From 2817adf09c1be9c7ebf4755d267d28904e68b1ac Mon Sep 17 00:00:00 2001 From: gotbadger Date: Thu, 22 Feb 2024 15:47:31 +0000 Subject: [PATCH] ci(go): snapshots to annotations for gosec --- .../blocklist/cgi/__snapshots__/test.js.snap | 83 ---- tests/go/gosec/blocklist/cgi/test.js | 40 +- tests/go/gosec/blocklist/cgi/testdata/main.go | 1 + .../go/gosec/blocklist/cgi/testdata/main2.go | 1 + .../blocklist/des/__snapshots__/test.js.snap | 42 -- tests/go/gosec/blocklist/des/test.js | 23 +- tests/go/gosec/blocklist/des/testdata/main.go | 1 + .../blocklist/md5/__snapshots__/test.js.snap | 42 -- tests/go/gosec/blocklist/md5/test.js | 23 +- tests/go/gosec/blocklist/md5/testdata/main.go | 1 + .../blocklist/rc4/__snapshots__/test.js.snap | 42 -- tests/go/gosec/blocklist/rc4/test.js | 23 +- tests/go/gosec/blocklist/rc4/testdata/main.go | 1 + .../blocklist/sha1/__snapshots__/test.js.snap | 42 -- tests/go/gosec/blocklist/sha1/test.js | 23 +- .../go/gosec/blocklist/sha1/testdata/main.go | 1 + .../__snapshots__/test.js.snap | 76 ---- .../go/gosec/crypto/bad_tls_settings/test.js | 23 +- .../crypto/bad_tls_settings/testdata/main.go | 2 + .../__snapshots__/test.js.snap | 42 -- .../crypto/insecure_ignore_host_key/test.js | 23 +- .../insecure_ignore_host_key/testdata/main.go | 1 + .../weak_crypto/__snapshots__/test.js.snap | 246 ---------- tests/go/gosec/crypto/weak_crypto/test.js | 23 +- .../gosec/crypto/weak_crypto/testdata/main.go | 7 + .../__snapshots__/test.js.snap | 42 -- .../go/gosec/crypto/weak_key_strength/test.js | 23 +- .../crypto/weak_key_strength/testdata/main.go | 1 + .../weak_random/__snapshots__/test.js.snap | 144 ------ tests/go/gosec/crypto/weak_random/test.js | 23 +- .../gosec/crypto/weak_random/testdata/main.go | 4 + .../__snapshots__/test.js.snap | 76 ---- .../go/gosec/crypto/weak_tls_version/test.js | 23 +- .../crypto/weak_tls_version/testdata/main.go | 2 + .../file_perm/__snapshots__/test.js.snap | 144 ------ .../gosec/file_permissions/file_perm/test.js | 23 +- .../file_perm/testdata/main.go | 4 + .../mkdir/__snapshots__/test.js.snap | 76 ---- tests/go/gosec/file_permissions/mkdir/test.js | 23 +- .../file_permissions/mkdir/testdata/main.go | 2 + .../__snapshots__/test.js.snap | 110 ----- .../filesystem/decompression_bomb/test.js | 23 +- .../decompression_bomb/testdata/main.go | 3 + .../dirtraversal/__snapshots__/test.js.snap | 42 -- .../go/gosec/filesystem/dirtraversal/test.js | 23 +- .../filesystem/dirtraversal/testdata/main.go | 1 + .../filereadtaint/__snapshots__/test.js.snap | 212 --------- .../go/gosec/filesystem/filereadtaint/test.js | 23 +- .../filesystem/filereadtaint/testdata/main.go | 6 + .../__snapshots__/test.js.snap | 42 -- .../filesystem/poor_write_permissions/test.js | 23 +- .../poor_write_permissions/testdata/main.go | 1 + .../tempfile/__snapshots__/test.js.snap | 110 ----- tests/go/gosec/filesystem/tempfile/test.js | 23 +- .../filesystem/tempfile/testdata/main.go | 3 + .../ziparchive/__snapshots__/test.js.snap | 110 ----- tests/go/gosec/filesystem/ziparchive/test.js | 23 +- .../filesystem/ziparchive/testdata/main.go | 3 + .../http_serve/__snapshots__/test.js.snap | 144 ------ tests/go/gosec/http/http_serve/test.js | 23 +- .../go/gosec/http/http_serve/testdata/main.go | 4 + .../http_slowloris/__snapshots__/test.js.snap | 144 ------ tests/go/gosec/http/http_slowloris/test.js | 23 +- .../http/http_slowloris/testdata/main.go | 4 + .../ssrf_injection/__snapshots__/test.js.snap | 144 ------ .../go/gosec/injection/ssrf_injection/test.js | 23 +- .../injection/ssrf_injection/testdata/main.go | 4 + .../__snapshots__/test.js.snap | 280 ------------ .../gosec/injection/subproc_injection/test.js | 23 +- .../subproc_injection/testdata/main.go | 8 + .../__snapshots__/test.js.snap | 110 ----- .../injection/template_injection/test.js | 23 +- .../template_injection/testdata/main.go | 3 + .../pprof_endpoint/__snapshots__/test.js.snap | 42 -- tests/go/gosec/leak/pprof_endpoint/test.js | 23 +- .../leak/pprof_endpoint/testdata/main.go | 1 + .../__snapshots__/test.js.snap | 76 ---- .../go/gosec/memory/integer_overflow/test.js | 23 +- .../memory/integer_overflow/testdata/main.go | 2 + .../math_big_rat/__snapshots__/test.js.snap | 76 ---- tests/go/gosec/memory/math_big_rat/test.js | 23 +- .../memory/math_big_rat/testdata/main.go | 2 + .../__snapshots__/test.js.snap | 76 ---- tests/go/gosec/memory/memory_aliasing/test.js | 23 +- .../memory/memory_aliasing/testdata/main.go | 2 + .../__snapshots__/test.js.snap | 42 -- .../network/bind_to_all_interfaces/test.js | 23 +- .../bind_to_all_interfaces/testdata/main.go | 1 + .../secrets/__snapshots__/test.js.snap | 110 ----- tests/go/gosec/secrets/secrets/test.js | 23 +- .../go/gosec/secrets/secrets/testdata/main.go | 3 + .../concat_sqli/__snapshots__/test.js.snap | 355 --------------- tests/go/gosec/sql/concat_sqli/test.js | 429 ++++++++++-------- .../go/gosec/sql/concat_sqli/testdata/main.go | 6 + .../gosec/sql/concat_sqli/testdata/main2.go | 4 + tests/go/gosec/subproc/subproc/test.js | 2 +- .../unsafe/unsafe/__snapshots__/test.js.snap | 76 ---- tests/go/gosec/unsafe/unsafe/test.js | 23 +- tests/go/gosec/unsafe/unsafe/testdata/main.go | 2 + 99 files changed, 843 insertions(+), 3808 deletions(-) delete mode 100644 tests/go/gosec/blocklist/cgi/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/blocklist/des/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/blocklist/md5/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/blocklist/rc4/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/blocklist/sha1/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/crypto/bad_tls_settings/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/crypto/insecure_ignore_host_key/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/crypto/weak_crypto/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/crypto/weak_key_strength/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/crypto/weak_random/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/crypto/weak_tls_version/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/file_permissions/file_perm/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/file_permissions/mkdir/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/filesystem/decompression_bomb/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/filesystem/dirtraversal/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/filesystem/filereadtaint/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/filesystem/poor_write_permissions/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/filesystem/tempfile/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/filesystem/ziparchive/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/http/http_serve/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/http/http_slowloris/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/injection/ssrf_injection/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/injection/subproc_injection/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/injection/template_injection/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/leak/pprof_endpoint/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/memory/integer_overflow/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/memory/math_big_rat/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/memory/memory_aliasing/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/network/bind_to_all_interfaces/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/secrets/secrets/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/sql/concat_sqli/__snapshots__/test.js.snap delete mode 100644 tests/go/gosec/unsafe/unsafe/__snapshots__/test.js.snap diff --git a/tests/go/gosec/blocklist/cgi/__snapshots__/test.js.snap b/tests/go/gosec/blocklist/cgi/__snapshots__/test.js.snap deleted file mode 100644 index 98e9648a8..000000000 --- a/tests/go/gosec/blocklist/cgi/__snapshots__/test.js.snap +++ /dev/null @@ -1,83 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_blocklist_cgi test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "1395" - ], - "id": "go_gosec_blocklist_cgi", - "title": "Usage of vulnerable 'net/http/cgi' package", - "description": "## Description\\n\\nUsing the \`net/http/cgi\` package in Go, especially with versions prior to 1.6.3, exposes the application to the Httpoxy attack, a vulnerability identified as CVE-2016-5386. This vulnerability arises from the way CGI and FastCGI protocols handle certain environment variables, which can be manipulated to intercept and redirect outgoing HTTP requests made by the web application.\\n\\n## Remediations\\n\\n✅ Update Go Version\\n\\nEnsure you are using a version of Go that is 1.6.3 or later, where this vulnerability is patched.\\n\\n\`\`\`sh\\n# Check Go version and update if necessary\\ngo version\\n# Follow Go's update instructions if your version is < 1.6.3\\n\`\`\`\\n\\n✅ Use Alternative Packages\\n\\nRefrain from using CGI where possible. Utilize alternative packages and methods to handle HTTP requests which do not rely on the CGI protocol.\\n\\n\`\`\`go\\n// Use the standard net/http package instead\\nimport \\"net/http\\"\\n\`\`\`\\n\\n❌ Don't Use \`net/http/cgi\` in Older Versions\\n\\nDo not use the \`net/http/cgi\` package if you are operating on Go versions older than 1.6.3 as they are susceptible to the Httpoxy vulnerability.\\n\\n\`\`\`go\\n// This import is vulnerable to Httpoxy in Go < 1.6.3\\nimport \\"net/http/cgi\\"\\n\`\`\`\\n\\n❌ Avoid Exposing Environment Variables\\n\\nEnsure that the environment variables such as \`HTTP_PROXY\` are not being exposed unintentionally, as this can be leveraged for Httpoxy attacks.\\n\\n## Resources\\n\\n- [CVE-2016-5386 Detail](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5386)\\n- [Httpoxy.org](https://httpoxy.org/)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_blocklist_cgi", - "line_number": 3, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 3, - "end": 3, - "column": { - "start": 8, - "end": 22 - } - }, - "sink": { - "start": 3, - "end": 3, - "column": { - "start": 8, - "end": 22 - }, - "content": "\\"net/http/cgi\\"" - }, - "parent_line_number": 3, - "snippet": "\\"net/http/cgi\\"", - "fingerprint": "d44ba4fd1dac6349b308c573d7831ecc_0", - "old_fingerprint": "f4afdcd85f5f01a0d80ee3f3337e2888_0", - "code_extract": "import \\"net/http/cgi\\"" - } - ] -}" -`; - -exports[`go_gosec_blocklist_cgi test 2 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "1395" - ], - "id": "go_gosec_blocklist_cgi", - "title": "Usage of vulnerable 'net/http/cgi' package", - "description": "## Description\\n\\nUsing the \`net/http/cgi\` package in Go, especially with versions prior to 1.6.3, exposes the application to the Httpoxy attack, a vulnerability identified as CVE-2016-5386. This vulnerability arises from the way CGI and FastCGI protocols handle certain environment variables, which can be manipulated to intercept and redirect outgoing HTTP requests made by the web application.\\n\\n## Remediations\\n\\n✅ Update Go Version\\n\\nEnsure you are using a version of Go that is 1.6.3 or later, where this vulnerability is patched.\\n\\n\`\`\`sh\\n# Check Go version and update if necessary\\ngo version\\n# Follow Go's update instructions if your version is < 1.6.3\\n\`\`\`\\n\\n✅ Use Alternative Packages\\n\\nRefrain from using CGI where possible. Utilize alternative packages and methods to handle HTTP requests which do not rely on the CGI protocol.\\n\\n\`\`\`go\\n// Use the standard net/http package instead\\nimport \\"net/http\\"\\n\`\`\`\\n\\n❌ Don't Use \`net/http/cgi\` in Older Versions\\n\\nDo not use the \`net/http/cgi\` package if you are operating on Go versions older than 1.6.3 as they are susceptible to the Httpoxy vulnerability.\\n\\n\`\`\`go\\n// This import is vulnerable to Httpoxy in Go < 1.6.3\\nimport \\"net/http/cgi\\"\\n\`\`\`\\n\\n❌ Avoid Exposing Environment Variables\\n\\nEnsure that the environment variables such as \`HTTP_PROXY\` are not being exposed unintentionally, as this can be leveraged for Httpoxy attacks.\\n\\n## Resources\\n\\n- [CVE-2016-5386 Detail](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5386)\\n- [Httpoxy.org](https://httpoxy.org/)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_blocklist_cgi", - "line_number": 4, - "full_filename": "/tmp/bearer-scan/main2.go", - "filename": ".", - "source": { - "start": 4, - "end": 4, - "column": { - "start": 7, - "end": 21 - } - }, - "sink": { - "start": 4, - "end": 4, - "column": { - "start": 7, - "end": 21 - }, - "content": "\\"net/http/cgi\\"" - }, - "parent_line_number": 4, - "snippet": "\\"net/http/cgi\\"", - "fingerprint": "d44ba4fd1dac6349b308c573d7831ecc_0", - "old_fingerprint": "08ab0d9c254c63555f4b1118aaa6548a_0", - "code_extract": "\\tcgi2 \\"net/http/cgi\\"" - } - ] -}" -`; diff --git a/tests/go/gosec/blocklist/cgi/test.js b/tests/go/gosec/blocklist/cgi/test.js index feb638403..04c2416d4 100644 --- a/tests/go/gosec/blocklist/cgi/test.js +++ b/tests/go/gosec/blocklist/cgi/test.js @@ -1,16 +1,30 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) - - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) - - test("test 2", () => { - const testCase = "main2.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) + + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("main2", () => { + const testCase = "main2.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/blocklist/cgi/testdata/main.go b/tests/go/gosec/blocklist/cgi/testdata/main.go index 81de73fc0..2eb749e77 100644 --- a/tests/go/gosec/blocklist/cgi/testdata/main.go +++ b/tests/go/gosec/blocklist/cgi/testdata/main.go @@ -1,5 +1,6 @@ package main +// bearer:expected go_gosec_blocklist_cgi import "net/http/cgi" func maincgi() { diff --git a/tests/go/gosec/blocklist/cgi/testdata/main2.go b/tests/go/gosec/blocklist/cgi/testdata/main2.go index 22de59e9e..a8342f730 100644 --- a/tests/go/gosec/blocklist/cgi/testdata/main2.go +++ b/tests/go/gosec/blocklist/cgi/testdata/main2.go @@ -1,6 +1,7 @@ package main import ( +// bearer:expected go_gosec_blocklist_cgi cgi2 "net/http/cgi" ) diff --git a/tests/go/gosec/blocklist/des/__snapshots__/test.js.snap b/tests/go/gosec/blocklist/des/__snapshots__/test.js.snap deleted file mode 100644 index 35d4f00b3..000000000 --- a/tests/go/gosec/blocklist/des/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_blocklist_des test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_blocklist_des", - "title": "Import of weak encryption algorithm (DES)", - "description": "## Description\\n\\nThe Data Encryption Standard (DES) is an outdated symmetric-key algorithm for encryption. Officially deemed insecure and no longer recommended for use, DES was withdrawn by the National Institute of Standards and Technology (NIST) as a standard in 2005, primarily because of its 56-bit key size, which is vulnerable to brute-force attacks.