Ziqi Zhao
ea6d49d1b5
fix G204 bugs ( #835 )
...
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>
2022-07-26 11:08:43 +02:00
云微
602ced7e71
Fix wrong location for G109 ( #829 )
...
Before this commit, G109 will report on `strconv.Atoi`.
After this, it will report on the convertion like`int32(a)`.
2022-07-06 06:37:11 +02:00
云微
b0f3e78e07
fix ReadTimeout for G112 rule
2022-06-23 14:58:13 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error ( #819 )
...
* Add check for usage of Rat.SetString in math/big with an overflow error
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.
It is the CVE-2022-23772.
* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack
2022-04-30 12:38:50 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/")
2022-03-06 10:58:47 +01:00
Cosmin Cojocar
1fbcf10e18
Add a test for tls min version defined in a different file
2022-01-26 19:27:26 +01:00
kaiili
1d909e2687
Add db.Exec and db.Prepare to the sql rule ( #763 )
...
* Add db.Exec and db.Prepare to the sql rule
* add test cases for G201,G202
2022-01-17 13:50:37 +01:00
Cosmin Cojocar
7be6d4efb5
Add os.Create to the readfile rule ( #761 )
2022-01-12 19:33:17 +01:00
kaiili
75cc7dcd51
Fix false negative for SQL injection when using DB.QueryRow.Scan() ( #759 )
2022-01-12 16:33:39 +01:00
kaiili
9d66b0d346
Fix false negatives for SQL injection in multi-line queries
2022-01-05 12:05:53 +01:00
Ville Skyttä
4c1afaa492
Find G303 with filepath.Join'd temp dirs ( #754 )
2022-01-04 14:48:02 +01:00
Ville Skyttä
19bda8d15f
Find more tempdirs
...
* Find G303 in string concatenations, with os.TempDir, and in path.Join args
* Find G303 with /usr/tmp, too
/usr/tmp is commonly found e.g. on Solaris.
2022-01-03 21:58:25 +01:00
Ville Skyttä
d23ab2d997
Remove space between //
and #nosec
in examples and internal use
...
Comments intended for machines to read do not have the space by
convention.
2021-12-15 19:31:14 +01:00
Lars
6a41fb9e61
Fix https://github.com/securego/gosec/issues/714 ( #733 )
2021-11-24 16:34:42 +01:00
Ville Skyttä
40fa36d1de
G303: catch with os.WriteFile, add os.Create test case ( #718 )
...
* Add G303 os.Create test case
* Catch G303 with os.WriteFile too
2021-11-09 21:13:45 +01:00
Eng Zer Jun
7fd4aef9dc
feat: add os.ReadFile to G304 ( #706 )
...
In Go 1.16 or higher, the `io/ioutil` has been deprecated and the
`ioutil.ReadFile` function now calls `os.ReadFile`.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 09:53:26 +02:00
Matthieu MOREL
bfb0f422fe
chore(lint): enable errorlint and gci ( #698 )
2021-09-13 09:40:10 +02:00
Cosmin Cojocar
f285d612b5
Fix formatting issues with gofumpt ( #685 )
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-08-18 13:16:21 +02:00
Nanik
5a131be2ec
fix: add more rules for G204 ( #677 )
...
* fix: add more rules for G204
* fix: add extra test and comment
2021-08-16 11:31:51 +02:00
Lars
d4dc2d2df5
Improve the G307 rule
...
* Add G307 sample code.
The sample should reflect a defered close that leads to data loss.
Due to IDE auto-complete people tend at least log errors, but not
really care about handling.
* Add more G307 sample code. Propose a way to implement
* Remove unused code. Add example that should not return an error but does
* Remove test for synced closed file for now.
Will add this later
Co-authored-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2021-07-31 23:03:09 +02:00
Nanik
9535c9e3e1
fix: add variable assignment checking as part of MinVersion ( #669 )
...
* fix: add variable assignment checking as part of MinVersion
* fix: add more code to allow assignment with const
* fix: rework the code and add more test cases for MinVersion
* fix: format linting issue using gofumpt
2021-07-27 22:03:59 +02:00
Nanik
2a4064d45d
feat: adding new keyword for hardcoded credentials ( #666 )
2021-07-19 11:23:39 +02:00
Josh Kaufman
514f65f3c3
Add G204 rule for sys/execabs ( #660 )
...
* Add G204 rule for sys/execabs
* syntax error in testutils/sources.go
2021-07-01 17:43:25 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build
2021-05-31 10:44:12 +02:00
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt
2021-05-07 18:04:01 +02:00
Cosmin Cojocar
897c203e62
Reset the state of TLS rule after each version check ( #570 )
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 10:52:16 +01:00
Cosmin Cojocar
a5911ad7bb
Fix compilation errors in the test samples
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-01-04 09:28:00 +01:00
Chris Bandy
23ef7009f9
Fix some typos in rules tests
2021-01-04 09:28:00 +01:00
Chris Bandy
e100f6b862
Assert that sample code compiles
2021-01-04 09:28:00 +01:00
Cosmin Cojocar
f13b8bc639
Add also filepath.Rel as a sanitization method for input argument in the G304 rule
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
ggkitsas
b60ddc21ba
feat: adds support for path.Join and for tar archives in G305
2020-08-03 09:17:45 +02:00
Cosmin Cojocar
110b62b05f
Add io.CopyBuffer function to rule G110
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-29 14:25:45 +02:00
evalphobia
03f12f3f5d
Change naming rule from blacklist to blocklist
2020-06-29 13:45:44 +02:00
Cosmin Cojocar
55d368f2e5
Improve the TLS version checking
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 09:21:14 +02:00
Cosmin Cojocar
1d2c951f2c
Extend the rule G304 with os.OpenFile and add a test to cover it
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-17 13:14:08 +02:00
Cosmin Cojocar
0c1a71b8a1
Add more tests samples to increase coverage
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
fe07fcf276
Fix unit test when checking a mix of good and bad random functions
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
30e93bf865
Improve the SQL strings concat rules to handle multiple string concatenation
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
68bce94323
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
...
In addition makes pattern matching used by the rules cases insensitive.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Grant Murphy
8630c43b66
Add null pointer check in G601
...
fixes : #475
2020-05-21 05:51:45 +02:00
Lukas Aron
1418b856ea
ondisk -> onDisk
2020-05-19 11:34:34 +02:00
Caccavale
ee3146e637
Rule which detects aliasing of values in RangeStmt
2020-04-24 07:46:25 -07:00
Cosmin Cojocar
fb44007c6e
Enhance the hardcoded credentials rule to check the equality and non-equality of strings
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
Cosmin Cojocar
c6e10af40f
Handle properly the gosec module version v2
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
Cosmin Cojocar
7da9f46445
Fix the call list info to handle selector expressions
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-16 09:44:57 +01:00
Cosmin Cojocar
cf2590442c
Fix the subproc rule to handle correctly the CommandContext check
...
In this case, we need to skip the first argument because it is the context.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Cosmin Cojocar
f97f86103c
Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls
...
Also add the corresponding tests for this.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Sam Caccavale
7525fe4bb7
Rule for defering methods which return errors ( #441 )
2020-03-01 21:45:37 +01:00