Commit graph

140 commits

Author SHA1 Message Date
Cosmin Cojocar
ac75d44f56 Fix nosec when applied to a block
Handle properly nosec directive when applied to a block or as a single
line on a multi-line issue.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-28 12:54:05 +02:00
Cosmin Cojocar
4bf5667f66 Add a new rule to detect integer overflow on integer types conversion
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 13:03:01 +02:00
Cosmin Cojocar
dc5e5a99d0 Add a unit test to detect the false negative in rule G306 for os.ModePerm permissions
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-14 15:33:23 +02:00
Hiroki Yorimitsu
be378e682f Add support for math/rand/v2 added in Go 1.22 2024-03-07 16:33:18 +01:00
Cosmin Cojocar
2aad3f02a5 Fix lint warnings by properly formatting the files
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-12-08 14:46:36 +01:00
Adam Kaplan
0e2a61899a chore: Refactor Sample Code to Separate Files
Split the code in `source.go` to individual sample files, one per rule.
This will help contributors submit samples for new rules, or
improvements to existing rules. The cgo sample was all that was left
after refactoring, which resulted in its own sample file.

Sample code was also formatted to have some level of consistency.
Each sample go "file" attempts to keep the formatting of `gofmt`, and
each code sample is in its own section in the sample file.

Signed-off-by: Adam Kaplan <adam@adambkaplan.com>
2023-12-08 14:46:36 +01:00
Cosmin Cojocar
3188e3fb8e Ensure ignores are handled properly for multi-line issues
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-11-10 10:48:04 +01:00
Cosmin Cojocar
0ec6cd95d7 Refactor how ignored issues are tracked
Track ignored issues using file location instead of a AST node. There are issues linked to a different AST node than the original node used to start the scan.

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-13 14:11:08 +02:00
Cosmin Cojocar
616520f44f
Update the list of unsafe functions detected by the unsafe rule (#1033)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-10 09:47:36 +02:00
Cosmin Cojocar
0d332a1027 Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666
It seems that the os.Create will create by default a file with 0666 permissions.

This should be detected when the configured permissions are less than 0666. By default will not detect this case
unless the more restrictive mode is configured.

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-25 13:24:34 +02:00
Cosmin Cojocar
e02e2f6d5b Redesign and reimplement the slice out of bounds check using SSA code representation
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-20 10:19:51 +02:00
Cosmin Cojocar
6c93653a29
Fix hardcoded_credentials rule to only match on more specific patterns (#1009)
* Fix hardcoded_credentials rule to only match on more specific patterns

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

* Fix lint warnings

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

* Fix double escape in regexps

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

---------

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-05 18:00:02 +02:00
Cosmin Cojocar
beef1250a4
Exclude maps from slince bounce check rule (#1006)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-08-23 17:17:14 +02:00
Alexander Yastrebov
21d13c9a9b
Ignore struct pointers in G601 (#1003)
Updates https://github.com/securego/gosec/issues/966

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
2023-08-18 17:05:17 +02:00
Audun
bf7feda2b9
fix: correctly identify infixed concats as potential SQL injections (#987) 2023-07-25 17:13:07 +02:00
Morgen Malinoski
a018cf0fbb
Feature: G602 Slice Bound Checking (#973)
* Added slice bounds testing for slice expressions.

* Added checking slice index.

* Added test for reassigning slice.

* Store capacities on reslicing.

* Scope change clears map. Func name used to track slices.

* Map CallExpr to check bounds when passing to functions.

* Fixed linter errors.

* Updated rulelist with CWE mapping.

* Added comment for NewSliceBoundCheck.

* Addressed nil cap runtime error.

* Replaced usage of nil in call arg map with dummy callexprs.

* Updated comments, wrapped error return, addressed other review concerns.
2023-06-21 09:56:36 +02:00
Morgen Malinoski
abeab1092d
Feature: G101 match variable values and names (#971)
* G101 now checks LHS of ValueAssignments for patternValue.

* Added matching string literals in equality check.

* Added patternValue matching for ValueSpec.

* Ran gci to fix linter error.

* Added tests and updated regex to be more inclusive.

* Addressed short-circuit eval for isHighEntropy and non-standard ok variable.

* Resolved unhandled error and added more tests.

* Flattened code to make it more readable.

* Added better comments.

* Added new regex for Google API Key, GitHub PAT, and GoogleOAuth.