\\n\\n## Remediation\\n\\nTo ensure the confidentiality and integrity of sensitive data, it is crucial to utilize a modern and secure encryption algorithm. The use of Advanced Encryption Standard (AES) with a key size of 256 bits (AES-256) is recommended for its strong security properties and widespread acceptance as a replacement for DES.\\n\\n✅ Implement AES-256 for Strong Encryption\\n\\n\`\`\`go\\n// Use AES-256 for secure encryption by initializing a 32-byte key for AES-256\\nkey := make([]byte, 32)\\nif _, err := io.ReadFull(rand.Reader, key); err != nil {\\n log.Fatal(err)\\n}\\n\\n// Create a new cipher block from the key\\nblockCipher, err := aes.NewCipher(key)\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\n// Use Galois/Counter Mode (GCM) for both encryption and decryption\\naead, err := cipher.NewGCM(blockCipher)\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nvar encrypted = []byte{}\\nvar nonce = []byte{}\\n\\n// Encrypt a message with AES-256 using GCM\\n{\\n msg := []byte(\\"Some secret message\\")\\n // Ensure nonces are unique for each encryption to maintain security\\n nonce = make([]byte, 12)\\n if _, err := io.ReadFull(rand.Reader, nonce); err != nil {\\n log.Fatal(err)\\n }\\n encrypted = aead.Seal(nil, nonce, msg, nil)\\n}\\n\\n// Decrypt the message securely\\n{\\n msg, err := aead.Open(nil, nonce, encrypted, nil)\\n if err != nil {\\n log.Fatal(err)\\n }\\n fmt.Printf(\\"Decrypted: %s\\\\n\\", msg)\\n}\\n\`\`\`\\n\\n❌ Do Not Use Deprecated Algorithms\\nAvoid using deprecated cryptographic algorithms such as DES, as they do not provide adequate security against modern threats and attacks.\\n\\n## Resources\\n\\n- [NIST Recommendations](https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final)\\n- [AES-256 Encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_blocklist_des", - "line_number": 4, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 4, - "end": 4, - "column": { - "start": 2, - "end": 14 - } - }, - "sink": { - "start": 4, - "end": 4, - "column": { - "start": 2, - "end": 14 - }, - "content": "\\"crypto/des\\"" - }, - "parent_line_number": 4, - "snippet": "\\"crypto/des\\"", - "fingerprint": "5701c2af30f4ca2aaf2cb0bff61be1be_0", - "old_fingerprint": "c8850e419b899cc93c57917fbacacbf4_0", - "code_extract": "\\t\\"crypto/des\\"" - } - ] -}" -`; diff --git a/tests/go/gosec/blocklist/des/test.js b/tests/go/gosec/blocklist/des/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/blocklist/des/test.js +++ b/tests/go/gosec/blocklist/des/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/blocklist/des/testdata/main.go b/tests/go/gosec/blocklist/des/testdata/main.go index 5ee6576ef..247e5ed80 100644 --- a/tests/go/gosec/blocklist/des/testdata/main.go +++ b/tests/go/gosec/blocklist/des/testdata/main.go @@ -1,6 +1,7 @@ package main import ( +// bearer:expected go_gosec_blocklist_des "crypto/des" "fmt" ) diff --git a/tests/go/gosec/blocklist/md5/__snapshots__/test.js.snap b/tests/go/gosec/blocklist/md5/__snapshots__/test.js.snap deleted file mode 100644 index 652649622..000000000 --- a/tests/go/gosec/blocklist/md5/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_blocklist_md5 test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "328" - ], - "id": "go_gosec_blocklist_md5", - "title": "Import of weak hashing library (MD5)", - "description": "## Description\\n\\nMD5 is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. It's commonly used to check the integrity of files. However, MD5 is not collision-resistant; this means that different inputs may produce the same output hash. MD5's vulnerabilities and the feasibility of collision attacks have rendered it obsolete for security-related purposes, particularly digital signatures, SSL certificates, and cryptographic message authentication.\\n\\n## Remediation\\n\\nGiven the vulnerabilities of MD5, it is highly recommended to switch to more secure hashing algorithms. For hashing purposes that do not involve passwords, such as verifying file integrity or generating unique identifiers, SHA-3 or BLAKE2 can be used due to their stronger cryptographic properties.\\n\\n✅ Use SHA-3 or BLAKE2 for General Hashing Needs\\n\\n\`\`\`go\\n// BLAKE2 is a cryptographic hash function faster than MD5, SHA-1, and SHA-2, and as secure as the latest standard SHA-3\\nfileContents := []byte(\\"some file contents to create hash for\\")\\nblake2bHasher, err := blake2b.New512(nil)\\nif err != nil {\\n log.Fatal(err)\\n}\\nhashedValue := blake2bHasher.Sum(fileContents)\\nfmt.Printf(\\"%s\\\\n\\", hex.EncodeToString(hashedValue))\\n\`\`\`\\n\\nFor password hashing, where the hash functions need to be slow to combat brute-force attacks, bcrypt or Argon2id should be used. These algorithms are designed to be computationally intensive to hash and verify, which helps protect against password cracking attempts.\\n\\n✅ Adopt bcrypt or Argon2id for Password Hashing\\n\\nThe bcrypt algorithm is a good choice for password hashing as it allows you to adjust the cost (computational complexity) and is widely supported. Argon2id is the winner of the Password Hashing Competition and offers a good balance between resistance to GPU cracking attacks and usability.\\n\\n## Resources\\n\\n- [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_blocklist_md5", - "line_number": 4, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 4, - "end": 4, - "column": { - "start": 2, - "end": 14 - } - }, - "sink": { - "start": 4, - "end": 4, - "column": { - "start": 2, - "end": 14 - }, - "content": "\\"crypto/md5\\"" - }, - "parent_line_number": 4, - "snippet": "\\"crypto/md5\\"", - "fingerprint": "eb186a281342cc12d763fe3c841dfc09_0", - "old_fingerprint": "389be4fd1aecab117b4e71d6dc81e0fe_0", - "code_extract": "\\t\\"crypto/md5\\"" - } - ] -}" -`; diff --git a/tests/go/gosec/blocklist/md5/test.js b/tests/go/gosec/blocklist/md5/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/blocklist/md5/test.js +++ b/tests/go/gosec/blocklist/md5/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/blocklist/md5/testdata/main.go b/tests/go/gosec/blocklist/md5/testdata/main.go index 9da531607..6f974eb54 100644 --- a/tests/go/gosec/blocklist/md5/testdata/main.go +++ b/tests/go/gosec/blocklist/md5/testdata/main.go @@ -1,6 +1,7 @@ package main import ( +// bearer:expected go_gosec_blocklist_md5 "crypto/md5" "fmt" ) diff --git a/tests/go/gosec/blocklist/rc4/__snapshots__/test.js.snap b/tests/go/gosec/blocklist/rc4/__snapshots__/test.js.snap deleted file mode 100644 index d85a990de..000000000 --- a/tests/go/gosec/blocklist/rc4/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_blocklist_rc4 test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_blocklist_rc4", - "title": "Import of weak encryption algorithm (RCA)", - "description": "## Description\\n\\nRC4 is a stream cipher that was once popular for its simplicity and speed in operation. However, extensive research over the years has revealed multiple vulnerabilities, rendering RC4 insecure in most contexts. Its weaknesses in key scheduling and the generation of non-random bytes have led to successful cryptanalysis and practical attacks, making it unsuitable for securing data.\\n\\n## Remediation\\n\\nWith the known vulnerabilities of RC4, it's essential to move to a more secure cipher. AES (Advanced Encryption Standard) is the recommended replacement because it has undergone extensive scrutiny and is considered secure against cryptanalysis.\\n\\n✅ Switch to AES-256 for Robust Encryption\\n\\n\`\`\`go\\n// 32 byte keys will set up AES-256, which is a secure block cipher that has become the industry standard for encryption.\\nkey := make([]byte, 32)\\nif _, err := io.ReadFull(rand.Reader, key); err != nil {\\n log.Fatal(err)\\n}\\n\\nblockCipher, err := aes.NewCipher(key)\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\naead, err := cipher.NewGCM(blockCipher)\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nvar encrypted = []byte{}\\nvar nonce = []byte{}\\n// Encryption routine\\n{\\n msg := []byte(\\"Some secret message\\")\\n // Note that the key must be rotated after every 2^32 uses of a single nonce-value to avoid cipher text repetition.\\n nonce = make([]byte, 12)\\n if _, err := io.ReadFull(rand.Reader, nonce); err != nil {\\n log.Fatal(err)\\n }\\n encrypted = aead.Seal(nil, nonce, msg, nil)\\n}\\n\\n// Decryption routine\\n{\\n msg, err := aead.Open(nil, nonce, encrypted, nil)\\n if err != nil {\\n log.Fatal(err)\\n }\\n fmt.Printf(\\"Decrypted: %s\\\\n\\", msg)\\n}\\n\`\`\`\\n\\nUsing AES-256 ensures that your encryption mechanism meets current security standards and is robust against known attacks. AES has been widely adopted across various industries and has proven its reliability over time.\\n\\n## Resources\\n\\n- [NIST Guidelines on Cryptography](https://csrc.nist.gov/publications/detail/sp/800-38a/final)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_blocklist_rc4", - "line_number": 4, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 4, - "end": 4, - "column": { - "start": 2, - "end": 14 - } - }, - "sink": { - "start": 4, - "end": 4, - "column": { - "start": 2, - "end": 14 - }, - "content": "\\"crypto/rc4\\"" - }, - "parent_line_number": 4, - "snippet": "\\"crypto/rc4\\"", - "fingerprint": "0fec54dd8724cf655550856999eb17fb_0", - "old_fingerprint": "67002f96f906da879da606e636c13b8c_0", - "code_extract": "\\t\\"crypto/rc4\\"" - } - ] -}" -`; diff --git a/tests/go/gosec/blocklist/rc4/test.js b/tests/go/gosec/blocklist/rc4/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/blocklist/rc4/test.js +++ b/tests/go/gosec/blocklist/rc4/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/blocklist/rc4/testdata/main.go b/tests/go/gosec/blocklist/rc4/testdata/main.go index d223fa505..bac6680a3 100644 --- a/tests/go/gosec/blocklist/rc4/testdata/main.go +++ b/tests/go/gosec/blocklist/rc4/testdata/main.go @@ -1,6 +1,7 @@ package main import ( +// bearer:expected go_gosec_blocklist_rc4 "crypto/rc4" "fmt" ) diff --git a/tests/go/gosec/blocklist/sha1/__snapshots__/test.js.snap b/tests/go/gosec/blocklist/sha1/__snapshots__/test.js.snap deleted file mode 100644 index 0d66b1386..000000000 --- a/tests/go/gosec/blocklist/sha1/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_blocklist_sha1 test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "328" - ], - "id": "go_gosec_blocklist_sha1", - "title": "Import of weak hashing library (SHA-1)", - "description": "## Description\\n\\nThe SHA-1 hashing algorithm is no longer considered secure against well-funded attackers. It is vulnerable to collision attacks, which means it's possible to generate two different inputs that result in the same SHA-1 hash, undermining the hash's uniqueness and security. Due to these vulnerabilities, it is advised to discontinue using SHA-1 for cryptographic security.\\n\\n## Remediation\\n\\nWhen choosing a hashing algorithm for cryptographic purposes, it's important to select one that is resistant to collisions and other attack vectors. SHA-3 and BLAKE2 are both excellent choices for non-password-based hashing requirements due to their strong cryptographic properties.\\n\\n✅ For General Hashing Needs, Use SHA-3 or BLAKE2\\n\\nChoose SHA-3 or BLAKE2 for their resistance to known hash attack vectors, ensuring the integrity and uniqueness of your data fingerprints.\\n\\n✅ For Password Hashing, Prefer bcrypt or Argon2id\\n\\nFor password hashing specifically, bcrypt or Argon2id are recommended. These algorithms are designed to be computationally intensive, which helps protect against brute-force attacks.\\n\\n❌ Discontinue Using SHA-1 for Security Purposes\\n\\nGiven its vulnerabilities, avoid using SHA-1 in any security context to prevent potential collision attacks.\\n\\nThe code snippet provided is unrelated to the hashing algorithms and seems to be a continuation of the previous examples for encryption with AES-256. Ensure your hashing and encryption strategies are correctly implemented as per their intended use-cases.\\n\\n## Resources\\n\\n- [OWASP Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\\n- [NIST Policy on Hash Functions](https://csrc.nist.gov/projects/hash-functions)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_blocklist_sha1", - "line_number": 4, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 4, - "end": 4, - "column": { - "start": 2, - "end": 15 - } - }, - "sink": { - "start": 4, - "end": 4, - "column": { - "start": 2, - "end": 15 - }, - "content": "\\"crypto/sha1\\"" - }, - "parent_line_number": 4, - "snippet": "\\"crypto/sha1\\"", - "fingerprint": "c2e8f4129be45dc51a2f05ecb2a2c021_0", - "old_fingerprint": "be80d15eca84c5e2caf79b59e5541bc9_0", - "code_extract": "\\t\\"crypto/sha1\\"" - } - ] -}" -`; diff --git a/tests/go/gosec/blocklist/sha1/test.js b/tests/go/gosec/blocklist/sha1/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/blocklist/sha1/test.js +++ b/tests/go/gosec/blocklist/sha1/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/blocklist/sha1/testdata/main.go b/tests/go/gosec/blocklist/sha1/testdata/main.go index 3a6af7bee..66eaf2c26 100644 --- a/tests/go/gosec/blocklist/sha1/testdata/main.go +++ b/tests/go/gosec/blocklist/sha1/testdata/main.go @@ -1,6 +1,7 @@ package main import ( +// bearer:expected go_gosec_blocklist_sha1 "crypto/sha1" "fmt" ) diff --git a/tests/go/gosec/crypto/bad_tls_settings/__snapshots__/test.js.snap b/tests/go/gosec/crypto/bad_tls_settings/__snapshots__/test.js.snap deleted file mode 100644 index d51fe68b8..000000000 --- a/tests/go/gosec/crypto/bad_tls_settings/__snapshots__/test.js.snap +++ /dev/null @@ -1,76 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_crypto_bad_tls_settings test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_bad_tls_settings", - "title": "Usage of insecure cipher", - "description": "## Description\\n\\nA security concern arises when a cryptographically insecure cipher suite is used in an application. Such cipher suites may be vulnerable to various types of attacks, reducing the security of the communication channel.\\n\\n## Remediation\\n\\nTo enhance the security of TLS connections, it is crucial to use up-to-date and secure cipher suites and protocols. Here are the recommended steps to ensure the use of secure ciphers:\\n\\n✅ Use Modern, Secure Cipher Suites\\n\\nSelect cipher suites that are known to be secure and have properties such as Perfect Forward Secrecy (PFS), which protects past communications even if future private keys are compromised.\\n\\n✅ Adopt TLS 1.3 Where Possible\\n\\nTLS 1.3 should be the preferred protocol as it includes improvements over previous versions, making it more secure against various attacks. Go's standard library will automatically prefer the most secure protocol and cipher suite available during the TLS handshake.