Enhance the hardcoded credentials rule to check the equality and non-equality of strings

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
This commit is contained in:
Cosmin Cojocar 2020-04-17 15:47:27 +02:00 committed by Cosmin Cojocar
parent a2a40de847
commit fb44007c6e
4 changed files with 50 additions and 2 deletions

go.mod

@ -10,6 +10,7 @@ require (
github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d
github.com/onsi/ginkgo v1.12.0
github.com/onsi/gomega v1.9.0
github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f
github.com/stretchr/testify v1.4.0 // indirect
golang.org/x/text v0.3.2 // indirect
golang.org/x/tools v0.0.0-20200331202046-9d5940d49312

go.sum

@ -31,6 +31,8 @@ github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg=
github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f h1:tygelZueB1EtXkPI6mQ4o9DQ0+FKW41hTbunoXZCTqk=
github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f/go.mod h1:AuYgA5Kyo4c7HfUmvRGs/6rGlMMV/6B1bVnB9JxJEEg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=


@ -16,6 +16,7 @@ package rules
import (
"go/ast"
"go/token"
"regexp"
"strconv"
@ -58,6 +59,8 @@ func (r *credentials) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, error
return r.matchAssign(node, ctx)
case *ast.ValueSpec:
return r.matchValueSpec(node, ctx)
case *ast.BinaryExpr:
return r.matchEqualityCheck(node, ctx)
}
return nil, nil
}
@ -96,6 +99,21 @@ func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Contex
return nil, nil
}
func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*gosec.Issue, error) {
if binaryExpr.Op == token.EQL || binaryExpr.Op == token.NEQ {
if ident, ok := binaryExpr.X.(*ast.Ident); ok {
if r.pattern.MatchString(ident.Name) {
if val, err := gosec.GetString(binaryExpr.Y); err == nil {
if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil
}
}
}
}
}
return nil, nil
}
// NewHardcodedCredentials attempts to find high entropy string constants being
// assigned to variables that appear to be related to credentials.
func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
@ -151,5 +169,5 @@ func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.No
Confidence: gosec.Low,
Severity: gosec.High,
},
}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil)}
}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil), (*ast.BinaryExpr)(nil)}
}


@ -69,7 +69,34 @@ const (
)
func main() {
println(ATNStateTokenStart)
}`}, 1, gosec.NewConfig()}}
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
import "fmt"
func main() {
var password string
if password == "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
fmt.Println("password equality")
}
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
import "fmt"
func main() {
var password string
if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
fmt.Println("password equality")
}
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
import "fmt"
func main() {
var p string
if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
fmt.Println("password equality")
}
}`}, 0, gosec.NewConfig()}}
// SampleCodeG102 code snippets for network binding
SampleCodeG102 = []CodeSample{