* Gofmt'ed the test cases.
2023-06-15 10:18:03 +02:00
futuretea
bd58600acf Recognize struct field in G601
Signed-off-by: futuretea <1913508671@qq.com>
2023-06-02 17:17:10 +02:00
Oleksandr Redko
1f689968ec Fix typos in comments, vars and tests 2023-05-30 08:26:41 +02:00
Matthieu MOREL
d6aeaad931
correct gci linter (#946)
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-30 09:31:24 +02:00
Rick Moran
f823a7e92b
Check nil pointer when variable is declared in a different file 2023-03-08 14:42:45 +01:00
Cosmin Cojocar
d5a9c73723
Remove rule G307 which checks when an error is not handled when a file or socket connection is closed (#935)
* Remove read only types from unsafe defer rules

* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed

This doesn't seem to bring much value from security perspective, and it caused a lot of controversy since
is a very common pattern in Go.

* Mentioned in documentation that rule G307 is retired

* Clean up the test for rule G307
2023-02-24 14:04:13 +01:00
bean.zhang
a624254e39
Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917)
* Update hardcoded_credentials.go

adaper equal expr which const value at left.
```
if "Tr0ub4dour_UPL&&LOlo" == pwd
```

* Update hardcoded_credentials.go

check ident not equal nil

* adapter const == key hardcoded, add testcases
2023-01-31 09:52:37 +01:00
Cosmin Cojocar
5874e63c9e
Track back when a file path was sanitized with filepath.Clean (#912)
* Track back when a file path was sanitized with filepath.Clean

* Remove unused argument to fix lint warnings
2023-01-09 16:26:20 +01:00
Cosmin Cojocar
fd280360cd
Fix the TLS config rule when parsing the settings from a variable (#911) 2023-01-09 15:10:44 +01:00
Dmitry Golushko
44f484fdc7
Additional types for bad defer check (#897)
* Additional types for bad defer check

* Ignore new check in tlsconfig.go
2022-11-30 09:38:46 +01:00
Sebastiaan van Stijn
0ae0174c25
Refactor to support duplicate imports with different aliases (#865)
The existing code assumed imports to be either imported, or imported with an
alias. Badly formatted files may have duplicate imports for a package, using
different aliases.

This patch refactors the code, and;

Introduces a new `GetImportedNames` function, which returns all name(s) and
aliase(s) for a package, which effectively combines `GetAliasedName` and
`GetImportedName`, but adding support for duplicate imports.

The old `GetAliasedName` and `GetImportedName` functions have been rewritten to
use the new function and marked deprecated, but could be removed if there are no
external consumers.

With this patch, the linter is able to detect issues in files such as;

    package main

    import (
        crand "crypto/rand"
        "math/big"
        "math/rand"
        rand2 "math/rand"
        rand3 "math/rand"
    )

    func main() {
        _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good

        _ = rand.Intn(2) // bad
        _ = rand2.Intn(2)  // bad
        _ = rand3.Intn(2)  // bad
    }

Before this patch, only a single issue would be detected:

    gosec --quiet .

    [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        13:
      > 14: 	_ = rand.Intn(2) // bad
        15: 	_ = rand2.Intn(2)  // bad

With this patch, all issues are identified:

    gosec --quiet .

    [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        15: 	_ = rand2.Intn(2)  // bad
      > 16: 	_ = rand3.Intn(2)  // bad
        17: }

    [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        14: 	_ = rand.Intn(2) // bad
      > 15: 	_ = rand2.Intn(2)  // bad
        16: 	_ = rand3.Intn(2)  // bad

    [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        13:
      > 14: 	_ = rand.Intn(2) // bad
        15: 	_ = rand2.Intn(2)  // bad

While working on this change, I noticed that ImportTracker.TrackFile() was not able
to find import aliases;  Analyser.Check() called both ImportTracker.TrackFile() and
ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in-
correctly included multiple times (once with the correct alias, once with the default).

I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker,
Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk()
already handles the file, and will find all imports.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 10:59:18 +02:00
Sebastiaan van Stijn
dfde579243 Fix false positives for G404 with aliased packages
It appears that `GetImportedName` returns _both_ aliased and non-aliased imports.
As a result, a file having both crypto/rand and math/rand (but aliased) would
trigger false positives on G404. Given the following file;

```go
package main

import (
	"crypto/rand"
	"math/big"
	rnd "math/rand"
)

func main() {
	_, _ = rand.Int(rand.Reader, big.NewInt(int64(2)))
	_ = rnd.Intn(2)
}
```

And patching for debugging;

```patch
diff --git a/helpers.go b/helpers.go
index 437d032..80f4233 100644
--- a/helpers.go
+++ b/helpers.go
@@ -250,6 +250,8 @@ func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node {
 // GetImportedName returns the name used for the package within the
 // code. It will ignore initialization only imports.
 func GetImportedName(path string, ctx *Context) (string, bool) {
+       fmt.Printf("%+v", ctx.Imports.Imported)
+       os.Exit(1)
        importName, imported := ctx.Imports.Imported[path]
        if !imported {
                return "", false
```

Would show that `math/rand` was included in the list, using it's non-aliased
name (`:rand`).

    gosec -quiet .
    map[crypto/rand:rand math/big:big math/rand:rand]

This patch works around this problem by reversing the order in which imports
are resolved in `MatchCallByPackage()`. Aliased packages are tried first, after
which non-aliased imports are tried.

