Cosmin Cojocar
e02e2f6d5b
Redesign and reimplement the slice out of bounds check using SSA code representation
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-20 10:19:51 +02:00
Cosmin Cojocar
6c93653a29
Fix hardcoded_credentials rule to only match on more specific patterns (#1009)
* Fix hardcoded_credentials rule to only match on more specific patterns
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
* Fix lint warnings
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
* Fix double escape in regexps
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
---------
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-05 18:00:02 +02:00
Cosmin Cojocar
beef1250a4
Exclude maps from slice bounds check rule (#1006)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-08-23 17:17:14 +02:00
Alexander Yastrebov
21d13c9a9b
Ignore struct pointers in G601 (#1003)
Updates https://github.com/securego/gosec/issues/966
Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
2023-08-18 17:05:17 +02:00
Audun
bf7feda2b9
fix: correctly identify infixed concats as potential SQL injections (#987)
2023-07-25 17:13:07 +02:00
Cosmin Cojocar
36f69332a4
Switch to a maintained fork of zxcvbn module (#984)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-07-17 12:47:26 +02:00
Morgen Malinoski
a018cf0fbb
Feature: G602 Slice Bound Checking (#973)
* Added slice bounds testing for slice expressions.
* Added checking slice index.
* Added test for reassigning slice.
* Store capacities on reslicing.
* Scope change clears map. Func name used to track slices.
* Map CallExpr to check bounds when passing to functions.
* Fixed linter errors.
* Updated rulelist with CWE mapping.
* Added comment for NewSliceBoundCheck.
* Addressed nil cap runtime error.
* Replaced usage of nil in call arg map with dummy callexprs.
* Updated comments, wrapped error return, addressed other review concerns.
2023-06-21 09:56:36 +02:00
Morgen Malinoski
abeab1092d
Feature: G101 match variable values and names (#971)
* G101 now checks LHS of ValueAssignments for patternValue.
* Added matching string literals in equality check.
* Added patternValue matching for ValueSpec.
* Ran gci to fix linter error.
* Added tests and updated regex to be more inclusive.
* Addressed short-circuit eval for isHighEntropy and non-standard ok variable.
* Resolved unhandled error and added more tests.
* Flattened code to make it more readable.
* Added better comments.
* Added new regex for Google API Key, GitHub PAT, and GoogleOAuth.
* Gofmt'ed the test cases.
2023-06-15 10:18:03 +02:00
futuretea
bd58600acf
Recognize struct field in G601
Signed-off-by: futuretea <1913508671@qq.com>
2023-06-02 17:17:10 +02:00
Oleksandr Redko
1f689968ec
Fix typos in comments, vars and tests
2023-05-30 08:26:41 +02:00
Matthieu MOREL
d6aeaad931
correct gci linter (#946)
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-30 09:31:24 +02:00
Cosmin Cojocar
6a73248135
Fix some linting warnings
2023-03-20 10:25:45 +01:00
Rick Moran
f823a7e92b
Check nil pointer when variable is declared in a different file
2023-03-08 14:42:45 +01:00
Cosmin Cojocar
d5a9c73723
Remove rule G307 which checks when an error is not handled when a file or socket connection is closed (#935)
* Remove read only types from unsafe defer rules
* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed
This doesn't seem to bring much value from a security perspective, and it caused a lot of controversy since
it is a very common pattern in Go.
* Mentioned in documentation that rule G307 is retired
* Clean up the test for rule G307
2023-02-24 14:04:13 +01:00
Cosmin Cojocar
de2c6a36fa
Extract the issue in its own package
2023-02-16 09:45:28 +01:00
bean.zhang
a624254e39
Update hardcoded_credentials.go fix: adapt equal expr with const value at left (#917)
* Update hardcoded_credentials.go
adapt equal expr with const value at left.
```go
if "Tr0ub4dour_UPL&&LOlo" == pwd
```
* Update hardcoded_credentials.go
check ident not equal to nil
* adapt const == key hardcoded, add test cases
2023-01-31 09:52:37 +01:00
Cosmin Cojocar
c5d217da7a
Update Go version in CI script (#913)
* Update Go version in CI script
* Introduce back an additional check for filepath clean to fix the unit tests
2023-01-09 16:49:02 +01:00
Cosmin Cojocar
5874e63c9e
Track back when a file path was sanitized with filepath.Clean (#912)
* Track back when a file path was sanitized with filepath.Clean
* Remove unused argument to fix lint warnings
2023-01-09 16:26:20 +01:00
Cosmin Cojocar
fd280360cd
Fix the TLS config rule when parsing the settings from a variable (#911)
2023-01-09 15:10:44 +01:00
Alexey Ivanov
dabc7dc27e
Auto-detect TLS MinVersion integer base (#903)
2022-12-12 09:30:06 +01:00
Dmitry Golushko
44f484fdc7
Additional types for bad defer check (#897)
* Additional types for bad defer check
* Ignore new check in tlsconfig.go
2022-11-30 09:38:46 +01:00
pro-wh
cf63541008
fileperms: bitwise permission comparison (#883)
* fileperms: extract existing mode comparison logic
* fileperms: add failing test
* fileperms: bitwise permission comparison
2022-10-20 08:48:40 +02:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts (#842)
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/
Closes https://github.com/securego/gosec/issues/833
2022-08-02 17:16:44 +02:00
Ville Skyttä
6a26c231fc
Refactor SQL rules for better extensibility (#841)
Remove hardwired assumption and heuristics on index of arg taking a SQL
string, be explicit about it instead.
