Commit graph

103 commits

Author SHA1 Message Date
Cosmin Cojocar
50e1fe267d Improve the SSRF rule to report an issue for package scoped variables
Made also the rule to not report an issue when encountering function
scoped variable which terminate in a basic literal such as a string.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
e680875ea1
Replace the deprecated load mode with more specific flags are recommended in the packages docs (#400)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-02 14:05:14 +02:00
Cosmin Cojocar
29341f6e9c Fix the rule G108/pporf to handle the case when the pporf import has not name
This is causing a crash.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 18:16:45 +10:00
Martin Vrachev
b504783a71 Change unit tests to check for one thing (#381)
The unit tests should check for a single thing at a time.
This was not true for some the tests.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 10:15:56 +02:00
Cosmin Cojocar
9cee24cccd Add a rule which detects when pprof endpoint is automatically exposed
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 09:32:09 +10:00
Martin Vrachev
e7b3ae9c54 Clarify and add new unit tests for rule G107 (#376)
The existing unit tests for G107 didn't have any comments why
a certain code is problematic.
Other than that we need more unit tests for rule G107 for the
different scenarios.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-17 12:22:43 +02:00
Martin Vrachev
709ed1ba65 Change rule G204 to be less restrictive (#339)
Currently, rule G204 warns you about every single use of the
functions syscall.Exec, os.exec.CommandContext and os.Exec.Command.
This can create false positives and it's not accurate because you can
use those functions with perfectly secure arguments like hardcoded
strings for example.

With this change, G204 will warn you in 3 cases when passing arguments
to a function which starts a new process the arguments:
1) are variables initialized by calling another function
2) are functions
3) are command-line arguments or environmental variables

Closes: https://github.com/securego/gosec/issues/338

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 16:15:06 +02:00
Cosmin Cojocar
338b50debb Remove rule G105 which detects the use of math/big#Int.Exp
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:59:05 +10:00
Cosmin Cojocar
81b6dc8872 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:57:18 +10:00
Cosmin Cojocar
f3445245a2 Fix the whitelist on G104 rule and add a test
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:15:11 +02:00
Cosmin Cojocar
ed9934fa48 Refactor the rules tests to be able to configure the analyzer config per test sample
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:29:19 +02:00
Ben Bytheway
04dc713f22 One approach for fixing the false positive identified in #325. 2019-06-13 08:22:48 +10:00
Cosmin Cojocar
3e69a8c8a2 Append the package load errors to analyser's errors
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
3af4ae9ddb Fix some lint warnings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
25b5a1a1ce Add tests to cover the import tracker from file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 19:34:57 +02:00
Naoya Yoshizawa
85d180848d Go modules support for 1.12 (#297)
* support go module

* fix implement and uncommented out tests

* includes test package

* remove test environment go1.10 or older
2019-04-25 09:25:32 +02:00
Martin Vrachev
9cdfec40ca Change test
I thought that an example where the user inputs a URL is more realistic.
Because if your operating system is already hacked then you are already screwed.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-13 11:47:59 +01:00
Joaquin L. Pereyra
e2752bc191 revert to default GOPATH if necessary (#279)
* revert to default GOPATH if necessary
2019-02-07 09:34:52 +10:00
Cosmin Cojocar
f87af5fa72 Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define more explicit the global options in the configuration

* Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 21:37:40 +10:00
Cosmin Cojocar
14ed63d558 Do not flag the unhandled errors which are explicitly ignored
fixes #270
2019-01-14 10:06:30 +01:00
Cosmin Cojocar
24e3094d2a Extend the bind rule to handle the case when the net.Listen address in provided from a const 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
9b32fcac16 Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
2695567487 Build the code sample for string builder only fron Go 1.10 onwards 2018-11-11 09:57:28 +01:00
Cosmin Cojocar
ae82798b9c Fix the WriteSring test by handling the error 2018-11-11 09:57:28 +01:00
Edoardo Tenani
9b966a447e add test case for strings.Builder G104 whitelist inclusion 2018-11-11 09:57:28 +01:00
Yuki Ito
41809946d4 Make G201 ignore CallExpr with no args (#262) 2018-11-05 09:28:47 +01:00
Oleksandr Redko
3116b07de4 Fix typos in comments and rulelist (#256) 2018-10-11 14:45:31 +02:00
Cosmin Cojocar
64d58c2e51 Refactor the test code sample to support multiple files per sample 2018-09-28 11:42:25 +03:00
Delon Wong Her Laang
d3f1980e7a Fix false positives for SQL string concatenation with constants from another file (#247)
* Allow for SQL concatenation of nodes that resolve to literals

If node.Y resolves to a literal, it will not be considered as an issue.