Given the example application mentioned above:

Before this patch:

```bash
gosec -quiet .
Results:

[/Users/sebastiaan/Projects/test/gosec-issue/main.go:10] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    9: func main() {
  > 10: 	_, _ = rand.Int(rand.Reader, big.NewInt(int64(2)))
    11: 	_ = rnd.Intn(2)
```

With this patch applied:

```bash
    gosec --quiet .
    Results:

    [/Users/sebastiaan/Projects/test/gosec-issue/main.go:11] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        10: 	_, _ = rand.Int(rand.Reader, big.NewInt(int64(2)))
      > 11: 	_ = rnd.Intn(2)
        12: }
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-05 09:49:02 +02:00
Cosmin Cojocar
0ba05e160a chore: fix lint warnings
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-08 10:56:19 +02:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts (#842)
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/

Closes https://github.com/securego/gosec/issues/833
2022-08-02 17:16:44 +02:00
Dmitry Golushko
a5982fb6a6
Fix for G402. Check package path instead of package name (#838) 2022-07-28 08:51:30 +02:00
Ziqi Zhao
ea6d49d1b5
fix G204 bugs (#835)
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>
2022-07-26 11:08:43 +02:00
云微
602ced7e71
Fix wrong location for G109 (#829)
Before this commit, G109 will report on `strconv.Atoi`.
After this, it will report on the convertion like`int32(a)`.
2022-07-06 06:37:11 +02:00
云微
b0f3e78e07
fix ReadTimeout for G112 rule 2022-06-23 14:58:13 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.

It is the CVE-2022-23772.

* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack 2022-04-30 12:38:50 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/") 2022-03-06 10:58:47 +01:00
Cosmin Cojocar
1fbcf10e18 Add a test for tls min version defined in a different file 2022-01-26 19:27:26 +01:00
kaiili
1d909e2687
Add db.Exec and db.Prepare to the sql rule (#763)
* Add db.Exec and db.Prepare to the sql rule

* add test cases for G201,G202
2022-01-17 13:50:37 +01:00
Cosmin Cojocar
7be6d4efb5
Add os.Create to the readfile rule (#761) 2022-01-12 19:33:17 +01:00
kaiili
75cc7dcd51
Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759) 2022-01-12 16:33:39 +01:00
kaiili
9d66b0d346
Fix false negatives for SQL injection in multi-line queries 2022-01-05 12:05:53 +01:00
Ville Skyttä
4c1afaa492
Find G303 with filepath.Join'd temp dirs (#754) 2022-01-04 14:48:02 +01:00
Ville Skyttä
19bda8d15f
Find more tempdirs
* Find G303 in string concatenations, with os.TempDir, and in path.Join args

* Find G303 with /usr/tmp, too

/usr/tmp is commonly found e.g. on Solaris.
2022-01-03 21:58:25 +01:00
Ville Skyttä
d23ab2d997
Remove space between // and #nosec in examples and internal use
Comments intended for machines to read do not have the space by
convention.
2021-12-15 19:31:14 +01:00
Lars
6a41fb9e61
Fix https://github.com/securego/gosec/issues/714 (#733) 2021-11-24 16:34:42 +01:00
Ville Skyttä
40fa36d1de
G303: catch with os.WriteFile, add os.Create test case (#718)
* Add G303 os.Create test case

* Catch G303 with os.WriteFile too
2021-11-09 21:13:45 +01:00
Eng Zer Jun
7fd4aef9dc
feat: add os.ReadFile to G304 (#706)
In Go 1.16 or higher, the `io/ioutil` has been deprecated and the
`ioutil.ReadFile` function now calls `os.ReadFile`.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 09:53:26 +02:00
Matthieu MOREL
bfb0f422fe
chore(lint): enable errorlint and gci (#698) 2021-09-13 09:40:10 +02:00
Cosmin Cojocar
f285d612b5
Fix formatting issues with gofumpt (#685)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-08-18 13:16:21 +02:00