2022-08-02 15:25:30 +02:00
Dmitry Golushko
a5982fb6a6
Fix for G402. Check package path instead of package name (#838)
2022-07-28 08:51:30 +02:00
Ziqi Zhao
ea6d49d1b5
fix G204 bugs (#835)
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>
2022-07-26 11:08:43 +02:00
云微
602ced7e71
Fix wrong location for G109 (#829)
Before this commit, G109 will report on `strconv.Atoi`.
After this, it will report on the conversion like `int32(a)`.
2022-07-06 06:37:11 +02:00
云微
b0f3e78e07
fix ReadTimeout for G112 rule
2022-06-23 14:58:13 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.
It is CVE-2022-23772.
* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack
2022-04-30 12:38:50 +02:00
Cosmin Cojocar
89dfdc0c97
Update the description message of template rule (#803)
2022-04-05 07:41:36 +02:00
robot-5
afc9903ba9
Fix: use rule IDs to retrieve the rule config
2022-03-28 20:28:02 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/")
2022-03-06 10:58:47 +01:00
kruskal
7d539ed494
feat: add concurrency option to parallelize package loading (#778)
* feat: add concurrency option to parallelize package loading
* refactor: move wg.add inside the for loop
* fix: gracefully stop the workers on error
* test: add test for concurrent scan
2022-02-16 18:23:37 +01:00
Cosmin Cojocar
2fad8a4193
Resolve the TLS min version when it is declared in the same package but in a different file
2022-01-26 19:27:26 +01:00
Cosmin Cojocar
1fbcf10e18
Add a test for tls min version defined in a different file
2022-01-26 19:27:26 +01:00
kaiili
1d909e2687
Add db.Exec and db.Prepare to the sql rule (#763)
* Add db.Exec and db.Prepare to the sql rule
* add test cases for G201,G202
2022-01-17 13:50:37 +01:00
Cosmin Cojocar
7be6d4efb5
Add os.Create to the readfile rule (#761)
2022-01-12 19:33:17 +01:00
kaiili
75cc7dcd51
Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759)
2022-01-12 16:33:39 +01:00
kaiili
9d66b0d346
Fix false negatives for SQL injection in multi-line queries
2022-01-05 12:05:53 +01:00
Ville Skyttä
4c1afaa492
Find G303 with filepath.Join'd temp dirs (#754)
2022-01-04 14:48:02 +01:00
Ville Skyttä
19bda8d15f
Find more tempdirs
* Find G303 in string concatenations, with os.TempDir, and in path.Join args
* Find G303 with /usr/tmp, too
/usr/tmp is commonly found e.g. on Solaris.
2022-01-03 21:58:25 +01:00
Cosmin Cojocar
ad5d74d5a1
Update to ginkgo v2 (#753)
2022-01-03 18:11:35 +01:00
Yiwei Ding
b45f95f6ad
Add support for suppressing the findings
2021-12-09 11:53:36 +01:00
Lars
6a41fb9e61
Fix https://github.com/securego/gosec/issues/714 (#733)
2021-11-24 16:34:42 +01:00
Cosmin Cojocar
e57efa8482
Fix a panic in subproc rule when the declaration of the variable is not available in the AST (#728)
2021-11-16 21:41:26 +01:00
Cosmin Cojocar
55c6ceaaa6
Fix crash when parsing the TLS min version value (#724)
2021-11-09 21:59:53 +01:00
Ville Skyttä
40fa36d1de
G303: catch with os.WriteFile, add os.Create test case (#718)
* Add G303 os.Create test case
* Catch G303 with os.WriteFile too
2021-11-09 21:13:45 +01:00
Eng Zer Jun
7fd4aef9dc
feat: add os.ReadFile to G304 (#706)
In Go 1.16 or higher, the `io/ioutil` package has been deprecated and the
`ioutil.ReadFile` function now calls `os.ReadFile`.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 09:53:26 +02:00
Yuval Kashtan
1933cba5b5
Add os.Unsetenv to NoErrorCheck whitelist (#702)
it always returns a nil err
2021-10-05 19:30:34 +02:00