\\n\\n✅ Configure TLS Properly If Using TLS 1.0-1.2\\n\\nIn cases where TLS 1.3 is not an option and you must use TLS 1.0-1.2, ensure to configure the cipher suites to use those that support PFS, as listed below.\\n\\n❌ Avoid Using Obsolete or Insecure Cipher Suites\\n\\nAvoid any cipher suites that do not support modern security standards, including those without PFS or with known vulnerabilities.\\n\\nThe provided Go code examples demonstrate how to configure the \`tls.Config\` struct for a Go server to use TLS 1.3 or to specify a list of secure cipher suites when using TLS 1.0-1.2.\\n\\n## Resources\\n\\n- [Mozilla's SSL Configuration Generator](https://ssl-config.mozilla.org/)\\n- [OWASP TLS Cipher String Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html)\\n- [RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3](https://tools.ietf.org/html/rfc8446)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_bad_tls_settings", - "line_number": 11, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 11, - "end": 11, - "column": { - "start": 21, - "end": 137 - } - }, - "sink": { - "start": 11, - "end": 11, - "column": { - "start": 21, - "end": 137 - }, - "content": "tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}}" - }, - "parent_line_number": 11, - "snippet": "tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}}", - "fingerprint": "36c61f9e4fdfaf69e608c2e75308672a_0", - "old_fingerprint": "4a972d23a74fe461e2424501cdcbd9d0_0", - "code_extract": "\\t\\tTLSClientConfig: &tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}}," - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_bad_tls_settings", - "title": "Usage of insecure cipher", - "description": "## Description\\n\\nA security concern arises when a cryptographically insecure cipher suite is used in an application. Such cipher suites may be vulnerable to various types of attacks, reducing the security of the communication channel.\\n\\n## Remediation\\n\\nTo enhance the security of TLS connections, it is crucial to use up-to-date and secure cipher suites and protocols. Here are the recommended steps to ensure the use of secure ciphers:\\n\\n✅ Use Modern, Secure Cipher Suites\\n\\nSelect cipher suites that are known to be secure and have properties such as Perfect Forward Secrecy (PFS), which protects past communications even if future private keys are compromised.\\n\\n✅ Adopt TLS 1.3 Where Possible\\n\\nTLS 1.3 should be the preferred protocol as it includes improvements over previous versions, making it more secure against various attacks. Go's standard library will automatically prefer the most secure protocol and cipher suite available during the TLS handshake.\\n\\n✅ Configure TLS Properly If Using TLS 1.0-1.2\\n\\nIn cases where TLS 1.3 is not an option and you must use TLS 1.0-1.2, ensure to configure the cipher suites to use those that support PFS, as listed below.\\n\\n❌ Avoid Using Obsolete or Insecure Cipher Suites\\n\\nAvoid any cipher suites that do not support modern security standards, including those without PFS or with known vulnerabilities.\\n\\nThe provided Go code examples demonstrate how to configure the \`tls.Config\` struct for a Go server to use TLS 1.3 or to specify a list of secure cipher suites when using TLS 1.0-1.2.\\n\\n## Resources\\n\\n- [Mozilla's SSL Configuration Generator](https://ssl-config.mozilla.org/)\\n- [OWASP TLS Cipher String Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html)\\n- [RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3](https://tools.ietf.org/html/rfc8446)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_bad_tls_settings", - "line_number": 14, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 14, - "end": 16, - "column": { - "start": 12, - "end": 3 - } - }, - "sink": { - "start": 14, - "end": 16, - "column": { - "start": 12, - "end": 3 - }, - "content": "tls.CipherSuite{\\n\\t\\tID: tls.TLS_AES_128_GCM_SHA256,\\n\\t}" - }, - "parent_line_number": 14, - "snippet": "tls.CipherSuite{\\n\\t\\tID: tls.TLS_AES_128_GCM_SHA256,\\n\\t}", - "fingerprint": "36c61f9e4fdfaf69e608c2e75308672a_1", - "old_fingerprint": "4a972d23a74fe461e2424501cdcbd9d0_1", - "code_extract": "\\tcipher := tls.CipherSuite{\\n\\t\\tID: tls.TLS_AES_128_GCM_SHA256,\\n\\t}" - } - ] -}" -`; diff --git a/tests/go/gosec/crypto/bad_tls_settings/test.js b/tests/go/gosec/crypto/bad_tls_settings/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/crypto/bad_tls_settings/test.js +++ b/tests/go/gosec/crypto/bad_tls_settings/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/crypto/bad_tls_settings/testdata/main.go b/tests/go/gosec/crypto/bad_tls_settings/testdata/main.go index 216d5b36f..c947f89c1 100644 --- a/tests/go/gosec/crypto/bad_tls_settings/testdata/main.go +++ b/tests/go/gosec/crypto/bad_tls_settings/testdata/main.go @@ -8,9 +8,11 @@ import ( func mainbadciphersuites() { tr := &http.Transport{ +// bearer:expected go_gosec_crypto_bad_tls_settings TLSClientConfig: &tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}}, } +// bearer:expected go_gosec_crypto_bad_tls_settings cipher := tls.CipherSuite{ ID: tls.TLS_AES_128_GCM_SHA256, } diff --git a/tests/go/gosec/crypto/insecure_ignore_host_key/__snapshots__/test.js.snap b/tests/go/gosec/crypto/insecure_ignore_host_key/__snapshots__/test.js.snap deleted file mode 100644 index d65845201..000000000 --- a/tests/go/gosec/crypto/insecure_ignore_host_key/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_crypto_insecure_ignore_host_key test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_insecure_ignore_host_key", - "title": "Missing verification of host keys", - "description": "## Description\\n\\nThe security vulnerability identified pertains to the application neglecting the verification of host keys during SSH connections. Host keys are crucial for confirming the server's identity, preventing Man-in-the-Middle (MitM) attacks where an attacker could impersonate the server. When these keys are ignored, the client cannot guarantee the authenticity of the server it connects to.\\n\\n## Remediation\\n\\nTo mitigate this risk, it is essential to implement proper host key checking:\\n\\n✅ Implement Host Key Verification\\n\\nUse the \`knownhosts\` package from Go's \`x/crypto/ssh\` to validate server keys against known hosts. This mirrors the functionality found in OpenSSH.\\n\\n✅ Avoid Disabling Host Key Checking\\n\\nNever disable host key checking in production code. While it might be convenient for testing, it opens up security vulnerabilities.\\n\\n❌ Do Not Use \`InsecureIgnoreHostKey\`\\n\\nAlthough available, using \`ssh.InsecureIgnoreHostKey\` as a \`HostKeyCallback\` function should be strictly avoided as it does not offer any form of host validation.\\n\\nBelow is a code snippet showing how to set up an SSH \`ClientConfig\` in Go to use the \`knownhosts\` callback for server verification:\\n\\n## Resources\\n\\n- [GoDoc for x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh)\\n- [Secure use of SSH - OpenSSH](https://www.openssh.com/)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_insecure_ignore_host_key", - "line_number": 8, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 8, - "end": 8, - "column": { - "start": 6, - "end": 33 - } - }, - "sink": { - "start": 8, - "end": 8, - "column": { - "start": 6, - "end": 33 - }, - "content": "ssh.InsecureIgnoreHostKey()" - }, - "parent_line_number": 8, - "snippet": "ssh.InsecureIgnoreHostKey()", - "fingerprint": "dbf696ab5d93618a95e2b8124b7c4c18_0", - "old_fingerprint": "736c606334c8f895d0bfe41c1abff8ea_0", - "code_extract": "\\t_ = ssh.InsecureIgnoreHostKey()" - } - ] -}" -`; diff --git a/tests/go/gosec/crypto/insecure_ignore_host_key/test.js b/tests/go/gosec/crypto/insecure_ignore_host_key/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/crypto/insecure_ignore_host_key/test.js +++ b/tests/go/gosec/crypto/insecure_ignore_host_key/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/crypto/insecure_ignore_host_key/testdata/main.go b/tests/go/gosec/crypto/insecure_ignore_host_key/testdata/main.go index c60bd8abf..f2b5beec5 100644 --- a/tests/go/gosec/crypto/insecure_ignore_host_key/testdata/main.go +++ b/tests/go/gosec/crypto/insecure_ignore_host_key/testdata/main.go @@ -5,5 +5,6 @@ import ( ) func main() { +// bearer:expected go_gosec_crypto_insecure_ignore_host_key _ = ssh.InsecureIgnoreHostKey() } diff --git a/tests/go/gosec/crypto/weak_crypto/__snapshots__/test.js.snap b/tests/go/gosec/crypto/weak_crypto/__snapshots__/test.js.snap deleted file mode 100644 index 0677a543e..000000000 --- a/tests/go/gosec/crypto/weak_crypto/__snapshots__/test.js.snap +++ /dev/null @@ -1,246 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_crypto_weak_crypto test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_crypto", - "title": "Usage of weak hashing library", - "description": "## Description\\n\\nThe issue identified indicates the use of a cryptographic algorithm that is no longer considered secure by current standards. Such algorithms can compromise data confidentiality and integrity, making it vulnerable to decryption and tampering by unauthorized parties.\\n\\n## Remediation\\n\\nTo ensure the security of the data, adhere to the following guidelines:\\n\\n✅ Employ Strong Cryptographic Algorithms\\n\\nReplace deprecated or weak algorithms with strong, modern alternatives such as AES (Advanced Encryption Standard) for encryption, and SHA-256 or higher for hashing.\\n\\n✅ Keep Libraries Updated\\n\\nUse the latest versions of cryptographic libraries, as they are more likely to default to secure algorithms and settings.\\n\\n❌ Avoid Deprecated Algorithms\\n\\nDo not use cryptographic algorithms that have been deprecated due to vulnerabilities, such as MD5, SHA-1, or DES.\\n\\n❌ Do Not Reinvent Cryptography\\n\\nAvoid custom cryptographic implementations as they are more susceptible to errors. Instead, rely on well-reviewed and tested standard cryptographic libraries.\\n\\n## Resources\\n\\n- [NIST Cryptographic Standards and Guidelines](https://csrc.nist.gov/publications/sp)\\n- [Cryptography Coding Standard](https://cryptocoding.net/index.php/Coding_rules)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_crypto", - "line_number": 13, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 13, - "end": 13, - "column": { - "start": 12, - "end": 28 - } - }, - "sink": { - "start": 13, - "end": 13, - "column": { - "start": 12, - "end": 28 - }, - "content": "rc4.NewCipher(k)" - }, - "parent_line_number": 13, - "snippet": "rc4.NewCipher(k)", - "fingerprint": "45b48243a6f8f3eba502319efc975ec0_0", - "old_fingerprint": "071fb5b2a3758433e529d3c7636d7af7_0", - "code_extract": "\\tc, err := rc4.NewCipher(k)" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_crypto", - "title": "Usage of weak hashing library", - "description": "## Description\\n\\nThe issue identified indicates the use of a cryptographic algorithm that is no longer considered secure by current standards. Such algorithms can compromise data confidentiality and integrity, making it vulnerable to decryption and tampering by unauthorized parties.\\n\\n## Remediation\\n\\nTo ensure the security of the data, adhere to the following guidelines:\\n\\n✅ Employ Strong Cryptographic Algorithms\\n\\nReplace deprecated or weak algorithms with strong, modern alternatives such as AES (Advanced Encryption Standard) for encryption, and SHA-256 or higher for hashing.\\n\\n✅ Keep Libraries Updated\\n\\nUse the latest versions of cryptographic libraries, as they are more likely to default to secure algorithms and settings.\\n\\n❌ Avoid Deprecated Algorithms\\n\\nDo not use cryptographic algorithms that have been deprecated due to vulnerabilities, such as MD5, SHA-1, or DES.\\n\\n❌ Do Not Reinvent Cryptography\\n\\nAvoid custom cryptographic implementations as they are more susceptible to errors. Instead, rely on well-reviewed and tested standard cryptographic libraries.\\n\\n## Resources\\n\\n- [NIST Cryptographic Standards and Guidelines](https://csrc.nist.gov/publications/sp)\\n- [Cryptography Coding Standard](https://cryptocoding.net/index.php/Coding_rules)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_crypto", - "line_number": 24, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 24, - "end": 24, - "column": { - "start": 7, - "end": 16 - } - }, - "sink": { - "start": 24, - "end": 24, - "column": { - "start": 7, - "end": 16 - }, - "content": "md5.New()" - }, - "parent_line_number": 24, - "snippet": "md5.New()", - "fingerprint": "45b48243a6f8f3eba502319efc975ec0_1", - "old_fingerprint": "071fb5b2a3758433e529d3c7636d7af7_1", - "code_extract": "\\th := md5.New()" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_crypto", - "title": "Usage of weak hashing library", - "description": "## Description\\n\\nThe issue identified indicates the use of a cryptographic algorithm that is no longer considered secure by current standards. Such algorithms can compromise data confidentiality and integrity, making it vulnerable to decryption and tampering by unauthorized parties.\\n\\n## Remediation\\n\\nTo ensure the security of the data, adhere to the following guidelines:\\n\\n✅ Employ Strong Cryptographic Algorithms\\n\\nReplace deprecated or weak algorithms with strong, modern alternatives such as AES (Advanced Encryption Standard) for encryption, and SHA-256 or higher for hashing.\\n\\n✅ Keep Libraries Updated\\n\\nUse the latest versions of cryptographic libraries, as they are more likely to default to secure algorithms and settings.\\n\\n❌ Avoid Deprecated Algorithms\\n\\nDo not use cryptographic algorithms that have been deprecated due to vulnerabilities, such as MD5, SHA-1, or DES.\\n\\n❌ Do Not Reinvent Cryptography\\n\\nAvoid custom cryptographic implementations as they are more susceptible to errors. Instead, rely on well-reviewed and tested standard cryptographic libraries.\\n\\n## Resources\\n\\n- [NIST Cryptographic Standards and Guidelines](https://csrc.nist.gov/publications/sp)\\n- [Cryptography Coding Standard](https://cryptocoding.net/index.php/Coding_rules)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_crypto", - "line_number": 29, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 29, - "end": 29, - "column": { - "start": 9, - "end": 33 - } - }, - "sink": { - "start": 29, - "end": 29, - "column": { - "start": 9, - "end": 33 - }, - "content": "md5.Sum([]byte(\\"stuff\\"))" - }, - "parent_line_number": 29, - "snippet": "md5.Sum([]byte(\\"stuff\\"))", - "fingerprint": "45b48243a6f8f3eba502319efc975ec0_2", - "old_fingerprint": "071fb5b2a3758433e529d3c7636d7af7_2", - "code_extract": "\\tout := md5.Sum([]byte(\\"stuff\\"))" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_crypto", - "title": "Usage of weak hashing library", - "description": "## Description\\n\\nThe issue identified indicates the use of a cryptographic algorithm that is no longer considered secure by current standards. Such algorithms can compromise data confidentiality and integrity, making it vulnerable to decryption and tampering by unauthorized parties.