云微
602ced7e71
Fix wrong location for G109 (#829)
Before this commit, G109 will report on `strconv.Atoi`.
After this, it will report on the conversion like `int32(a)`.
2022-07-06 06:37:11 +02:00
云微
b0f3e78e07
fix ReadTimeout for G112 rule
2022-06-23 14:58:13 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.
This is CVE-2022-23772.
* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack
2022-04-30 12:38:50 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/")
2022-03-06 10:58:47 +01:00
Cosmin Cojocar
1fbcf10e18
Add a test for tls min version defined in a different file
2022-01-26 19:27:26 +01:00
kaiili
1d909e2687
Add db.Exec and db.Prepare to the sql rule (#763)
* Add db.Exec and db.Prepare to the sql rule
* add test cases for G201,G202
2022-01-17 13:50:37 +01:00
Cosmin Cojocar
7be6d4efb5
Add os.Create to the readfile rule (#761)
2022-01-12 19:33:17 +01:00
kaiili
75cc7dcd51
Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759)
2022-01-12 16:33:39 +01:00
kaiili
9d66b0d346
Fix false negatives for SQL injection in multi-line queries
2022-01-05 12:05:53 +01:00
Ville Skyttä
4c1afaa492
Find G303 with filepath.Join'd temp dirs (#754)
2022-01-04 14:48:02 +01:00
Ville Skyttä
19bda8d15f
Find more tempdirs
* Find G303 in string concatenations, with os.TempDir, and in path.Join args
* Find G303 with /usr/tmp, too
/usr/tmp is commonly found e.g. on Solaris.
2022-01-03 21:58:25 +01:00
Ville Skyttä
d23ab2d997
Remove space between // and #nosec in examples and internal use
Comments intended for machines to read do not have the space by
convention.
2021-12-15 19:31:14 +01:00
Lars
6a41fb9e61
Fix https://github.com/securego/gosec/issues/714 (#733)
2021-11-24 16:34:42 +01:00
Ville Skyttä
40fa36d1de
G303: catch with os.WriteFile, add os.Create test case (#718)
* Add G303 os.Create test case
* Catch G303 with os.WriteFile too
2021-11-09 21:13:45 +01:00
Eng Zer Jun
7fd4aef9dc
feat: add os.ReadFile to G304 (#706)
In Go 1.16 or higher, the `io/ioutil` package has been deprecated and the
`ioutil.ReadFile` function now calls `os.ReadFile`.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 09:53:26 +02:00
Matthieu MOREL
bfb0f422fe
chore(lint): enable errorlint and gci (#698)
2021-09-13 09:40:10 +02:00
Cosmin Cojocar
f285d612b5
Fix formatting issues with gofumpt (#685)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-08-18 13:16:21 +02:00
Nanik
5a131be2ec
fix: add more rules for G204 (#677)
* fix: add more rules for G204
* fix: add extra test and comment
2021-08-16 11:31:51 +02:00
Lars
d4dc2d2df5
Improve the G307 rule
* Add G307 sample code.
The sample should reflect a deferred close that leads to data loss.
Due to IDE auto-complete, people tend to at least log errors, but not
really care about handling them.
* Add more G307 sample code. Propose a way to implement
* Remove unused code. Add example that should not return an error but does
* Remove test for synced closed file for now.