* Fix typo in comment.

* Go through all files in package to resolve that identifier

* Refactor code and added comments.

* Changed checking to not var or func.

* Allow for supporting code for test cases.

* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
Dale Hui
762ff3a709 Allow quoted strings to be used to format SQL queries (#240)
* Support stripping vendor paths when matching calls

* Factor out matching of formatter string

* Quoted strings are safe to use with SQL str formatted strings

* Add test for allowing quoted strings with string formatters

* Install the pq package for tests to pass
2018-09-25 10:40:05 +03:00
cschoenduve-splunk
145f1a0bf4 Removed wrapping feature (#238) 2018-09-04 18:08:37 +02:00
cschoenduve-splunk
419c9292c8 G107 - SSRF (#236)
* Initial SSRF Rule

* Added Selector evaluation

* Added source code tests

* Fixed spacing issues

* Fixed Spacingv2

* Removed resty test
2018-09-04 08:55:03 +02:00
cschoenduve-splunk
7fd94463ed update to G304 which adds binary expressions and file joining (#233)
* Added features to G304

* Linted

* Added path selectors

* Used better solution

* removed debugging lines

* fixed comments

* Added test code

* fixed a spacing change
2018-08-28 14:34:07 +10:00
Cosmin Cojocar
fb0dc73a96 Add sha1 to weak crypto primitives 2018-08-08 16:38:57 +02:00
Will Roden
1f9d09d456 remove extra bracket from test source 2018-07-26 09:27:39 -05:00
Will Roden
6a156e2695 Merge branch 'master' into commandcontext 2018-07-26 09:13:43 -05:00
Cosmin Cojocar
893b87b343 Replace gas with gosec everywhere in the project 2018-07-19 18:42:25 +02:00
Grant Murphy
da26f64208
Rename github org (#214) 2018-07-19 17:40:28 +10:00
Cosmin Cojocar
1923b6d18e Rule which detects a potential path traversal when extracting zip archives (#208)
* Add a rule which detects file path traversal when extracting zip archive

* Detect if any argument is derived from zip.File

* Drop support for Go version 1.8
2018-07-18 22:31:07 +10:00
Will Roden
d7ec2fce7a add CommandContext as subprocess launcher 2018-06-03 16:43:28 -05:00
cosmincojocar
4ae8c95b40 Add an option for Go build tags (#201)
* Add an option for Go build tags

* Update README with a section for Go build tags
2018-04-20 09:45:03 +10:00
Grant Murphy
7116c4d3a1 fix fmt errors 2018-03-09 15:36:31 +10:00
Grant Murphy
ff2b30ff5d Cleanup test output 2018-03-09 15:28:56 +10:00
coredefend
e76b258456 New Rule Tainted file (#183)
* Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)

* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration

* Update README

* Remove trailing space in README

* Update dependencies

* Fix the commends of the generated functions

* Add nil pointer check to rule. (#181)

TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.

Relates to #174

* Add support for YAML output format (#177)

* Add YAML output format

* Update README

* added rule to check for tainted file path

* added #nosec to main/issue.go

* updated test case import
2018-03-09 09:23:27 +10:00
Grant Murphy
ac4622d395
Merge pull request #165 from cosmincojocar/fix_gas_warnings
Fix some gas warnings
2018-02-08 11:54:16 +10:00
Cosmin Cojocar
c2c21553a3 Fix some gas warnings 2018-02-07 14:07:24 +01:00
Cosmin Cojocar
179c178924 Add some review fixes 2018-02-07 09:23:52 +01:00
Cosmin Cojocar
d3c3cd6419 Add a rule to detect the usage of ssh InsecureIgnoreHostKey function 2018-02-06 16:56:26 +01:00
Jon McClintock
1ca335016a Rebase to master 2018-01-22 18:45:07 +00:00
Grant Murphy
867d3009e8 Fix lint issues 2018-01-05 21:56:42 +10:00
Grant Murphy
e925d3c347 Migrated old test cases. 2017-12-28 16:54:10 +10:00
Grant Murphy
cfa432729c fix hound-ci errors 2017-12-13 17:39:00 +10:00
Grant Murphy
6943f9e5e4 Major rework of codebase
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
  on GOPATH)
- Simplified public API
2017-07-19 15:17:00 -06:00