\\n\\n## Remediation\\n\\nTo ensure the security of the data, adhere to the following guidelines:\\n\\n✅ Employ Strong Cryptographic Algorithms\\n\\nReplace deprecated or weak algorithms with strong, modern alternatives such as AES (Advanced Encryption Standard) for encryption, and SHA-256 or higher for hashing.\\n\\n✅ Keep Libraries Updated\\n\\nUse the latest versions of cryptographic libraries, as they are more likely to default to secure algorithms and settings.\\n\\n❌ Avoid Deprecated Algorithms\\n\\nDo not use cryptographic algorithms that have been deprecated due to vulnerabilities, such as MD5, SHA-1, or DES.\\n\\n❌ Do Not Reinvent Cryptography\\n\\nAvoid custom cryptographic implementations as they are more susceptible to errors. Instead, rely on well-reviewed and tested standard cryptographic libraries.\\n\\n## Resources\\n\\n- [NIST Cryptographic Standards and Guidelines](https://csrc.nist.gov/publications/sp)\\n- [Cryptography Coding Standard](https://cryptocoding.net/index.php/Coding_rules)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_crypto", - "line_number": 34, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 34, - "end": 34, - "column": { - "start": 7, - "end": 17 - } - }, - "sink": { - "start": 34, - "end": 34, - "column": { - "start": 7, - "end": 17 - }, - "content": "sha1.New()" - }, - "parent_line_number": 34, - "snippet": "sha1.New()", - "fingerprint": "45b48243a6f8f3eba502319efc975ec0_3", - "old_fingerprint": "071fb5b2a3758433e529d3c7636d7af7_3", - "code_extract": "\\th := sha1.New()" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_crypto", - "title": "Usage of weak hashing library", - "description": "## Description\\n\\nThe issue identified indicates the use of a cryptographic algorithm that is no longer considered secure by current standards. Such algorithms can compromise data confidentiality and integrity, making it vulnerable to decryption and tampering by unauthorized parties.\\n\\n## Remediation\\n\\nTo ensure the security of the data, adhere to the following guidelines:\\n\\n✅ Employ Strong Cryptographic Algorithms\\n\\nReplace deprecated or weak algorithms with strong, modern alternatives such as AES (Advanced Encryption Standard) for encryption, and SHA-256 or higher for hashing.\\n\\n✅ Keep Libraries Updated\\n\\nUse the latest versions of cryptographic libraries, as they are more likely to default to secure algorithms and settings.\\n\\n❌ Avoid Deprecated Algorithms\\n\\nDo not use cryptographic algorithms that have been deprecated due to vulnerabilities, such as MD5, SHA-1, or DES.\\n\\n❌ Do Not Reinvent Cryptography\\n\\nAvoid custom cryptographic implementations as they are more susceptible to errors. Instead, rely on well-reviewed and tested standard cryptographic libraries.\\n\\n## Resources\\n\\n- [NIST Cryptographic Standards and Guidelines](https://csrc.nist.gov/publications/sp)\\n- [Cryptography Coding Standard](https://cryptocoding.net/index.php/Coding_rules)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_crypto", - "line_number": 39, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 39, - "end": 39, - "column": { - "start": 9, - "end": 34 - } - }, - "sink": { - "start": 39, - "end": 39, - "column": { - "start": 9, - "end": 34 - }, - "content": "sha1.Sum([]byte(\\"stuff\\"))" - }, - "parent_line_number": 39, - "snippet": "sha1.Sum([]byte(\\"stuff\\"))", - "fingerprint": "45b48243a6f8f3eba502319efc975ec0_4", - "old_fingerprint": "071fb5b2a3758433e529d3c7636d7af7_4", - "code_extract": "\\tout := sha1.Sum([]byte(\\"stuff\\"))" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_crypto", - "title": "Usage of weak hashing library", - "description": "## Description\\n\\nThe issue identified indicates the use of a cryptographic algorithm that is no longer considered secure by current standards. Such algorithms can compromise data confidentiality and integrity, making it vulnerable to decryption and tampering by unauthorized parties.\\n\\n## Remediation\\n\\nTo ensure the security of the data, adhere to the following guidelines:\\n\\n✅ Employ Strong Cryptographic Algorithms\\n\\nReplace deprecated or weak algorithms with strong, modern alternatives such as AES (Advanced Encryption Standard) for encryption, and SHA-256 or higher for hashing.\\n\\n✅ Keep Libraries Updated\\n\\nUse the latest versions of cryptographic libraries, as they are more likely to default to secure algorithms and settings.\\n\\n❌ Avoid Deprecated Algorithms\\n\\nDo not use cryptographic algorithms that have been deprecated due to vulnerabilities, such as MD5, SHA-1, or DES.\\n\\n❌ Do Not Reinvent Cryptography\\n\\nAvoid custom cryptographic implementations as they are more susceptible to errors. Instead, rely on well-reviewed and tested standard cryptographic libraries.\\n\\n## Resources\\n\\n- [NIST Cryptographic Standards and Guidelines](https://csrc.nist.gov/publications/sp)\\n- [Cryptography Coding Standard](https://cryptocoding.net/index.php/Coding_rules)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_crypto", - "line_number": 45, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 45, - "end": 45, - "column": { - "start": 16, - "end": 32 - } - }, - "sink": { - "start": 45, - "end": 45, - "column": { - "start": 16, - "end": 32 - }, - "content": "des.NewCipher(k)" - }, - "parent_line_number": 45, - "snippet": "des.NewCipher(k)", - "fingerprint": "45b48243a6f8f3eba502319efc975ec0_5", - "old_fingerprint": "071fb5b2a3758433e529d3c7636d7af7_5", - "code_extract": "\\tblock, err := des.NewCipher(k)" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_crypto", - "title": "Usage of weak hashing library", - "description": "## Description\\n\\nThe issue identified indicates the use of a cryptographic algorithm that is no longer considered secure by current standards. Such algorithms can compromise data confidentiality and integrity, making it vulnerable to decryption and tampering by unauthorized parties.\\n\\n## Remediation\\n\\nTo ensure the security of the data, adhere to the following guidelines:\\n\\n✅ Employ Strong Cryptographic Algorithms\\n\\nReplace deprecated or weak algorithms with strong, modern alternatives such as AES (Advanced Encryption Standard) for encryption, and SHA-256 or higher for hashing.\\n\\n✅ Keep Libraries Updated\\n\\nUse the latest versions of cryptographic libraries, as they are more likely to default to secure algorithms and settings.\\n\\n❌ Avoid Deprecated Algorithms\\n\\nDo not use cryptographic algorithms that have been deprecated due to vulnerabilities, such as MD5, SHA-1, or DES.\\n\\n❌ Do Not Reinvent Cryptography\\n\\nAvoid custom cryptographic implementations as they are more susceptible to errors. Instead, rely on well-reviewed and tested standard cryptographic libraries.\\n\\n## Resources\\n\\n- [NIST Cryptographic Standards and Guidelines](https://csrc.nist.gov/publications/sp)\\n- [Cryptography Coding Standard](https://cryptocoding.net/index.php/Coding_rules)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_crypto", - "line_number": 59, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 59, - "end": 59, - "column": { - "start": 16, - "end": 41 - } - }, - "sink": { - "start": 59, - "end": 59, - "column": { - "start": 16, - "end": 41 - }, - "content": "des.NewTripleDESCipher(k)" - }, - "parent_line_number": 59, - "snippet": "des.NewTripleDESCipher(k)", - "fingerprint": "45b48243a6f8f3eba502319efc975ec0_6", - "old_fingerprint": "071fb5b2a3758433e529d3c7636d7af7_6", - "code_extract": "\\tblock, err := des.NewTripleDESCipher(k)" - } - ] -}" -`; diff --git a/tests/go/gosec/crypto/weak_crypto/test.js b/tests/go/gosec/crypto/weak_crypto/test.js index 12471991f..2589fa550 100644 --- a/tests/go/gosec/crypto/weak_crypto/test.js +++ b/tests/go/gosec/crypto/weak_crypto/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/crypto/weak_crypto/testdata/main.go b/tests/go/gosec/crypto/weak_crypto/testdata/main.go index c52d7042f..b4f5a9356 100644 --- a/tests/go/gosec/crypto/weak_crypto/testdata/main.go +++ b/tests/go/gosec/crypto/weak_crypto/testdata/main.go @@ -10,6 +10,7 @@ import ( func mainrc4() { k := []byte("super secret key") +// bearer:expected go_gosec_crypto_weak_crypto c, err := rc4.NewCipher(k) if err != nil { return @@ -21,27 +22,32 @@ func mainrc4() { } func mainMD55() { +// bearer:expected go_gosec_crypto_weak_crypto h := md5.New() h.Write([]byte("stuff")) } func mainMD5Sum() { +// bearer:expected go_gosec_crypto_weak_crypto out := md5.Sum([]byte("stuff")) fmt.Println(out) } func mainSHA1() { +// bearer:expected go_gosec_crypto_weak_crypto h := sha1.New() h.Write([]byte("stuff")) } func mainSHA1Sum() { +// bearer:expected go_gosec_crypto_weak_crypto out := sha1.Sum([]byte("stuff")) fmt.Println(out) } func maindes() { k := []byte("super secret key") +// bearer:expected go_gosec_crypto_weak_crypto block, err := des.NewCipher(k) if err != nil { return @@ -56,6 +62,7 @@ func maindes() { func main3des() { k := []byte("super secret key") +// bearer:expected go_gosec_crypto_weak_crypto block, err := des.NewTripleDESCipher(k) if err != nil { return diff --git a/tests/go/gosec/crypto/weak_key_strength/__snapshots__/test.js.snap b/tests/go/gosec/crypto/weak_key_strength/__snapshots__/test.js.snap deleted file mode 100644 index f987339d9..000000000 --- a/tests/go/gosec/crypto/weak_key_strength/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_crypto_weak_key_strength test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_key_strength", - "title": "Usage of inadequate encryption strength", - "description": "## Description\\n\\nThe application generates an RSA key with a bit length that is shorter than the current recommended minimum of 2048 bits. Keys shorter than 2048 bits are considered insecure due to advancements in computational power which could potentially allow them to be factored, thereby breaking the encryption.\\n\\n## Remediation\\n\\nTo ensure the security of RSA keys, follow these guidelines:\\n\\n✅ Use Sufficient Key Length\\n\\nGenerate RSA keys with a minimum length of 2048 bits to align with NIST recommendations and safeguard against future advancements in computing power that could compromise keys of shorter lengths.\\n\\n\`\`\`go\\n// Example of generating a secure RSA key with 2048 bits\\nimport (\\n \\"crypto/rand\\"\\n \\"crypto/rsa\\"\\n \\"log\\"\\n)\\n\\nfunc generateSecureKey() {\\n // Use at least 2048 bits for secure RSA keys\\n privateKey, err := rsa.GenerateKey(rand.Reader, 2048)\\n if err != nil {\\n log.Fatalf(\\"Error generating RSA key: %v\\", err)\\n }\\n // privateKey can now be used for secure cryptographic operations\\n}\\n\`\`\`\\n\\n❌ Avoid Short Keys\\n\\nDo not use RSA keys that are less than 2048 bits in length, as they do not offer sufficient protection against brute-force attacks.\\n\\n❌ Don't Ignore Industry Standards\\n\\nAlways follow industry standards and guidelines for cryptographic practices to maintain the integrity and confidentiality of data.\\n\\n## Resources\\n\\n- [NIST Special Publication 800-57 Part 1](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_key_strength", - "line_number": 11, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 11, - "end": 11, - "column": { - "start": 14, - "end": 48 - } - }, - "sink": { - "start": 11, - "end": 11, - "column": { - "start": 14, - "end": 48 - }, - "content": "rsa.GenerateKey(rand.Reader, 1024)" - }, - "parent_line_number": 11, - "snippet": "rsa.GenerateKey(rand.Reader, 1024)", - "fingerprint": "695a0322af8c5cb0665169f1eaca776f_0", - "old_fingerprint": "63ff529d2f1ee14097f9417bfa5ffde8_0", - "code_extract": "\\tpvk, err := rsa.GenerateKey(rand.Reader, 1024)" - } - ] -}" -`; diff --git a/tests/go/gosec/crypto/weak_key_strength/test.js b/tests/go/gosec/crypto/weak_key_strength/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/crypto/weak_key_strength/test.js +++ b/tests/go/gosec/crypto/weak_key_strength/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/crypto/weak_key_strength/testdata/main.go b/tests/go/gosec/crypto/weak_key_strength/testdata/main.go index c44fdf9a7..bda4d9af3 100644 --- a/tests/go/gosec/crypto/weak_key_strength/testdata/main.go +++ b/tests/go/gosec/crypto/weak_key_strength/testdata/main.go @@ -8,6 +8,7 @@ import ( func mainweakkey() { //Generate Private Key +// bearer:expected go_gosec_crypto_weak_key_strength pvk, err := rsa.GenerateKey(rand.Reader, 1024) if err != nil { fmt.Println(err) diff --git a/tests/go/gosec/crypto/weak_random/__snapshots__/test.js.snap b/tests/go/gosec/crypto/weak_random/__snapshots__/test.js.snap deleted file mode 100644 index cf5259a1c..000000000 --- a/tests/go/gosec/crypto/weak_random/__snapshots__/test.js.snap +++ /dev/null @@ -1,144 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_crypto_weak_random test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_random", - "title": "Usage of weak Pseudo-Random Number Generator (PRNG)", - "description": "## Description\\n\\nThe \`math/rand\` package in Go is designed for generating pseudorandom numbers, which are not secure for cryptographic purposes. These numbers are predictable if the seed is known, which could compromise the security of applications using them for secrets, tokens, or other security-sensitive features.\\n\\n## Remediations\\n\\nTo securely generate random numbers in a security-sensitive context, implement the following measures:\\n\\n✅ Use Cryptographically Secure Randomness\\n\\nReplace the use of \`math/rand\` with \`crypto/rand\` to ensure that the random numbers generated are suitable for cryptographic use and are not predictable.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"log\\"\\n \\"math/big\\"\\n)\\n\\nfunc generateSecureRandomNumber() *big.Int {\\n // Generate a cryptographically secure random number\\n randomNumber, err := rand.Int(rand.Reader, big.NewInt(1<<62))\\n if err != nil {\\n log.Fatalf(\\"Failed to generate a secure random number: %v\\", err)\\n }\\n return randomNumber\\n}\\n\`\`\`\\n\\n✅ Audit Existing Code\\n\\nReview your codebase for instances where \`math/rand\` is used in security-sensitive contexts and update them to use \`crypto/rand\`.\\n\\n❌ Do Not Use Predictable Seeds\\n\\nAvoid initializing \`math/rand\` with predictable seeds, such as timestamps or other easily guessable values, especially in a security context.\\n\\n❌ Don't Use for Security Purposes\\n\\nNever rely on \`math/rand\` for generating random numbers in cryptographic applications, like key generation, authentication tokens, or any form of security challenge.