58,6 +59,8 @@ func (r *credentials) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, error
 		return r.matchAssign(node, ctx)
 	case *ast.ValueSpec:
 		return r.matchValueSpec(node, ctx)
+	case *ast.BinaryExpr:
+		return r.matchEqualityCheck(node, ctx)
 	}
 	return nil, nil
 }
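Review bot: The new requirement on github.com/shurcooL/graphql is not imported by any file touched in this diff, so as far as these hunks show it is an unused module being pulled into the module graph and go.sum. Pinning an untagged 2018 pseudo-version of a third-party package widens the supply-chain surface for no visible benefit; if nothing in the tree imports it, `go mod tidy` should drop the line, and if a later change needs it the requirement belongs with that change. If it is used by code outside this diff, a sentence in the commit description saying where would make the addition reviewable.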
@@ -96,6 +99,21 @@ func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Contex
 	return nil, nil
 }
+func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*gosec.Issue, error) {
+	if binaryExpr.Op == token.EQL || binaryExpr.Op == token.NEQ {
+		if ident, ok := binaryExpr.X.(*ast.Ident); ok {
+			if r.pattern.MatchString(ident.Name) {
+				if val, err := gosec.GetString(binaryExpr.Y); err == nil {
+					if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
+						return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil
+					}
+				}
+			}
+		}
+	}
+	return nil, nil
+}
+
 // NewHardcodedCredentials attempts to find high entropy string constants being
 // assigned to variables that appear to be related to credentials.
 func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
@@ -151,5 +169,5 @@ func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.No
 			Confidence: gosec.Low,
 			Severity:   gosec.High,
 		},
-	}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil)}
+	}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil), (*ast.BinaryExpr)(nil)}
 }
diff --git a/testutils/source.go b/testutils/source.go
index dd900c1..069771c 100644
--- a/testutils/source.go
+++ b/testutils/source.go
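Review bot: matchEqualityCheck only fires when the credential-looking identifier is the left operand (binaryExpr.X) and the literal is on the right, so the equally common `if "f62e…" == password {` form slips past the rule while `password == "f62e…"` is flagged; the check should take whichever side is the *ast.Ident and treat the other side as the candidate string. The entropy gate `r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val))` is equivalent to `r.ignoreEntropy || r.isHighEntropyString(val)`, since the second term is only reached when the first is false. The five-deep nesting reads more easily as guard clauses. The new method also has no doc comment, unlike its neighbours; a one-liner such as `// matchEqualityCheck reports a credential-like identifier compared (== or !=) against a string literal.` would match the file's style.
```go
// matchEqualityCheck reports a credential-like identifier compared with == or !=
// against a string literal, whichever side of the comparison each operand is on.
func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*gosec.Issue, error) {
	if binaryExpr.Op != token.EQL && binaryExpr.Op != token.NEQ {
		return nil, nil
	}
	ident, ok := binaryExpr.X.(*ast.Ident)
	other := binaryExpr.Y
	if !ok {
		// literal on the left: `"…" == password`
		if ident, ok = binaryExpr.Y.(*ast.Ident); !ok {
			return nil, nil
		}
		other = binaryExpr.X
	}
	if !r.pattern.MatchString(ident.Name) {
		return nil, nil
	}
	val, err := gosec.GetString(other)
	if err != nil {
		return nil, nil
	}
	// ignoreEntropy short-circuits; otherwise the literal must look like a real secret
	if r.ignoreEntropy || r.isHighEntropyString(val) {
		return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil
	}
	return nil, nil
}
```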
@@ -69,7 +69,34 @@ const (
 )
 func main() {
 	println(ATNStateTokenStart)
-}`}, 1, gosec.NewConfig()}}
+}`}, 1, gosec.NewConfig()},
+	{[]string{`
+package main
+import "fmt"
+func main() {
+	var password string
+	if password == "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
+		fmt.Println("password equality")
+	}
+}`}, 1, gosec.NewConfig()},
+	{[]string{`
+package main
+import "fmt"
+func main() {
+	var password string
+	if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
+		fmt.Println("password equality")
+	}
+}`}, 1, gosec.NewConfig()},
+	{[]string{`
+package main
+import "fmt"
+func main() {
+	var p string
+	if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
+		fmt.Println("password equality")
+	}
+}`}, 0, gosec.NewConfig()}}
 // SampleCodeG102 code snippets for network binding
 SampleCodeG102 = []CodeSample{
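Review bot: The three new G101 samples all put the credential-like identifier on the left of the comparison, so they neither exercise nor document the literal-on-the-left form `if "f62e…" == password {`, and none covers a matching name compared against a low-entropy literal (e.g. `password == "admin"`) where the entropy gate, not the name pattern, decides the result. A reversed-operand sample is not flagged by matchEqualityCheck as written in this diff, so it should either be added with expected count 1 once the rule accepts either operand order, or pinned at 0 to make the current limitation explicit rather than silent. The `!=` sample prints "password equality", which reads as a copy of the `==` sample; "password inequality" would be clearer. The SampleCodeG101 slice these entries extend begins before the hunk.
```go
	{[]string{`
package main
import "fmt"
func main() {
	var password string
	if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" == password {
		fmt.Println("password equality")
	}
}`}, 1, gosec.NewConfig()},
```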