Commit graph

227 commits

Author SHA1 Message Date
Cosmin Cojocar
ed3f51e663 Add more types to templates rule
Add additional types such as CSS, JSStr and Srcset to the template rule.
These types are marked as a security risk in the godoc
https://pkg.go.dev/html/template.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-28 10:39:33 +02:00
Cosmin Cojocar
4bf5667f66 Add a new rule to detect integer overflow on integer types conversion
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 13:03:01 +02:00
Cosmin Cojocar
6fbd381238 Catch os.ModePerm permissions in os.WriteFile
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-14 15:33:23 +02:00
Cosmin Cojocar
417a44c73b Add filepath.EvalSymlinks to clean functions in rule G304
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-13 17:19:29 +02:00
Hiroki Yorimitsu
be378e682f Add support for math/rand/v2 added in Go 1.22 2024-03-07 16:33:18 +01:00
Cosmin Cojocar
36878a9423 Skip the G601 tests for Go version 1.22
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2024-03-07 12:23:46 +01:00
Janusz Marcinkiewicz
f25ccd9fb5 Ignore 'implicit memory aliasing' rule for Go 1.22+
Signed-off-by: Janusz Marcinkiewicz <januszm@nvidia.com>
2024-03-04 10:24:32 +01:00
Quentin Laplanche
c824a5d308 fix(hardcoded): remove duplicated Stripe API Key 2024-02-13 10:02:03 +01:00
Cosmin Cojocar
616520f44f
Update the list of unsafe functions detected by the unsafe rule (#1033)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-10 09:47:36 +02:00
Cosmin Cojocar
4def3a4eb0 Fix lint warning
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-25 13:24:34 +02:00
Cosmin Cojocar
0d332a1027 Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666
It seems that the os.Create will create by default a file with 0666 permissions.

This should be detected when the configured permissions are less than 0666. By default will not detect this case
unless the more restrictive mode is configured.

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-25 13:24:34 +02:00
Cosmin Cojocar
e02e2f6d5b Redesign and reimplement the slice out of bounds check using SSA code representation
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-20 10:19:51 +02:00
Cosmin Cojocar
6c93653a29
Fix hardcoded_credentials rule to only match on more specific patterns (#1009)
* Fix hardcoded_credentials rule to only match on more specific patterns

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

* Fix lint warnings

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

* Fix double escape in regexps

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

---------

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-05 18:00:02 +02:00
Cosmin Cojocar
beef1250a4
Exclude maps from slince bounce check rule (#1006)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-08-23 17:17:14 +02:00
Alexander Yastrebov
21d13c9a9b
Ignore struct pointers in G601 (#1003)
Updates https://github.com/securego/gosec/issues/966

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
2023-08-18 17:05:17 +02:00
Audun
bf7feda2b9
fix: correctly identify infixed concats as potential SQL injections (#987) 2023-07-25 17:13:07 +02:00
Cosmin Cojocar
36f69332a4
Switch to a maintained fork of zxcvbn module (#984)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-07-17 12:47:26 +02:00
Morgen Malinoski
a018cf0fbb
Feature: G602 Slice Bound Checking (#973)
* Added slice bounds testing for slice expressions.

* Added checking slice index.

* Added test for reassigning slice.

* Store capacities on reslicing.

* Scope change clears map. Func name used to track slices.

* Map CallExpr to check bounds when passing to functions.

* Fixed linter errors.

* Updated rulelist with CWE mapping.

* Added comment for NewSliceBoundCheck.

* Addressed nil cap runtime error.

* Replaced usage of nil in call arg map with dummy callexprs.

* Updated comments, wrapped error return, addressed other review concerns.
2023-06-21 09:56:36 +02:00
Morgen Malinoski
abeab1092d
Feature: G101 match variable values and names (#971)
* G101 now checks LHS of ValueAssignments for patternValue.

* Added matching string literals in equality check.

* Added patternValue matching for ValueSpec.

* Ran gci to fix linter error.

* Added tests and updated regex to be more inclusive.

* Addressed short-circuit eval for isHighEntropy and non-standard ok variable.

* Resolved unhandled error and added more tests.

* Flattened code to make it more readable.

* Added better comments.

* Added new regex for Google API Key, GitHub PAT, and GoogleOAuth.