\\n\\n## Resources\\n\\n- [crypto/rand package documentation](https://pkg.go.dev/crypto/rand)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_random", - "line_number": 9, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 9, - "end": 9, - "column": { - "start": 9, - "end": 19 - } - }, - "sink": { - "start": 9, - "end": 9, - "column": { - "start": 9, - "end": 19 - }, - "content": "rand.Int()" - }, - "parent_line_number": 9, - "snippet": "rand.Int()", - "fingerprint": "7b6ec9847cbc39c97fa0639013146ac3_0", - "old_fingerprint": "a2f5db50454d53a8f3aa6a3845a5f64b_0", - "code_extract": "\\tbad := rand.Int() // detected" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_random", - "title": "Usage of weak Pseudo-Random Number Generator (PRNG)", - "description": "## Description\\n\\nThe \`math/rand\` package in Go is designed for generating pseudorandom numbers, which are not secure for cryptographic purposes. These numbers are predictable if the seed is known, which could compromise the security of applications using them for secrets, tokens, or other security-sensitive features.\\n\\n## Remediations\\n\\nTo securely generate random numbers in a security-sensitive context, implement the following measures:\\n\\n✅ Use Cryptographically Secure Randomness\\n\\nReplace the use of \`math/rand\` with \`crypto/rand\` to ensure that the random numbers generated are suitable for cryptographic use and are not predictable.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"log\\"\\n \\"math/big\\"\\n)\\n\\nfunc generateSecureRandomNumber() *big.Int {\\n // Generate a cryptographically secure random number\\n randomNumber, err := rand.Int(rand.Reader, big.NewInt(1<<62))\\n if err != nil {\\n log.Fatalf(\\"Failed to generate a secure random number: %v\\", err)\\n }\\n return randomNumber\\n}\\n\`\`\`\\n\\n✅ Audit Existing Code\\n\\nReview your codebase for instances where \`math/rand\` is used in security-sensitive contexts and update them to use \`crypto/rand\`.\\n\\n❌ Do Not Use Predictable Seeds\\n\\nAvoid initializing \`math/rand\` with predictable seeds, such as timestamps or other easily guessable values, especially in a security context.\\n\\n❌ Don't Use for Security Purposes\\n\\nNever rely on \`math/rand\` for generating random numbers in cryptographic applications, like key generation, authentication tokens, or any form of security challenge.\\n\\n## Resources\\n\\n- [crypto/rand package documentation](https://pkg.go.dev/crypto/rand)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_random", - "line_number": 16, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 16, - "end": 16, - "column": { - "start": 9, - "end": 22 - } - }, - "sink": { - "start": 16, - "end": 16, - "column": { - "start": 9, - "end": 22 - }, - "content": "mrand.Int31()" - }, - "parent_line_number": 16, - "snippet": "mrand.Int31()", - "fingerprint": "7b6ec9847cbc39c97fa0639013146ac3_1", - "old_fingerprint": "a2f5db50454d53a8f3aa6a3845a5f64b_1", - "code_extract": "\\tbad := mrand.Int31() // detected" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_random", - "title": "Usage of weak Pseudo-Random Number Generator (PRNG)", - "description": "## Description\\n\\nThe \`math/rand\` package in Go is designed for generating pseudorandom numbers, which are not secure for cryptographic purposes. These numbers are predictable if the seed is known, which could compromise the security of applications using them for secrets, tokens, or other security-sensitive features.\\n\\n## Remediations\\n\\nTo securely generate random numbers in a security-sensitive context, implement the following measures:\\n\\n✅ Use Cryptographically Secure Randomness\\n\\nReplace the use of \`math/rand\` with \`crypto/rand\` to ensure that the random numbers generated are suitable for cryptographic use and are not predictable.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"log\\"\\n \\"math/big\\"\\n)\\n\\nfunc generateSecureRandomNumber() *big.Int {\\n // Generate a cryptographically secure random number\\n randomNumber, err := rand.Int(rand.Reader, big.NewInt(1<<62))\\n if err != nil {\\n log.Fatalf(\\"Failed to generate a secure random number: %v\\", err)\\n }\\n return randomNumber\\n}\\n\`\`\`\\n\\n✅ Audit Existing Code\\n\\nReview your codebase for instances where \`math/rand\` is used in security-sensitive contexts and update them to use \`crypto/rand\`.\\n\\n❌ Do Not Use Predictable Seeds\\n\\nAvoid initializing \`math/rand\` with predictable seeds, such as timestamps or other easily guessable values, especially in a security context.\\n\\n❌ Don't Use for Security Purposes\\n\\nNever rely on \`math/rand\` for generating random numbers in cryptographic applications, like key generation, authentication tokens, or any form of security challenge.\\n\\n## Resources\\n\\n- [crypto/rand package documentation](https://pkg.go.dev/crypto/rand)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_random", - "line_number": 22, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 22, - "end": 22, - "column": { - "start": 9, - "end": 18 - } - }, - "sink": { - "start": 22, - "end": 22, - "column": { - "start": 9, - "end": 18 - }, - "content": "gen.Int()" - }, - "parent_line_number": 22, - "snippet": "gen.Int()", - "fingerprint": "7b6ec9847cbc39c97fa0639013146ac3_2", - "old_fingerprint": "a2f5db50454d53a8f3aa6a3845a5f64b_2", - "code_extract": "\\tbad := gen.Int() // detected" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_random", - "title": "Usage of weak Pseudo-Random Number Generator (PRNG)", - "description": "## Description\\n\\nThe \`math/rand\` package in Go is designed for generating pseudorandom numbers, which are not secure for cryptographic purposes. These numbers are predictable if the seed is known, which could compromise the security of applications using them for secrets, tokens, or other security-sensitive features.\\n\\n## Remediations\\n\\nTo securely generate random numbers in a security-sensitive context, implement the following measures:\\n\\n✅ Use Cryptographically Secure Randomness\\n\\nReplace the use of \`math/rand\` with \`crypto/rand\` to ensure that the random numbers generated are suitable for cryptographic use and are not predictable.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"log\\"\\n \\"math/big\\"\\n)\\n\\nfunc generateSecureRandomNumber() *big.Int {\\n // Generate a cryptographically secure random number\\n randomNumber, err := rand.Int(rand.Reader, big.NewInt(1<<62))\\n if err != nil {\\n log.Fatalf(\\"Failed to generate a secure random number: %v\\", err)\\n }\\n return randomNumber\\n}\\n\`\`\`\\n\\n✅ Audit Existing Code\\n\\nReview your codebase for instances where \`math/rand\` is used in security-sensitive contexts and update them to use \`crypto/rand\`.\\n\\n❌ Do Not Use Predictable Seeds\\n\\nAvoid initializing \`math/rand\` with predictable seeds, such as timestamps or other easily guessable values, especially in a security context.\\n\\n❌ Don't Use for Security Purposes\\n\\nNever rely on \`math/rand\` for generating random numbers in cryptographic applications, like key generation, authentication tokens, or any form of security challenge.\\n\\n## Resources\\n\\n- [crypto/rand package documentation](https://pkg.go.dev/crypto/rand)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_random", - "line_number": 27, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 27, - "end": 27, - "column": { - "start": 9, - "end": 22 - } - }, - "sink": { - "start": 27, - "end": 27, - "column": { - "start": 9, - "end": 22 - }, - "content": "rand.Intn(10)" - }, - "parent_line_number": 27, - "snippet": "rand.Intn(10)", - "fingerprint": "7b6ec9847cbc39c97fa0639013146ac3_3", - "old_fingerprint": "a2f5db50454d53a8f3aa6a3845a5f64b_3", - "code_extract": "\\tbad := rand.Intn(10) // detected" - } - ] -}" -`; diff --git a/tests/go/gosec/crypto/weak_random/test.js b/tests/go/gosec/crypto/weak_random/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/crypto/weak_random/test.js +++ b/tests/go/gosec/crypto/weak_random/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/crypto/weak_random/testdata/main.go b/tests/go/gosec/crypto/weak_random/testdata/main.go index 26246120c..861570409 100644 --- a/tests/go/gosec/crypto/weak_random/testdata/main.go +++ b/tests/go/gosec/crypto/weak_random/testdata/main.go @@ -6,6 +6,7 @@ import ( ) func bad1() { +// bearer:expected go_gosec_crypto_weak_random bad := rand.Int() // detected println(bad) } @@ -13,17 +14,20 @@ func bad1() { func bad2() { good, _ := rand.Read(nil) println(good) +// bearer:expected go_gosec_crypto_weak_random bad := mrand.Int31() // detected println(bad) } func badnewsource() { gen := rand.New(rand.NewSource(10)) +// bearer:expected go_gosec_crypto_weak_random bad := gen.Int() // detected println(bad) } func badIntn() { +// bearer:expected go_gosec_crypto_weak_random bad := rand.Intn(10) // detected println(bad) } diff --git a/tests/go/gosec/crypto/weak_tls_version/__snapshots__/test.js.snap b/tests/go/gosec/crypto/weak_tls_version/__snapshots__/test.js.snap deleted file mode 100644 index d423dea71..000000000 --- a/tests/go/gosec/crypto/weak_tls_version/__snapshots__/test.js.snap +++ /dev/null @@ -1,76 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_crypto_weak_tls_version test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_tls_version", - "title": "Usage of deprecated TLS version", - "description": "## Description\\n\\nTLS (Transport Layer Security) versions 1.1 and 1.0 have been deprecated due to known security vulnerabilities that can expose sensitive data to interception and attacks. Using these versions can put data transmissions at risk.\\n\\n## Remediations\\n\\nTo ensure secure data transmission, you should enforce the use of TLS 1.3, which includes security enhancements over its predecessors. The following steps can be taken:\\n\\n✅ Enforce TLS 1.3\\n\\nUpdate your server configuration to support and prefer TLS 1.3, which includes modern security features and mitigates known vulnerabilities found in older versions.\\n\\n✅ Configure Go’s TLS Library\\n\\nSet \`MinVersion\` in the \`tls.Config\` struct to \`tls.VersionTLS13\` to ensure that the server only accepts TLS 1.3 connections.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/tls\\"\\n \\"log\\"\\n \\"net/http\\"\\n \\"time\\"\\n)\\n\\nfunc main() {\\n cert, err := tls.LoadX509KeyPair(\\"server.crt\\", \\"server.key\\")\\n if err != nil {\\n log.Fatalf(\\"failed to load key pair: %s\\", err)\\n }\\n\\n cfg := &tls.Config{\\n Certificates: []tls.Certificate{cert},\\n MinVersion: tls.VersionTLS13, // Enforce TLS 1.3\\n }\\n\\n srv := &http.Server{\\n Addr: \\":8999\\", // Listen on port 8999\\n TLSConfig: cfg,\\n ReadTimeout: time.Minute,\\n WriteTimeout: time.Minute,\\n }\\n\\n log.Printf(\\"Server is starting...\\")\\n log.Fatal(srv.ListenAndServeTLS(\\"\\", \\"\\")) // TLS cert and key are already provided in the TLSConfig\\n}\\n\`\`\`\\n\\n✅ Perfect Forward Secrecy (PFS)\\n\\nTLS 1.3 configurations ensure PFS by default, which protects past communications even if future session keys are compromised.\\n\\n✅ Regularly Update Dependencies\\n\\nKeep your Go version and dependencies up-to-date to benefit from the latest security fixes and improvements.\\n\\n❌ Do Not Use Deprecated TLS Versions\\n\\nAvoid configuring your server to accept TLS 1.0 or 1.1. Remove these options from your TLS configuration to prevent downgrade attacks.\\n\\n## Resources\\n\\n- [IETF's Deprecation of TLS 1.0 and 1.1](https://tools.ietf.org/html/rfc8996)\\n- [OWASP TLS Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/TLS_Security_Cheat_Sheet.html)\\n- [Go \`crypto/tls\` package documentation](https://pkg.go.dev/crypto/tls)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_tls_version", - "line_number": 12, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 12, - "end": 12, - "column": { - "start": 4, - "end": 20 - } - }, - "sink": { - "start": 12, - "end": 12, - "column": { - "start": 4, - "end": 20 - }, - "content": "tls.VersionTLS11" - }, - "parent_line_number": 12, - "snippet": "tls.VersionTLS11", - "fingerprint": "764f08ca905f8ac862ad3f7f1aedd81e_0", - "old_fingerprint": "e2cbe75a9a29dfc680f083a7d6379e4f_0", - "code_extract": "\\t\\t\\ttls.VersionTLS11," - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_crypto_weak_tls_version", - "title": "Usage of deprecated TLS version", - "description": "## Description\\n\\nTLS (Transport Layer Security) versions 1.1 and 1.0 have been deprecated due to known security vulnerabilities that can expose sensitive data to interception and attacks. Using these versions can put data transmissions at risk.\\n\\n## Remediations\\n\\nTo ensure secure data transmission, you should enforce the use of TLS 1.3, which includes security enhancements over its predecessors. The following steps can be taken:\\n\\n✅ Enforce TLS 1.3\\n\\nUpdate your server configuration to support and prefer TLS 1.3, which includes modern security features and mitigates known vulnerabilities found in older versions.\\n\\n✅ Configure Go’s TLS Library\\n\\nSet \`MinVersion\` in the \`tls.Config\` struct to \`tls.VersionTLS13\` to ensure that the server only accepts TLS 1.3 connections.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/tls\\"\\n \\"log\\"\\n \\"net/http\\"\\n \\"time\\"\\n)\\n\\nfunc main() {\\n cert, err := tls.LoadX509KeyPair(\\"server.crt\\", \\"server.key\\")\\n if err != nil {\\n log.Fatalf(\\"failed to load key pair: %s\\", err)\\n }\\n\\n cfg := &tls.Config{\\n Certificates: []tls.Certificate{cert},\\n MinVersion: tls.VersionTLS13, // Enforce TLS 1.3\\n }\\n\\n srv := &http.Server{\\n Addr: \\":8999\\", // Listen on port 8999\\n TLSConfig: cfg,\\n ReadTimeout: time.Minute,\\n WriteTimeout: time.Minute,\\n }\\n\\n log.Printf(\\"Server is starting...\\")\\n log.Fatal(srv.ListenAndServeTLS(\\"\\", \\"\\")) // TLS cert and key are already provided in the TLSConfig\\n}\\n\`\`\`\\n\\n✅ Perfect Forward Secrecy (PFS)\\n\\nTLS 1.3 configurations ensure PFS by default, which protects past communications even if future session keys are compromised.\\n\\n✅ Regularly Update Dependencies\\n\\nKeep your Go version and dependencies up-to-date to benefit from the latest security fixes and improvements.\\n\\n❌ Do Not Use Deprecated TLS Versions\\n\\nAvoid configuring your server to accept TLS 1.0 or 1.1. Remove these options from your TLS configuration to prevent downgrade attacks.