mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 12:05:52 +00:00
Enhance the hardcoded credentials rule to check the equality and non-equality of strings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
This commit is contained in:
parent
a2a40de847
commit
fb44007c6e
4 changed files with 50 additions and 2 deletions
1
go.mod
1
go.mod
|
@ -10,6 +10,7 @@ require (
|
||||||
github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d
|
github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d
|
||||||
github.com/onsi/ginkgo v1.12.0
|
github.com/onsi/ginkgo v1.12.0
|
||||||
github.com/onsi/gomega v1.9.0
|
github.com/onsi/gomega v1.9.0
|
||||||
|
github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f
|
||||||
github.com/stretchr/testify v1.4.0 // indirect
|
github.com/stretchr/testify v1.4.0 // indirect
|
||||||
golang.org/x/text v0.3.2 // indirect
|
golang.org/x/text v0.3.2 // indirect
|
||||||
golang.org/x/tools v0.0.0-20200331202046-9d5940d49312
|
golang.org/x/tools v0.0.0-20200331202046-9d5940d49312
|
||||||
|
|
2
go.sum
2
go.sum
|
@ -31,6 +31,8 @@ github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg=
|
||||||
github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
|
github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
|
||||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||||
|
github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f h1:tygelZueB1EtXkPI6mQ4o9DQ0+FKW41hTbunoXZCTqk=
|
||||||
|
github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f/go.mod h1:AuYgA5Kyo4c7HfUmvRGs/6rGlMMV/6B1bVnB9JxJEEg=
|
||||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||||
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
|
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
|
||||||
|
|
|
@ -16,6 +16,7 @@ package rules
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"go/ast"
|
"go/ast"
|
||||||
|
"go/token"
|
||||||
"regexp"
|
"regexp"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
|
||||||
|
@ -58,6 +59,8 @@ func (r *credentials) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, error
|
||||||
return r.matchAssign(node, ctx)
|
return r.matchAssign(node, ctx)
|
||||||
case *ast.ValueSpec:
|
case *ast.ValueSpec:
|
||||||
return r.matchValueSpec(node, ctx)
|
return r.matchValueSpec(node, ctx)
|
||||||
|
case *ast.BinaryExpr:
|
||||||
|
return r.matchEqualityCheck(node, ctx)
|
||||||
}
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
@ -96,6 +99,21 @@ func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Contex
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*gosec.Issue, error) {
|
||||||
|
if binaryExpr.Op == token.EQL || binaryExpr.Op == token.NEQ {
|
||||||
|
if ident, ok := binaryExpr.X.(*ast.Ident); ok {
|
||||||
|
if r.pattern.MatchString(ident.Name) {
|
||||||
|
if val, err := gosec.GetString(binaryExpr.Y); err == nil {
|
||||||
|
if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
|
||||||
|
return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
// NewHardcodedCredentials attempts to find high entropy string constants being
|
// NewHardcodedCredentials attempts to find high entropy string constants being
|
||||||
// assigned to variables that appear to be related to credentials.
|
// assigned to variables that appear to be related to credentials.
|
||||||
func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
|
@ -151,5 +169,5 @@ func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.No
|
||||||
Confidence: gosec.Low,
|
Confidence: gosec.Low,
|
||||||
Severity: gosec.High,
|
Severity: gosec.High,
|
||||||
},
|
},
|
||||||
}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil)}
|
}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil), (*ast.BinaryExpr)(nil)}
|
||||||
}
|
}
|
||||||
|
|
|
@ -69,7 +69,34 @@ const (
|
||||||
)
|
)
|
||||||
func main() {
|
func main() {
|
||||||
println(ATNStateTokenStart)
|
println(ATNStateTokenStart)
|
||||||
}`}, 1, gosec.NewConfig()}}
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
|
package main
|
||||||
|
import "fmt"
|
||||||
|
func main() {
|
||||||
|
var password string
|
||||||
|
if password == "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
|
||||||
|
fmt.Println("password equality")
|
||||||
|
}
|
||||||
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
|
package main
|
||||||
|
import "fmt"
|
||||||
|
func main() {
|
||||||
|
var password string
|
||||||
|
if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
|
||||||
|
fmt.Println("password equality")
|
||||||
|
}
|
||||||
|
}`}, 1, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
|
package main
|
||||||
|
import "fmt"
|
||||||
|
func main() {
|
||||||
|
var p string
|
||||||
|
if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
|
||||||
|
fmt.Println("password equality")
|
||||||
|
}
|
||||||
|
}`}, 0, gosec.NewConfig()}}
|
||||||
|
|
||||||
// SampleCodeG102 code snippets for network binding
|
// SampleCodeG102 code snippets for network binding
|
||||||
SampleCodeG102 = []CodeSample{
|
SampleCodeG102 = []CodeSample{
|
||||||
|
|
Loading…
Reference in a new issue