Will add this later
Co-authored-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2021-07-31 23:03:09 +02:00
Nanik
9535c9e3e1
fix: add variable assignment checking as part of MinVersion (#669)
* fix: add variable assignment checking as part of MinVersion
* fix: add more code to allow assignment with const
* fix: rework the code and add more test cases for MinVersion
* fix: format linting issue using gofumpt
2021-07-27 22:03:59 +02:00
Nanik
2a4064d45d
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 11:23:39 +02:00
Josh Kaufman
514f65f3c3
Add G204 rule for sys/execabs (#660)
* Add G204 rule for sys/execabs
* syntax error in testutils/sources.go
2021-07-01 17:43:25 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build
2021-05-31 10:44:12 +02:00
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt
2021-05-07 18:04:01 +02:00
Cosmin Cojocar
897c203e62
Reset the state of TLS rule after each version check (#570)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 10:52:16 +01:00
Cosmin Cojocar
a5911ad7bb
Fix compilation errors in the test samples
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-01-04 09:28:00 +01:00
Chris Bandy
23ef7009f9
Fix some typos in rules tests
2021-01-04 09:28:00 +01:00
Chris Bandy
e100f6b862
Assert that sample code compiles
2021-01-04 09:28:00 +01:00
Cosmin Cojocar
f13b8bc639
Also add filepath.Rel as a sanitization method for the input argument in the G304 rule
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
ggkitsas
b60ddc21ba
feat: adds support for path.Join and for tar archives in G305
2020-08-03 09:17:45 +02:00
Cosmin Cojocar
110b62b05f
Add io.CopyBuffer function to rule G110
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-29 14:25:45 +02:00
evalphobia
03f12f3f5d
Change naming rule from blacklist to blocklist
2020-06-29 13:45:44 +02:00
Cosmin Cojocar
55d368f2e5
Improve the TLS version checking
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 09:21:14 +02:00
Cosmin Cojocar
1d2c951f2c
Extend the rule G304 with os.OpenFile and add a test to cover it
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-17 13:14:08 +02:00
Cosmin Cojocar
0c1a71b8a1
Add more tests samples to increase coverage
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
fe07fcf276
Fix unit test when checking a mix of good and bad random functions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
30e93bf865
Improve the SQL strings concat rules to handle multiple string concatenation
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
68bce94323
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
In addition, the pattern matching used by the rules is made case insensitive.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Grant Murphy
8630c43b66
Add null pointer check in G601
fixes: #475
2020-05-21 05:51:45 +02:00
Lukas Aron
1418b856ea
ondisk -> onDisk
2020-05-19 11:34:34 +02:00
Caccavale
ee3146e637
Rule which detects aliasing of values in RangeStmt
2020-04-24 07:46:25 -07:00
Cosmin Cojocar
fb44007c6e
Enhance the hardcoded credentials rule to check the equality and non-equality of strings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
Cosmin Cojocar
c6e10af40f
Handle properly the gosec module version v2
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
Cosmin Cojocar
7da9f46445
Fix the call list info to handle selector expressions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-16 09:44:57 +01:00
Cosmin Cojocar
cf2590442c
Fix the subproc rule to correctly handle the CommandContext check
In this case, we need to skip the first argument because it is the context.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Cosmin Cojocar
f97f86103c
Update the subproc rule to detect the syscall.ForkExec and syscall.StartProcess calls
Also add the corresponding tests for this.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Sam Caccavale
7525fe4bb7
Rule for deferring methods which return errors (#441)
2020-03-01 21:45:37 +01:00
Sam Caccavale
a305f10eb9
Fileperms (#442)
2020-02-28 12:48:18 +01:00
Cosmin Cojocar
3e069e7756
Fix the errors rule whitelist to work on types methods
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-29 09:41:46 +01:00
Hiroki Suezawa
459e2d3e91
Modify rule for integer overflow to have more accurate results (#434)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-21 10:13:11 +01:00
Hiroki Suezawa
a4d7b3628b
Add G110 (Potential DoS vulnerability via decompression bomb)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-20 10:37:56 +01:00
Cosmin Cojocar
3d5c97b418
Add a test sample for Cgo files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:06:23 +01:00
Hiroki Suezawa
9cb83e10af
Add a rule which detects when there is potential integer overflow (#422)
* Add G109 (Potential Integer OverFlow Detection)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* add CWE to G109 (Potential Integer Overflow)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* Modify G109 to use gosec.Context
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00
Cosmin Cojocar
50e1fe267d
Improve the SSRF rule to report an issue for package scoped variables
Also made the rule not report an issue when encountering a function
scoped variable which terminates in a basic literal such as a string.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
e680875ea1
Replace the deprecated load mode with more specific flags as recommended in the packages docs (#400)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-02 14:05:14 +02:00
Cosmin Cojocar
29341f6e9c
Fix the rule G108/pprof to handle the case when the pprof import has no name
This is causing a crash.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 18:16:45 +10:00
Martin Vrachev
b504783a71
Change unit tests to check for one thing (#381)
The unit tests should check for a single thing at a time.