\\n\\n## Resources\\n\\n- [IETF's Deprecation of TLS 1.0 and 1.1](https://tools.ietf.org/html/rfc8996)\\n- [OWASP TLS Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/TLS_Security_Cheat_Sheet.html)\\n- [Go \`crypto/tls\` package documentation](https://pkg.go.dev/crypto/tls)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_crypto_weak_tls_version", - "line_number": 13, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 13, - "end": 13, - "column": { - "start": 4, - "end": 20 - } - }, - "sink": { - "start": 13, - "end": 13, - "column": { - "start": 4, - "end": 20 - }, - "content": "tls.VersionTLS10" - }, - "parent_line_number": 13, - "snippet": "tls.VersionTLS10", - "fingerprint": "764f08ca905f8ac862ad3f7f1aedd81e_1", - "old_fingerprint": "e2cbe75a9a29dfc680f083a7d6379e4f_1", - "code_extract": "\\t\\t\\ttls.VersionTLS10," - } - ] -}" -`; diff --git a/tests/go/gosec/crypto/weak_tls_version/test.js b/tests/go/gosec/crypto/weak_tls_version/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/crypto/weak_tls_version/test.js +++ b/tests/go/gosec/crypto/weak_tls_version/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/crypto/weak_tls_version/testdata/main.go b/tests/go/gosec/crypto/weak_tls_version/testdata/main.go index e28f8923e..e059e942a 100644 --- a/tests/go/gosec/crypto/weak_tls_version/testdata/main.go +++ b/tests/go/gosec/crypto/weak_tls_version/testdata/main.go @@ -9,7 +9,9 @@ import ( func mainbadciphersuites() { tr := &http.Transport{ TLSClientConfig: &tls.Config{CipherSuites: []uint16{ +// bearer:expected go_gosec_crypto_weak_tls_version tls.VersionTLS11, +// bearer:expected go_gosec_crypto_weak_tls_version tls.VersionTLS10, }}, } diff --git a/tests/go/gosec/file_permissions/file_perm/__snapshots__/test.js.snap b/tests/go/gosec/file_permissions/file_perm/__snapshots__/test.js.snap deleted file mode 100644 index 7282b404d..000000000 --- a/tests/go/gosec/file_permissions/file_perm/__snapshots__/test.js.snap +++ /dev/null @@ -1,144 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_file_permissions_file_perm test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "276" - ], - "id": "go_gosec_file_permissions_file_perm", - "title": "Permissive file assignment", - "description": "## Description\\n\\nWhen creating or updating files, ensuring proper file permissions is crucial to maintain security. Overly permissive file settings can allow unauthorized users to read, modify, or execute files, which could lead to information disclosure, data tampering, or compromise of the system.\\n\\n## Remediations\\n\\nTo prevent unauthorized access, it's important to set restrictive file permissions, particularly when sensitive data is involved. Here's how to manage file permissions in Go:\\n\\n✅ Restrict File Permissions\\n\\nSet file permissions to allow only the necessary access level for the application. Avoid using permissions like \`0777\`, which allows read, write, and execute permissions for all users.\\n\\n✅ Use Go’s \`os\` Package\\n\\nUtilize the \`os.OpenFile\` function with the appropriate file permission flags.\\n\\n✅ Recommended File Permissions\\n\\n- \`0400\` grants read-only access to the file's owner.\\n- \`0200\` grants write-only access to the file's owner.\\n- \`0600\` grants read and write access to the file's owner and is commonly used for files that need to be both read from and written to by the application.\\n\\n\`\`\`go\\nimport (\\n \\"log\\"\\n \\"os\\"\\n)\\n\\nfunc main() {\\n // Use os.OpenFile to create a file with restricted permissions\\n // 0600 permission: Read and write for the owner, no permissions for others\\n f, err := os.OpenFile(\\"file.txt\\", os.O_CREATE|os.O_WRONLY, 0600)\\n if err != nil {\\n log.Fatalf(\\"failed to create file: %s\\", err)\\n }\\n defer f.Close()\\n // Continue to work with the file here\\n}\\n\`\`\`\\n\\n✅ Verify File Permissions\\n\\nAfter file creation, check the file permissions to ensure they are set correctly.\\n\\n✅ Secure Default Permissions\\n\\nIf you are developing an application that creates multiple files, consider setting umask in your application to a secure default.\\n\\n✅ Review File Permission Settings\\n\\nRegularly audit file permissions to ensure they adhere to the principle of least privilege.\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_file_permissions_file_perm", - "line_number": 10, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 10, - "end": 10, - "column": { - "start": 9, - "end": 40 - } - }, - "sink": { - "start": 10, - "end": 10, - "column": { - "start": 9, - "end": 40 - }, - "content": "os.Chmod(\\"/tmp/somefile\\", 0777)" - }, - "parent_line_number": 10, - "snippet": "os.Chmod(\\"/tmp/somefile\\", 0777)", - "fingerprint": "209f59925365847834972fad1f6b8239_0", - "old_fingerprint": "d7910697f643b646416f0860cd20d867_0", - "code_extract": "\\terr := os.Chmod(\\"/tmp/somefile\\", 0777) // detected" - }, - { - "cwe_ids": [ - "276" - ], - "id": "go_gosec_file_permissions_file_perm", - "title": "Permissive file assignment", - "description": "## Description\\n\\nWhen creating or updating files, ensuring proper file permissions is crucial to maintain security. Overly permissive file settings can allow unauthorized users to read, modify, or execute files, which could lead to information disclosure, data tampering, or compromise of the system.\\n\\n## Remediations\\n\\nTo prevent unauthorized access, it's important to set restrictive file permissions, particularly when sensitive data is involved. Here's how to manage file permissions in Go:\\n\\n✅ Restrict File Permissions\\n\\nSet file permissions to allow only the necessary access level for the application. Avoid using permissions like \`0777\`, which allows read, write, and execute permissions for all users.\\n\\n✅ Use Go’s \`os\` Package\\n\\nUtilize the \`os.OpenFile\` function with the appropriate file permission flags.\\n\\n✅ Recommended File Permissions\\n\\n- \`0400\` grants read-only access to the file's owner.\\n- \`0200\` grants write-only access to the file's owner.\\n- \`0600\` grants read and write access to the file's owner and is commonly used for files that need to be both read from and written to by the application.\\n\\n\`\`\`go\\nimport (\\n \\"log\\"\\n \\"os\\"\\n)\\n\\nfunc main() {\\n // Use os.OpenFile to create a file with restricted permissions\\n // 0600 permission: Read and write for the owner, no permissions for others\\n f, err := os.OpenFile(\\"file.txt\\", os.O_CREATE|os.O_WRONLY, 0600)\\n if err != nil {\\n log.Fatalf(\\"failed to create file: %s\\", err)\\n }\\n defer f.Close()\\n // Continue to work with the file here\\n}\\n\`\`\`\\n\\n✅ Verify File Permissions\\n\\nAfter file creation, check the file permissions to ensure they are set correctly.\\n\\n✅ Secure Default Permissions\\n\\nIf you are developing an application that creates multiple files, consider setting umask in your application to a secure default.\\n\\n✅ Review File Permission Settings\\n\\nRegularly audit file permissions to ensure they adhere to the principle of least privilege.\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_file_permissions_file_perm", - "line_number": 18, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 18, - "end": 18, - "column": { - "start": 12, - "end": 68 - } - }, - "sink": { - "start": 18, - "end": 18, - "column": { - "start": 12, - "end": 68 - }, - "content": "os.OpenFile(\\"/tmp/thing\\", os.O_CREATE|os.O_WRONLY, 0666)" - }, - "parent_line_number": 18, - "snippet": "os.OpenFile(\\"/tmp/thing\\", os.O_CREATE|os.O_WRONLY, 0666)", - "fingerprint": "209f59925365847834972fad1f6b8239_1", - "old_fingerprint": "d7910697f643b646416f0860cd20d867_1", - "code_extract": "\\t_, err := os.OpenFile(\\"/tmp/thing\\", os.O_CREATE|os.O_WRONLY, 0666) // detected" - }, - { - "cwe_ids": [ - "276" - ], - "id": "go_gosec_file_permissions_file_perm", - "title": "Permissive file assignment", - "description": "## Description\\n\\nWhen creating or updating files, ensuring proper file permissions is crucial to maintain security. Overly permissive file settings can allow unauthorized users to read, modify, or execute files, which could lead to information disclosure, data tampering, or compromise of the system.\\n\\n## Remediations\\n\\nTo prevent unauthorized access, it's important to set restrictive file permissions, particularly when sensitive data is involved. Here's how to manage file permissions in Go:\\n\\n✅ Restrict File Permissions\\n\\nSet file permissions to allow only the necessary access level for the application. Avoid using permissions like \`0777\`, which allows read, write, and execute permissions for all users.\\n\\n✅ Use Go’s \`os\` Package\\n\\nUtilize the \`os.OpenFile\` function with the appropriate file permission flags.\\n\\n✅ Recommended File Permissions\\n\\n- \`0400\` grants read-only access to the file's owner.\\n- \`0200\` grants write-only access to the file's owner.\\n- \`0600\` grants read and write access to the file's owner and is commonly used for files that need to be both read from and written to by the application.\\n\\n\`\`\`go\\nimport (\\n \\"log\\"\\n \\"os\\"\\n)\\n\\nfunc main() {\\n // Use os.OpenFile to create a file with restricted permissions\\n // 0600 permission: Read and write for the owner, no permissions for others\\n f, err := os.OpenFile(\\"file.txt\\", os.O_CREATE|os.O_WRONLY, 0600)\\n if err != nil {\\n log.Fatalf(\\"failed to create file: %s\\", err)\\n }\\n defer f.Close()\\n // Continue to work with the file here\\n}\\n\`\`\`\\n\\n✅ Verify File Permissions\\n\\nAfter file creation, check the file permissions to ensure they are set correctly.\\n\\n✅ Secure Default Permissions\\n\\nIf you are developing an application that creates multiple files, consider setting umask in your application to a secure default.\\n\\n✅ Review File Permission Settings\\n\\nRegularly audit file permissions to ensure they adhere to the principle of least privilege.\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_file_permissions_file_perm", - "line_number": 43, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 43, - "end": 43, - "column": { - "start": 12, - "end": 82 - } - }, - "sink": { - "start": 43, - "end": 43, - "column": { - "start": 12, - "end": 82 - }, - "content": "os.OpenFile(\\"/tmp/thing\\", os.O_CREATE|os.O_WRONLY, fs.FileMode(perms))" - }, - "parent_line_number": 43, - "snippet": "os.OpenFile(\\"/tmp/thing\\", os.O_CREATE|os.O_WRONLY, fs.FileMode(perms))", - "fingerprint": "209f59925365847834972fad1f6b8239_2", - "old_fingerprint": "d7910697f643b646416f0860cd20d867_2", - "code_extract": "\\t_, err := os.OpenFile(\\"/tmp/thing\\", os.O_CREATE|os.O_WRONLY, fs.FileMode(perms)) // detected" - }, - { - "cwe_ids": [ - "276" - ], - "id": "go_gosec_file_permissions_file_perm", - "title": "Permissive file assignment", - "description": "## Description\\n\\nWhen creating or updating files, ensuring proper file permissions is crucial to maintain security. Overly permissive file settings can allow unauthorized users to read, modify, or execute files, which could lead to information disclosure, data tampering, or compromise of the system.\\n\\n## Remediations\\n\\nTo prevent unauthorized access, it's important to set restrictive file permissions, particularly when sensitive data is involved. Here's how to manage file permissions in Go:\\n\\n✅ Restrict File Permissions\\n\\nSet file permissions to allow only the necessary access level for the application. Avoid using permissions like \`0777\`, which allows read, write, and execute permissions for all users.\\n\\n✅ Use Go’s \`os\` Package\\n\\nUtilize the \`os.OpenFile\` function with the appropriate file permission flags.\\n\\n✅ Recommended File Permissions\\n\\n- \`0400\` grants read-only access to the file's owner.\\n- \`0200\` grants write-only access to the file's owner.\\n- \`0600\` grants read and write access to the file's owner and is commonly used for files that need to be both read from and written to by the application.\\n\\n\`\`\`go\\nimport (\\n \\"log\\"\\n \\"os\\"\\n)\\n\\nfunc main() {\\n // Use os.OpenFile to create a file with restricted permissions\\n // 0600 permission: Read and write for the owner, no permissions for others\\n f, err := os.OpenFile(\\"file.txt\\", os.O_CREATE|os.O_WRONLY, 0600)\\n if err != nil {\\n log.Fatalf(\\"failed to create file: %s\\", err)\\n }\\n defer f.Close()\\n // Continue to work with the file here\\n}\\n\`\`\`\\n\\n✅ Verify File Permissions\\n\\nAfter file creation, check the file permissions to ensure they are set correctly.\\n\\n✅ Secure Default Permissions\\n\\nIf you are developing an application that creates multiple files, consider setting umask in your application to a secure default.\\n\\n✅ Review File Permission Settings\\n\\nRegularly audit file permissions to ensure they adhere to the principle of least privilege.\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_file_permissions_file_perm", - "line_number": 51, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 51, - "end": 51, - "column": { - "start": 9, - "end": 50 - } - }, - "sink": { - "start": 51, - "end": 51, - "column": { - "start": 9, - "end": 50 - }, - "content": "os.WriteFile(\\"/tmp/thing\\", content, 0666)" - }, - "parent_line_number": 51, - "snippet": "os.WriteFile(\\"/tmp/thing\\", content, 0666)", - "fingerprint": "209f59925365847834972fad1f6b8239_3", - "old_fingerprint": "d7910697f643b646416f0860cd20d867_3", - "code_extract": "\\terr := os.WriteFile(\\"/tmp/thing\\", content, 0666) // detected" - } - ] -}" -`; diff --git a/tests/go/gosec/file_permissions/file_perm/test.js b/tests/go/gosec/file_permissions/file_perm/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/file_permissions/file_perm/test.js +++ b/tests/go/gosec/file_permissions/file_perm/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/file_permissions/file_perm/testdata/main.go b/tests/go/gosec/file_permissions/file_perm/testdata/main.go index 7f68044ae..b007ad8f1 100644 --- a/tests/go/gosec/file_permissions/file_perm/testdata/main.go +++ b/tests/go/gosec/file_permissions/file_perm/testdata/main.go @@ -7,6 +7,7 @@ import ( ) func foo1() { +// bearer:expected go_gosec_file_permissions_file_perm err := os.Chmod("/tmp/somefile", 0777) // detected if err != nil { fmt.Println("Error when changing file permissions!") @@ -15,6 +16,7 @@ func foo1() { } func foo2() { +// bearer:expected go_gosec_file_permissions_file_perm _, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666) // detected if err != nil { fmt.Println("Error opening a file!") @@ -40,6 +42,7 @@ func foo4() { func foo5() { perms := 0402 +// bearer:expected go_gosec_file_permissions_file_perm _, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, fs.FileMode(perms)) // detected if err != nil { fmt.Println("Error opening a file!") @@ -48,6 +51,7 @@ func foo5() { } func foo6(content []byte) { +// bearer:expected go_gosec_file_permissions_file_perm err := os.WriteFile("/tmp/thing", content, 0666) // detected if err != nil { fmt.Println("Error opening a file!") diff --git a/tests/go/gosec/file_permissions/mkdir/__snapshots__/test.js.snap b/tests/go/gosec/file_permissions/mkdir/__snapshots__/test.js.snap deleted file mode 100644 index 4e8544b06..000000000 --- a/tests/go/gosec/file_permissions/mkdir/__snapshots__/test.js.snap +++ /dev/null @@ -1,76 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_file_permissions_mkdir test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "276" - ], - "id": "go_gosec_file_permissions_mkdir", - "title": "Permissive folder creation", - "description": "## Description\\n\\nSetting correct directory permissions is critical to maintaining the security of a system. Directories with overly permissive access rights can become a vector for security breaches, allowing unauthorized users to add, remove, or change files, potentially leading to the execution of malicious code, data leaks, or system compromise.