Commit graph

91 commits

Author SHA1 Message Date
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.

It is the CVE-2022-23772.

* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack 2022-04-30 12:38:50 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/") 2022-03-06 10:58:47 +01:00
Cosmin Cojocar
1fbcf10e18 Add a test for tls min version defined in a different file 2022-01-26 19:27:26 +01:00
kaiili
1d909e2687
Add db.Exec and db.Prepare to the sql rule (#763)
* Add db.Exec and db.Prepare to the sql rule

* add test cases for G201,G202
2022-01-17 13:50:37 +01:00
Cosmin Cojocar
7be6d4efb5
Add os.Create to the readfile rule (#761) 2022-01-12 19:33:17 +01:00
kaiili
75cc7dcd51
Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759) 2022-01-12 16:33:39 +01:00
kaiili
9d66b0d346
Fix false negatives for SQL injection in multi-line queries 2022-01-05 12:05:53 +01:00
Ville Skyttä
4c1afaa492
Find G303 with filepath.Join'd temp dirs (#754) 2022-01-04 14:48:02 +01:00
Ville Skyttä
19bda8d15f
Find more tempdirs
* Find G303 in string concatenations, with os.TempDir, and in path.Join args

* Find G303 with /usr/tmp, too

/usr/tmp is commonly found e.g. on Solaris.
2022-01-03 21:58:25 +01:00
Ville Skyttä
d23ab2d997
Remove space between // and #nosec in examples and internal use
Comments intended for machines to read do not have the space by
convention.
2021-12-15 19:31:14 +01:00
Lars
6a41fb9e61
Fix https://github.com/securego/gosec/issues/714 (#733) 2021-11-24 16:34:42 +01:00
Ville Skyttä
40fa36d1de
G303: catch with os.WriteFile, add os.Create test case (#718)
* Add G303 os.Create test case

* Catch G303 with os.WriteFile too
2021-11-09 21:13:45 +01:00
Eng Zer Jun
7fd4aef9dc
feat: add os.ReadFile to G304 (#706)
In Go 1.16 or higher, the `io/ioutil` has been deprecated and the
`ioutil.ReadFile` function now calls `os.ReadFile`.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 09:53:26 +02:00
Matthieu MOREL
bfb0f422fe
chore(lint): enable errorlint and gci (#698) 2021-09-13 09:40:10 +02:00
Nanik
5a131be2ec
fix: add more rules for G204 (#677)
* fix: add more rules for G204

* fix: add extra test and comment
2021-08-16 11:31:51 +02:00
Lars
d4dc2d2df5
Improve the G307 rule
* Add G307 sample code.
The sample should reflect a defered close that leads to data loss.
Due to IDE auto-complete people tend at least log errors, but not
really care about handling.

* Add more G307 sample code. Propose a way to implement

* Remove unused code. Add example that should not return an error but does

* Remove test for synced closed file for now.
Will add this later

Co-authored-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2021-07-31 23:03:09 +02:00
Nanik
9535c9e3e1
fix: add variable assignment checking as part of MinVersion (#669)
* fix: add variable assignment checking as part of MinVersion

* fix: add more code to allow assignment with const

* fix: rework the code and add more test cases for MinVersion

* fix: format linting issue using gofumpt
2021-07-27 22:03:59 +02:00
Nanik
2a4064d45d
feat: adding new keyword for hardcoded credentials (#666) 2021-07-19 11:23:39 +02:00
Josh Kaufman
514f65f3c3
Add G204 rule for sys/execabs (#660)
* Add G204 rule for sys/execabs

* syntax error in testutils/sources.go
2021-07-01 17:43:25 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build 2021-05-31 10:44:12 +02:00
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt 2021-05-07 18:04:01 +02:00
Cosmin Cojocar
897c203e62
Reset the state of TLS rule after each version check (#570)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 10:52:16 +01:00
Cosmin Cojocar
a5911ad7bb Fix compilation errors in the test samples
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-01-04 09:28:00 +01:00
Chris Bandy
23ef7009f9 Fix some typos in rules tests 2021-01-04 09:28:00 +01:00
Cosmin Cojocar
f13b8bc639 Add also filepath.Rel as a sanitization method for input argument in the G304 rule
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
ggkitsas
b60ddc21ba feat: adds support for path.Join and for tar archives in G305 2020-08-03 09:17:45 +02:00
Cosmin Cojocar
110b62b05f Add io.CopyBuffer function to rule G110
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-29 14:25:45 +02:00
evalphobia
03f12f3f5d Change naming rule from blacklist to blocklist 2020-06-29 13:45:44 +02:00
Cosmin Cojocar
55d368f2e5 Improve the TLS version checking
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 09:21:14 +02:00
Cosmin Cojocar
1d2c951f2c Extend the rule G304 with os.OpenFile and add a test to cover it
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-17 13:14:08 +02:00
Cosmin Cojocar
0c1a71b8a1 Add more tests samples to increase coverage
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
fe07fcf276 Fix unit test when checking a mix of good and bad random functions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
30e93bf865 Improve the SQL strings concat rules to handle multiple string concatenation
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
68bce94323 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
In addition makes pattern matching used by the rules cases insensitive.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Grant Murphy
8630c43b66 Add null pointer check in G601
fixes: #475
2020-05-21 05:51:45 +02:00
Caccavale
ee3146e637 Rule which detects aliasing of values in RangeStmt 2020-04-24 07:46:25 -07:00
Cosmin Cojocar
fb44007c6e Enhance the hardcoded credentials rule to check the equality and non-equality of strings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
Cosmin Cojocar
c6e10af40f Handle properly the gosec module version v2
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
Cosmin Cojocar
7da9f46445 Fix the call list info to handle selector expressions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-16 09:44:57 +01:00
Cosmin Cojocar
cf2590442c Fix the subproc rule to handle correctly the CommandContext check
In this case, we need to skip the first argument because it is the context.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Cosmin Cojocar
f97f86103c Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls
Also add the corresponding tests for this.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Sam Caccavale
7525fe4bb7
Rule for defering methods which return errors (#441) 2020-03-01 21:45:37 +01:00
Sam Caccavale
a305f10eb9
Fileperms (#442) 2020-02-28 12:48:18 +01:00
Cosmin Cojocar
3e069e7756 Fix the errors rule whitelist to work on types methods
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-29 09:41:46 +01:00
Hiroki Suezawa
459e2d3e91 Modify rule for integer overflow to have more acurate results (#434)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-21 10:13:11 +01:00
Hiroki Suezawa
a4d7b3628b Add G110(Potential DoS vulnerability via decompression bomb)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-20 10:37:56 +01:00
Cosmin Cojocar
3d5c97b418 Add a test sample for Cgo files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:06:23 +01:00
Hiroki Suezawa
9cb83e10af Add a rule which detects when there is potential integer overflow (#422)
* Add G109(Potential Integer OverFlow Detection)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* add CWE to G109(Potential Integer Overflow)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* Modify G109 to use gosec.Context

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00