This was not true for some of the tests.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 10:15:56 +02:00
Cosmin Cojocar
9cee24cccd
Add a rule which detects when pprof endpoint is automatically exposed
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 09:32:09 +10:00
Martin Vrachev
e7b3ae9c54
Clarify and add new unit tests for rule G107 (#376)
The existing unit tests for G107 didn't have any comments why
a certain code is problematic.
Other than that we need more unit tests for rule G107 for the
different scenarios.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-17 12:22:43 +02:00
Martin Vrachev
709ed1ba65
Change rule G204 to be less restrictive (#339)
Currently, rule G204 warns you about every single use of the
functions syscall.Exec, os.exec.CommandContext and os.Exec.Command.
This can create false positives and it's not accurate because you can
use those functions with perfectly secure arguments like hardcoded
strings for example.
With this change, G204 will warn you in 3 cases when passing arguments
to a function which starts a new process, namely when the arguments:
1) are variables initialized by calling another function
2) are functions
3) are command-line arguments or environmental variables
Closes: https://github.com/securego/gosec/issues/338
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 16:15:06 +02:00
Cosmin Cojocar
338b50debb
Remove rule G105 which detects the use of math/big#Int.Exp
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:59:05 +10:00
Cosmin Cojocar
81b6dc8872
Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:57:18 +10:00
Cosmin Cojocar
f3445245a2
Fix the whitelist on G104 rule and add a test
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:15:11 +02:00
Cosmin Cojocar
ed9934fa48
Refactor the rules tests to be able to configure the analyzer config per test sample
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:29:19 +02:00
Ben Bytheway
04dc713f22
One approach for fixing the false positive identified in #325.
2019-06-13 08:22:48 +10:00
Cosmin Cojocar
3e69a8c8a2
Append the package load errors to analyser's errors
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
3af4ae9ddb
Fix some lint warnings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
25b5a1a1ce
Add tests to cover the import tracker from file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 19:34:57 +02:00
Naoya Yoshizawa
85d180848d
Go modules support for 1.12 (#297)
* support go module
* fix implement and uncommented out tests
* includes test package
* remove test environment go1.10 or older
2019-04-25 09:25:32 +02:00
Martin Vrachev
9cdfec40ca
Change test
I thought that an example where the user inputs a URL is more realistic.
Because if your operating system is already hacked then you are already screwed.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-13 11:47:59 +01:00
Joaquin L. Pereyra
e2752bc191
revert to default GOPATH if necessary (#279)
* revert to default GOPATH if necessary
2019-02-07 09:34:52 +10:00
Cosmin Cojocar
f87af5fa72
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define the global options in the configuration more explicitly
* Detect in audit mode the unhandled errors even though they are explicitly ignored
2019-01-14 21:37:40 +10:00
Cosmin Cojocar
14ed63d558
Do not flag the unhandled errors which are explicitly ignored
fixes #270
2019-01-14 10:06:30 +01:00
Cosmin Cojocar
24e3094d2a
Extend the bind rule to handle the case when the net.Listen address is provided from a const
2018-12-04 09:22:06 +01:00
Cosmin Cojocar
9b32fcac16
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-04 09:22:06 +01:00
Cosmin Cojocar
2695567487
Build the code sample for string builder only from Go 1.10 onwards
2018-11-11 09:57:28 +01:00
Cosmin Cojocar
ae82798b9c
Fix the WriteString test by handling the error
2018-11-11 09:57:28 +01:00
Edoardo Tenani
9b966a447e
add test case for strings.Builder G104 whitelist inclusion
2018-11-11 09:57:28 +01:00
Yuki Ito
41809946d4
Make G201 ignore CallExpr with no args (#262)
2018-11-05 09:28:47 +01:00
Oleksandr Redko
3116b07de4
Fix typos in comments and rulelist (#256)
2018-10-11 14:45:31 +02:00
Cosmin Cojocar
64d58c2e51
Refactor the test code sample to support multiple files per sample
2018-09-28 11:42:25 +03:00
Delon Wong Her Laang
d3f1980e7a
Fix false positives for SQL string concatenation with constants from another file (#247)
* Allow for SQL concatenation of nodes that resolve to literals
If node.Y resolves to a literal, it will not be considered as an issue.