\\n\\n## Remediations\\n\\nWhen creating directories, apply the principle of least privilege to ensure users have only the permissions necessary for their role:\\n\\n✅ Restrict Directory Permissions\\n\\nUse permissions that restrict access to what is strictly necessary for the operation of the application. Avoid overly permissive settings such as \`0777\`, which allow all users to read, write, and execute.\\n\\n✅ Use Go’s \`os\` Package\\n\\nLeverage the \`os.Mkdir\` or \`os.MkdirAll\` function with appropriate permission flags to create directories.\\n\\n✅ Recommended Directory Permissions\\n\\n- \`0700\` gives the owner read, write, and execute permissions, with no access for group and others, suitable for private user data.\\n- \`0750\` gives the owner full permissions, the group read and execute permissions, and no permissions for others, which is commonly used for directories that need to be shared within a group.\\n\\n\`\`\`go\\nimport (\\n \\"log\\"\\n \\"os\\"\\n)\\n\\nfunc main() {\\n // Use os.Mkdir to create a directory with restricted permissions\\n // 0700 permission: Full control for the owner, no permissions for group and others\\n err := os.Mkdir(\\"secure_directory\\", 0700)\\n if err != nil {\\n log.Fatalf(\\"failed to create directory: %s\\", err)\\n }\\n // Continue setting up the directory here\\n}\\n\`\`\`\\n\\n✅ Verify Directory Permissions\\n\\nAfter creating a directory, confirm the permissions to ensure they have been set correctly.\\n\\n✅ Set Secure Umask\\n\\nConsider setting a secure umask in your application or user profile to ensure that all newly created files and directories have restrictive permissions by default.\\n\\n✅ Regular Auditing\\n\\nImplement regular checks of directory permissions as part of your security auditing procedures to identify and correct any permissions that are too broad.\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_file_permissions_mkdir", - "line_number": 17, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 17, - "end": 17, - "column": { - "start": 9, - "end": 37 - } - }, - "sink": { - "start": 17, - "end": 17, - "column": { - "start": 9, - "end": 37 - }, - "content": "os.Mkdir(\\"/tmp/mydir\\", 0777)" - }, - "parent_line_number": 17, - "snippet": "os.Mkdir(\\"/tmp/mydir\\", 0777)", - "fingerprint": "48915bcd60ffd3454f55db2924e59c62_0", - "old_fingerprint": "253074ffb8917f7c68f698b97a6d661b_0", - "code_extract": "\\terr := os.Mkdir(\\"/tmp/mydir\\", 0777)" - }, - { - "cwe_ids": [ - "276" - ], - "id": "go_gosec_file_permissions_mkdir", - "title": "Permissive folder creation", - "description": "## Description\\n\\nSetting correct directory permissions is critical to maintaining the security of a system. Directories with overly permissive access rights can become a vector for security breaches, allowing unauthorized users to add, remove, or change files, potentially leading to the execution of malicious code, data leaks, or system compromise.\\n\\n## Remediations\\n\\nWhen creating directories, apply the principle of least privilege to ensure users have only the permissions necessary for their role:\\n\\n✅ Restrict Directory Permissions\\n\\nUse permissions that restrict access to what is strictly necessary for the operation of the application. Avoid overly permissive settings such as \`0777\`, which allow all users to read, write, and execute.\\n\\n✅ Use Go’s \`os\` Package\\n\\nLeverage the \`os.Mkdir\` or \`os.MkdirAll\` function with appropriate permission flags to create directories.\\n\\n✅ Recommended Directory Permissions\\n\\n- \`0700\` gives the owner read, write, and execute permissions, with no access for group and others, suitable for private user data.\\n- \`0750\` gives the owner full permissions, the group read and execute permissions, and no permissions for others, which is commonly used for directories that need to be shared within a group.\\n\\n\`\`\`go\\nimport (\\n \\"log\\"\\n \\"os\\"\\n)\\n\\nfunc main() {\\n // Use os.Mkdir to create a directory with restricted permissions\\n // 0700 permission: Full control for the owner, no permissions for group and others\\n err := os.Mkdir(\\"secure_directory\\", 0700)\\n if err != nil {\\n log.Fatalf(\\"failed to create directory: %s\\", err)\\n }\\n // Continue setting up the directory here\\n}\\n\`\`\`\\n\\n✅ Verify Directory Permissions\\n\\nAfter creating a directory, confirm the permissions to ensure they have been set correctly.\\n\\n✅ Set Secure Umask\\n\\nConsider setting a secure umask in your application or user profile to ensure that all newly created files and directories have restrictive permissions by default.\\n\\n✅ Regular Auditing\\n\\nImplement regular checks of directory permissions as part of your security auditing procedures to identify and correct any permissions that are too broad.\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_file_permissions_mkdir", - "line_number": 25, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 25, - "end": 25, - "column": { - "start": 9, - "end": 40 - } - }, - "sink": { - "start": 25, - "end": 25, - "column": { - "start": 9, - "end": 40 - }, - "content": "os.MkdirAll(\\"/tmp/mydir\\", 0777)" - }, - "parent_line_number": 25, - "snippet": "os.MkdirAll(\\"/tmp/mydir\\", 0777)", - "fingerprint": "48915bcd60ffd3454f55db2924e59c62_1", - "old_fingerprint": "253074ffb8917f7c68f698b97a6d661b_1", - "code_extract": "\\terr := os.MkdirAll(\\"/tmp/mydir\\", 0777)" - } - ] -}" -`; diff --git a/tests/go/gosec/file_permissions/mkdir/test.js b/tests/go/gosec/file_permissions/mkdir/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/file_permissions/mkdir/test.js +++ b/tests/go/gosec/file_permissions/mkdir/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/file_permissions/mkdir/testdata/main.go b/tests/go/gosec/file_permissions/mkdir/testdata/main.go index 447c968b1..80b11dfdd 100644 --- a/tests/go/gosec/file_permissions/mkdir/testdata/main.go +++ b/tests/go/gosec/file_permissions/mkdir/testdata/main.go @@ -14,6 +14,7 @@ func foo0() { } func foo1() { +// bearer:expected go_gosec_file_permissions_mkdir err := os.Mkdir("/tmp/mydir", 0777) if err != nil { fmt.Println("Error when creating a directory!") @@ -22,6 +23,7 @@ func foo1() { } func foo2() { +// bearer:expected go_gosec_file_permissions_mkdir err := os.MkdirAll("/tmp/mydir", 0777) if err != nil { fmt.Println("Error when creating a directory!") diff --git a/tests/go/gosec/filesystem/decompression_bomb/__snapshots__/test.js.snap b/tests/go/gosec/filesystem/decompression_bomb/__snapshots__/test.js.snap deleted file mode 100644 index 7145e7cd4..000000000 --- a/tests/go/gosec/filesystem/decompression_bomb/__snapshots__/test.js.snap +++ /dev/null @@ -1,110 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_filesystem_decompression_bomb test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_filesystem_decompression_bomb", - "title": "Missing configuration against decompression bomb", - "description": "## Description\\n\\nDecompression bombs are a form of attack against an application or service that processes compressed files. The attacker crafts a compressed file that is small in size, but when decompressed, expands to a much larger size that is disproportionate to the original. This can exhaust system resources like CPU, memory, or disk space, leading to a Denial of Service (DoS).\\n\\n## Remediations\\n\\nImplement measures to mitigate the impact of decompression bombs:\\n\\n✅ Limit Decompression Size\\n\\nUse \`io.LimitReader\` to restrict the amount of data that a reader will decompress. This prevents the decompression of large files that could fill up memory or disk space.\\n\\n✅ Monitor Resource Usage\\n\\nImplement resource monitoring to watch for unexpected spikes in CPU, memory, or disk usage, which could indicate an attempted decompression bomb attack.\\n\\n✅ Input Validation\\n\\nValidate the size and type of the input before decompressing. If possible, reject files that do not meet expected criteria.\\n\\n✅ Fail Safely\\n\\nEnsure that your application can handle errors from the decompression process safely, without crashing or becoming unresponsive.\\n\\n✅ Regular Updates\\n\\nKeep compression libraries up to date with the latest security patches to protect against known vulnerabilities.\\n\\n✅ User Education\\n\\nEducate users about the risks of decompression bombs if they are able to upload compressed files.\\n\\n\`\`\`go\\nimport (\\n \\"compress/gzip\\"\\n \\"io\\"\\n \\"log\\"\\n \\"os\\"\\n)\\n\\nfunc main() {\\n // Open the gzip file\\n f, err := os.Open(\\"example.gz\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer f.Close()\\n\\n // Create a gzip reader on the file\\n r, err := gzip.NewReader(f)\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer r.Close()\\n\\n // Define a limit for decompression\\n const maxDecompressSize = 10 * 1024 * 1024 // 10 MB\\n\\n // Limit the size of the reader\\n limitedReader := io.LimitReader(r, maxDecompressSize)\\n\\n // Use the limited reader to decompress, preventing the decompression bomb from expanding fully\\n if _, err := io.Copy(os.Stdout, limitedReader); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_decompression_bomb", - "line_number": 20, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 20, - "end": 20, - "column": { - "start": 11, - "end": 32 - } - }, - "sink": { - "start": 20, - "end": 20, - "column": { - "start": 11, - "end": 32 - }, - "content": "io.Copy(os.Stdout, r)" - }, - "parent_line_number": 20, - "snippet": "io.Copy(os.Stdout, r)", - "fingerprint": "2d4190d402514b2a6ed40a15b61c33ea_0", - "old_fingerprint": "b56cbf630ceb5b94f25b38725079b469_0", - "code_extract": "\\t_, err = io.Copy(os.Stdout, r)" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_filesystem_decompression_bomb", - "title": "Missing configuration against decompression bomb", - "description": "## Description\\n\\nDecompression bombs are a form of attack against an application or service that processes compressed files. The attacker crafts a compressed file that is small in size, but when decompressed, expands to a much larger size that is disproportionate to the original. This can exhaust system resources like CPU, memory, or disk space, leading to a Denial of Service (DoS).\\n\\n## Remediations\\n\\nImplement measures to mitigate the impact of decompression bombs:\\n\\n✅ Limit Decompression Size\\n\\nUse \`io.LimitReader\` to restrict the amount of data that a reader will decompress. This prevents the decompression of large files that could fill up memory or disk space.\\n\\n✅ Monitor Resource Usage\\n\\nImplement resource monitoring to watch for unexpected spikes in CPU, memory, or disk usage, which could indicate an attempted decompression bomb attack.\\n\\n✅ Input Validation\\n\\nValidate the size and type of the input before decompressing. If possible, reject files that do not meet expected criteria.\\n\\n✅ Fail Safely\\n\\nEnsure that your application can handle errors from the decompression process safely, without crashing or becoming unresponsive.\\n\\n✅ Regular Updates\\n\\nKeep compression libraries up to date with the latest security patches to protect against known vulnerabilities.\\n\\n✅ User Education\\n\\nEducate users about the risks of decompression bombs if they are able to upload compressed files.\\n\\n\`\`\`go\\nimport (\\n \\"compress/gzip\\"\\n \\"io\\"\\n \\"log\\"\\n \\"os\\"\\n)\\n\\nfunc main() {\\n // Open the gzip file\\n f, err := os.Open(\\"example.gz\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer f.Close()\\n\\n // Create a gzip reader on the file\\n r, err := gzip.NewReader(f)\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer r.Close()\\n\\n // Define a limit for decompression\\n const maxDecompressSize = 10 * 1024 * 1024 // 10 MB\\n\\n // Limit the size of the reader\\n limitedReader := io.LimitReader(r, maxDecompressSize)\\n\\n // Use the limited reader to decompress, preventing the decompression bomb from expanding fully\\n if _, err := io.Copy(os.Stdout, limitedReader); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_decompression_bomb", - "line_number": 36, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 36, - "end": 36, - "column": { - "start": 11, - "end": 43 - } - }, - "sink": { - "start": 36, - "end": 36, - "column": { - "start": 11, - "end": 43 - }, - "content": "io.CopyBuffer(os.Stdout, r, buf)" - }, - "parent_line_number": 36, - "snippet": "io.CopyBuffer(os.Stdout, r, buf)", - "fingerprint": "2d4190d402514b2a6ed40a15b61c33ea_1", - "old_fingerprint": "b56cbf630ceb5b94f25b38725079b469_1", - "code_extract": "\\t_, err = io.CopyBuffer(os.Stdout, r, buf)" - }, - { - "cwe_ids": [ - "327" - ], - "id": "go_gosec_filesystem_decompression_bomb", - "title": "Missing configuration against decompression bomb", - "description": "## Description\\n\\nDecompression bombs are a form of attack against an application or service that processes compressed files. The attacker crafts a compressed file that is small in size, but when decompressed, expands to a much larger size that is disproportionate to the original. This can exhaust system resources like CPU, memory, or disk space, leading to a Denial of Service (DoS).\\n\\n## Remediations\\n\\nImplement measures to mitigate the impact of decompression bombs:\\n\\n✅ Limit Decompression Size\\n\\nUse \`io.LimitReader\` to restrict the amount of data that a reader will decompress. This prevents the decompression of large files that could fill up memory or disk space.\\n\\n✅ Monitor Resource Usage\\n\\nImplement resource monitoring to watch for unexpected spikes in CPU, memory, or disk usage, which could indicate an attempted decompression bomb attack.\\n\\n✅ Input Validation\\n\\nValidate the size and type of the input before decompressing. If possible, reject files that do not meet expected criteria.\\n\\n✅ Fail Safely\\n\\nEnsure that your application can handle errors from the decompression process safely, without crashing or becoming unresponsive.\\n\\n✅ Regular Updates\\n\\nKeep compression libraries up to date with the latest security patches to protect against known vulnerabilities.\\n\\n✅ User Education\\n\\nEducate users about the risks of decompression bombs if they are able to upload compressed files.