* Gofmt'ed the test cases.
2023-06-15 10:18:03 +02:00
futuretea
bd58600acf Recognize struct field in G601
Signed-off-by: futuretea <1913508671@qq.com>
2023-06-02 17:17:10 +02:00
Oleksandr Redko
1f689968ec Fix typos in comments, vars and tests 2023-05-30 08:26:41 +02:00
Matthieu MOREL
d6aeaad931
correct gci linter (#946)
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-30 09:31:24 +02:00
Cosmin Cojocar
6a73248135 Fix some linting warnings 2023-03-20 10:25:45 +01:00
Rick Moran
f823a7e92b
Check nil pointer when variable is declared in a different file 2023-03-08 14:42:45 +01:00
Cosmin Cojocar
d5a9c73723
Remove rule G307 which checks when an error is not handled when a file or socket connection is closed (#935)
* Remove read only types from unsafe defer rules

* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed

This doesn't seem to bring much value from security perspective, and it caused a lot of controversy since
is a very common pattern in Go.

* Mentioned in documentation that rule G307 is retired

* Clean up the test for rule G307
2023-02-24 14:04:13 +01:00
Cosmin Cojocar
de2c6a36fa Extract the issue in its own package 2023-02-16 09:45:28 +01:00
bean.zhang
a624254e39
Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917)
* Update hardcoded_credentials.go

adaper equal expr which const value at left.
```
if "Tr0ub4dour_UPL&&LOlo" == pwd
```

* Update hardcoded_credentials.go

check ident not equal nil

* adapter const == key hardcoded, add testcases
2023-01-31 09:52:37 +01:00
Cosmin Cojocar
c5d217da7a
Update Go version in CI script (#913)
* Update Go version in CI script

* Introduce back an additional check for filepath clean to fix the unit tests
2023-01-09 16:49:02 +01:00
Cosmin Cojocar
5874e63c9e
Track back when a file path was sanitized with filepath.Clean (#912)
* Track back when a file path was sanitized with filepath.Clean

* Remove unused argument to fix lint warnings
2023-01-09 16:26:20 +01:00
Cosmin Cojocar
fd280360cd
Fix the TLS config rule when parsing the settings from a variable (#911) 2023-01-09 15:10:44 +01:00
Alexey Ivanov
dabc7dc27e
Auto-detect TLS MinVersion integer base (#903) 2022-12-12 09:30:06 +01:00
Dmitry Golushko
44f484fdc7
Additional types for bad defer check (#897)
* Additional types for bad defer check

* Ignore new check in tlsconfig.go
2022-11-30 09:38:46 +01:00
pro-wh
cf63541008
fileperms: bitwise permission comparison (#883)
* fileperms: extract existing mode comparison logic

* fileperms: add failing test

* fileperms: bitwise permission comparison
2022-10-20 08:48:40 +02:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts (#842)
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/

Closes https://github.com/securego/gosec/issues/833
2022-08-02 17:16:44 +02:00
Ville Skyttä
6a26c231fc
Refactor SQL rules for better extensibility (#841)
Remove hardwired assumption and heuristics on index of arg taking a SQL
string, be explicit about it instead.
2022-08-02 15:25:30 +02:00
Dmitry Golushko
a5982fb6a6
Fix for G402. Check package path instead of package name (#838) 2022-07-28 08:51:30 +02:00
Ziqi Zhao
ea6d49d1b5
fix G204 bugs (#835)
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>
2022-07-26 11:08:43 +02:00
云微
602ced7e71
Fix wrong location for G109 (#829)
Before this commit, G109 will report on `strconv.Atoi`.
After this, it will report on the convertion like`int32(a)`.
2022-07-06 06:37:11 +02:00
云微
b0f3e78e07
fix ReadTimeout for G112 rule 2022-06-23 14:58:13 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.

It is the CVE-2022-23772.

* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack 2022-04-30 12:38:50 +02:00
Cosmin Cojocar
89dfdc0c97
Update the description message of template rule (#803) 2022-04-05 07:41:36 +02:00
robot-5
afc9903ba9
Fix use rule IDs to retrieve the rule config 2022-03-28 20:28:02 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/") 2022-03-06 10:58:47 +01:00
kruskal
7d539ed494
feat: add concurrency option to parallelize package loading (#778)
* feat: add concurrency option to parallelize package loading

* refactor: move wg.add inside the for loop

* fix: gracefully stop the workers on error

* test: add test for concurrent scan
2022-02-16 18:23:37 +01:00
Cosmin Cojocar
2fad8a4193 Resolve the TLS min version when is declarted in the same package but in a different file 2022-01-26 19:27:26 +01:00
Cosmin Cojocar
1fbcf10e18 Add a test for tls min version defined in a different file 2022-01-26 19:27:26 +01:00
kaiili
1d909e2687
Add db.Exec and db.Prepare to the sql rule (#763)
* Add db.Exec and db.Prepare to the sql rule

* add test cases for G201,G202
2022-01-17 13:50:37 +01:00
Cosmin Cojocar
7be6d4efb5
Add os.Create to the readfile rule (#761) 2022-01-12 19:33:17 +01:00
kaiili
75cc7dcd51
Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759) 2022-01-12 16:33:39 +01:00