* Fix typo in comment.
* Go through all files in package to resolve that identifier
* Refactor code and added comments.
* Changed checking to not var or func.
* Allow for supporting code for test cases.
* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
Dale Hui
762ff3a709
Allow quoted strings to be used to format SQL queries (#240)
* Support stripping vendor paths when matching calls
* Factor out matching of formatter string
* Quoted strings are safe to use with SQL str formatted strings
* Add test for allowing quoted strings with string formatters
* Install the pq package for tests to pass
2018-09-25 10:40:05 +03:00
cschoenduve-splunk
145f1a0bf4
Removed wrapping feature (#238)
2018-09-04 18:08:37 +02:00
cschoenduve-splunk
419c9292c8
G107 - SSRF (#236)
* Initial SSRF Rule
* Added Selector evaluation
* Added source code tests
* Fixed spacing issues
* Fixed Spacingv2
* Removed resty test
2018-09-04 08:55:03 +02:00
cschoenduve-splunk
7fd94463ed
update to G304 which adds binary expressions and file joining (#233)
* Added features to G304
* Linted
* Added path selectors
* Used better solution
* removed debugging lines
* fixed comments
* Added test code
* fixed a spacing change
2018-08-28 14:34:07 +10:00
Cosmin Cojocar
fb0dc73a96
Add sha1 to weak crypto primitives
2018-08-08 16:38:57 +02:00
Will Roden
1f9d09d456
remove extra bracket from test source
2018-07-26 09:27:39 -05:00
Will Roden
6a156e2695
Merge branch 'master' into commandcontext
2018-07-26 09:13:43 -05:00
Cosmin Cojocar
893b87b343
Replace gas with gosec everywhere in the project
2018-07-19 18:42:25 +02:00
Grant Murphy
da26f64208
Rename github org (#214)
2018-07-19 17:40:28 +10:00
Cosmin Cojocar
1923b6d18e
Rule which detects a potential path traversal when extracting zip archives (#208)
* Add a rule which detects file path traversal when extracting zip archive
* Detect if any argument is derived from zip.File
* Drop support for Go version 1.8
2018-07-18 22:31:07 +10:00
Will Roden
d7ec2fce7a
add CommandContext as subprocess launcher
2018-06-03 16:43:28 -05:00
cosmincojocar
4ae8c95b40
Add an option for Go build tags (#201)
* Add an option for Go build tags
* Update README with a section for Go build tags
2018-04-20 09:45:03 +10:00
Grant Murphy
7116c4d3a1
fix fmt errors
2018-03-09 15:36:31 +10:00
Grant Murphy
ff2b30ff5d
Cleanup test output
2018-03-09 15:28:56 +10:00
coredefend
e76b258456
New Rule Tainted file (#183)
* Add a tool to generate the TLS configuration from Mozilla's ciphers recommendation (#178)
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the comments of the generated functions
* Add nil pointer check to rule. (#181)
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.
Relates to #174
* Add support for YAML output format (#177)
* Add YAML output format
* Update README
* added rule to check for tainted file path
* added #nosec to main/issue.go
* updated test case import
2018-03-09 09:23:27 +10:00
Grant Murphy
ac4622d395
Merge pull request #165 from cosmincojocar/fix_gas_warnings
Fix some gas warnings
2018-02-08 11:54:16 +10:00