\\n\\n\`\`\`go\\nimport (\\n \\"compress/gzip\\"\\n \\"io\\"\\n \\"log\\"\\n \\"os\\"\\n)\\n\\nfunc main() {\\n // Open the gzip file\\n f, err := os.Open(\\"example.gz\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer f.Close()\\n\\n // Create a gzip reader on the file\\n r, err := gzip.NewReader(f)\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer r.Close()\\n\\n // Define a limit for decompression\\n const maxDecompressSize = 10 * 1024 * 1024 // 10 MB\\n\\n // Limit the size of the reader\\n limitedReader := io.LimitReader(r, maxDecompressSize)\\n\\n // Use the limited reader to decompress, preventing the decompression bomb from expanding fully\\n if _, err := io.Copy(os.Stdout, limitedReader); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_decompression_bomb", - "line_number": 58, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 58, - "end": 58, - "column": { - "start": 12, - "end": 28 - } - }, - "sink": { - "start": 58, - "end": 58, - "column": { - "start": 12, - "end": 28 - }, - "content": "io.Copy(out, rc)" - }, - "parent_line_number": 58, - "snippet": "io.Copy(out, rc)", - "fingerprint": "2d4190d402514b2a6ed40a15b61c33ea_2", - "old_fingerprint": "b56cbf630ceb5b94f25b38725079b469_2", - "code_extract": "\\t\\t_, err = io.Copy(out, rc)" - } - ] -}" -`; diff --git a/tests/go/gosec/filesystem/decompression_bomb/test.js b/tests/go/gosec/filesystem/decompression_bomb/test.js index 12471991f..2589fa550 100644 --- a/tests/go/gosec/filesystem/decompression_bomb/test.js +++ b/tests/go/gosec/filesystem/decompression_bomb/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/filesystem/decompression_bomb/testdata/main.go b/tests/go/gosec/filesystem/decompression_bomb/testdata/main.go index 29a1aa159..70b74ea3f 100644 --- a/tests/go/gosec/filesystem/decompression_bomb/testdata/main.go +++ b/tests/go/gosec/filesystem/decompression_bomb/testdata/main.go @@ -17,6 +17,7 @@ func foo1() { if err != nil { panic(err) } +// bearer:expected go_gosec_filesystem_decompression_bomb _, err = io.Copy(os.Stdout, r) if err != nil { panic(err) @@ -33,6 +34,7 @@ func foo2() { panic(err) } buf := make([]byte, 8) +// bearer:expected go_gosec_filesystem_decompression_bomb _, err = io.CopyBuffer(os.Stdout, r, buf) if err != nil { panic(err) @@ -55,6 +57,7 @@ func foo3() { if err != nil { panic(err) } +// bearer:expected go_gosec_filesystem_decompression_bomb _, err = io.Copy(out, rc) out.Close() rc.Close() diff --git a/tests/go/gosec/filesystem/dirtraversal/__snapshots__/test.js.snap b/tests/go/gosec/filesystem/dirtraversal/__snapshots__/test.js.snap deleted file mode 100644 index 5f6a537f7..000000000 --- a/tests/go/gosec/filesystem/dirtraversal/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_filesystem_dirtraversal test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "22" - ], - "id": "go_gosec_filesystem_dirtraversal", - "title": "Usage of Root directory mounting", - "description": "## Description\\n\\nMounting the root directory (\`/\`) in an HTTP server is a significant security risk. It potentially allows anyone with access to the HTTP service to browse and access system files, which can lead to information disclosure, data breaches, or further exploitation of the system.\\n\\n## Remediations\\n\\nImplement the following measures to prevent exposing the entire filesystem through your web server:\\n\\n✅ Serve Specific Directory\\n\\nChange the \`http.Dir\` to serve files from a specific, safe directory intended for public access rather than the root directory. Ensure this directory contains only the files that are meant to be publicly accessible.\\n\\n✅ Access Control\\n\\nApply appropriate permissions to the directory being served to ensure that the server process can only access the files that it's supposed to serve.\\n\\n✅ Use of Configuration Files\\n\\nIf supported, use configuration files like \`.htaccess\` (for Apache HTTP Server) or equivalent server configuration to control access to directories.\\n\\n✅ Isolate Environment\\n\\nConsider running your server in a containerized or virtualized environment with strict access controls to limit the potential damage in case of a security breach.\\n\\n✅ Regular Audits\\n\\nPerform regular audits of the filesystem and the files being served to ensure that no sensitive information is being unintentionally exposed.\\n\\n\`\`\`go\\nimport (\\n \\"net/http\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n // Define the specific path to a directory to be served\\n const safePath = \\"/var/www/html/public\\"\\n\\n // Create a new file server handler that serves files from the safePath\\n fs := http.FileServer(http.Dir(safePath))\\n\\n // Configure the server to handle requests to the root with the file server handler\\n http.Handle(\\"/\\", http.StripPrefix(\\"/\\", fs))\\n\\n // Start the server\\n log.Fatal(http.ListenAndServe(\\":9000\\", nil))\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [Go Documentation: http package](https://pkg.go.dev/net/http)\\n- [OWASP: Securing File Uploads](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)\\n- [NIST Guidelines on Securing Public Web Servers](https://csrc.nist.gov/publications/detail/sp/800-44/version-2/final)\\n- [Docker Documentation: Use containers for isolation](https://docs.docker.com/get-started/overview/#use-containers-for-isolation)\\n- [Linux man page for chmod (file permissions)](https://linux.die.net/man/1/chmod)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_dirtraversal", - "line_number": 10, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 10, - "end": 10, - "column": { - "start": 7, - "end": 20 - } - }, - "sink": { - "start": 10, - "end": 10, - "column": { - "start": 7, - "end": 20 - }, - "content": "net2.Dir(\\"/\\")" - }, - "parent_line_number": 10, - "snippet": "net2.Dir(\\"/\\")", - "fingerprint": "3a1c1dd6de643ca21a3d5b17af97729a_0", - "old_fingerprint": "bb634df7af20e27aa8f7123da072efdc_0", - "code_extract": "\\td := net2.Dir(\\"/\\")" - } - ] -}" -`; diff --git a/tests/go/gosec/filesystem/dirtraversal/test.js b/tests/go/gosec/filesystem/dirtraversal/test.js index 12471991f..276c0d056 100644 --- a/tests/go/gosec/filesystem/dirtraversal/test.js +++ b/tests/go/gosec/filesystem/dirtraversal/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/filesystem/dirtraversal/testdata/main.go b/tests/go/gosec/filesystem/dirtraversal/testdata/main.go index 84ecee727..f53f1ebe1 100644 --- a/tests/go/gosec/filesystem/dirtraversal/testdata/main.go +++ b/tests/go/gosec/filesystem/dirtraversal/testdata/main.go @@ -7,6 +7,7 @@ import ( ) func dtrav() { +// bearer:expected go_gosec_filesystem_dirtraversal d := net2.Dir("/") f, err := d.Open("some file") if err != nil { diff --git a/tests/go/gosec/filesystem/filereadtaint/__snapshots__/test.js.snap b/tests/go/gosec/filesystem/filereadtaint/__snapshots__/test.js.snap deleted file mode 100644 index 6bbcc5961..000000000 --- a/tests/go/gosec/filesystem/filereadtaint/__snapshots__/test.js.snap +++ /dev/null @@ -1,212 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_filesystem_filereadtaint test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "73" - ], - "id": "go_gosec_filesystem_filereadtaint", - "title": "Unsanitized user input in file path", - "description": "## Description\\n\\nConstructing file or path information dynamically, especially from user input, poses a significant security risk. If not handled correctly, attackers could manipulate these paths to access or manipulate sensitive files, leading to data breaches or system compromise. It is crucial to ensure that user input is not used directly to interact with the file system, as this can be exploited to perform path traversal attacks.\\n\\n## Remediations\\n\\nTo mitigate the risks associated with dynamic file path construction from user inputs, apply the following best practices:\\n\\n✅ Hash or Replace User Input\\n\\nWhen dealing with user input for file operations, hash the input or replace it with a system-generated unique identifier to prevent path manipulation.\\n\\n✅ Use \`filepath.Base\`\\n\\nExtract only the filename from the path, ignoring any directory information, to avoid directory traversal vulnerabilities.\\n\\n✅ Validate Paths Before Use\\n\\nAlways perform validation on the resolved paths before accessing files to ensure they are within the expected directory.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"encoding/hex\\"\\n \\"io\\"\\n \\"log\\"\\n \\"path/filepath\\"\\n \\"strings\\"\\n)\\n\\n// userData struct holds user-related data with a unique ID for file operations\\ntype userData struct {\\n id string // Unique identifier for the filename\\n userFilename string // Original filename from the user, kept for reference\\n}\\n\\n// newUserData constructs a new userData instance with a random file ID\\nfunc newUserData(userFilename string) userData {\\n return userData{\\n id: randomFileID(), // Use a random ID instead of user-provided filename\\n userFilename: userFilename,\\n }\\n}\\n\\n// randomFileID generates a secure random ID to be used as a filename\\nfunc randomFileID() string {\\n id := make([]byte, 16)\\n if _, err := io.ReadFull(rand.Reader, id); err != nil {\\n log.Fatal(err)\\n }\\n return hex.EncodeToString(id)\\n}\\n\\nfunc main() {\\n // Simulated user input, which may be malicious\\n data := newUserData(\\"../../possibly/malicious\\")\\n\\n // Define a safe base path for file operations\\n const basePath = \\"/tmp/\\"\\n\\n // Resolve the full path using the safe base path and the random ID\\n resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the resolved path is within our designated base path\\n if !strings.HasPrefix(resolvedPath, basePath) {\\n log.Fatal(\\"The resolved path does not start with the expected base path\\")\\n }\\n\\n // The file can now be safely accessed using resolvedPath\\n // Further file processing code would go here\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP Guide to Preventing Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_filereadtaint", - "line_number": 15, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 15, - "end": 15, - "column": { - "start": 15, - "end": 33 - } - }, - "sink": { - "start": 15, - "end": 15, - "column": { - "start": 15, - "end": 33 - }, - "content": "ioutil.ReadFile(f)" - }, - "parent_line_number": 15, - "snippet": "ioutil.ReadFile(f)", - "fingerprint": "4cbdcba5327691a5836bdf26ca7b0f5d_0", - "old_fingerprint": "74ca07036b660b9689e4fe7febfbed2b_0", - "code_extract": "\\tbody, err := ioutil.ReadFile(f)" - }, - { - "cwe_ids": [ - "73" - ], - "id": "go_gosec_filesystem_filereadtaint", - "title": "Unsanitized user input in file path", - "description": "## Description\\n\\nConstructing file or path information dynamically, especially from user input, poses a significant security risk. If not handled correctly, attackers could manipulate these paths to access or manipulate sensitive files, leading to data breaches or system compromise. It is crucial to ensure that user input is not used directly to interact with the file system, as this can be exploited to perform path traversal attacks.\\n\\n## Remediations\\n\\nTo mitigate the risks associated with dynamic file path construction from user inputs, apply the following best practices:\\n\\n✅ Hash or Replace User Input\\n\\nWhen dealing with user input for file operations, hash the input or replace it with a system-generated unique identifier to prevent path manipulation.\\n\\n✅ Use \`filepath.Base\`\\n\\nExtract only the filename from the path, ignoring any directory information, to avoid directory traversal vulnerabilities.\\n\\n✅ Validate Paths Before Use\\n\\nAlways perform validation on the resolved paths before accessing files to ensure they are within the expected directory.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"encoding/hex\\"\\n \\"io\\"\\n \\"log\\"\\n \\"path/filepath\\"\\n \\"strings\\"\\n)\\n\\n// userData struct holds user-related data with a unique ID for file operations\\ntype userData struct {\\n id string // Unique identifier for the filename\\n userFilename string // Original filename from the user, kept for reference\\n}\\n\\n// newUserData constructs a new userData instance with a random file ID\\nfunc newUserData(userFilename string) userData {\\n return userData{\\n id: randomFileID(), // Use a random ID instead of user-provided filename\\n userFilename: userFilename,\\n }\\n}\\n\\n// randomFileID generates a secure random ID to be used as a filename\\nfunc randomFileID() string {\\n id := make([]byte, 16)\\n if _, err := io.ReadFull(rand.Reader, id); err != nil {\\n log.Fatal(err)\\n }\\n return hex.EncodeToString(id)\\n}\\n\\nfunc main() {\\n // Simulated user input, which may be malicious\\n data := newUserData(\\"../../possibly/malicious\\")\\n\\n // Define a safe base path for file operations\\n const basePath = \\"/tmp/\\"\\n\\n // Resolve the full path using the safe base path and the random ID\\n resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the resolved path is within our designated base path\\n if !strings.HasPrefix(resolvedPath, basePath) {\\n log.Fatal(\\"The resolved path does not start with the expected base path\\")\\n }\\n\\n // The file can now be safely accessed using resolvedPath\\n // Further file processing code would go here\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP Guide to Preventing Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_filereadtaint", - "line_number": 26, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 26, - "end": 26, - "column": { - "start": 13, - "end": 27 - } - }, - "sink": { - "start": 26, - "end": 26, - "column": { - "start": 13, - "end": 27 - }, - "content": "os.Open(title)" - }, - "parent_line_number": 26, - "snippet": "os.Open(title)", - "fingerprint": "4cbdcba5327691a5836bdf26ca7b0f5d_1", - "old_fingerprint": "74ca07036b660b9689e4fe7febfbed2b_1", - "code_extract": "\\t\\tf, err := os.Open(title)" - }, - { - "cwe_ids": [ - "73" - ], - "id": "go_gosec_filesystem_filereadtaint", - "title": "Unsanitized user input in file path", - "description": "## Description\\n\\nConstructing file or path information dynamically, especially from user input, poses a significant security risk. If not handled correctly, attackers could manipulate these paths to access or manipulate sensitive files, leading to data breaches or system compromise. It is crucial to ensure that user input is not used directly to interact with the file system, as this can be exploited to perform path traversal attacks.\\n\\n## Remediations\\n\\nTo mitigate the risks associated with dynamic file path construction from user inputs, apply the following best practices:\\n\\n✅ Hash or Replace User Input\\n\\nWhen dealing with user input for file operations, hash the input or replace it with a system-generated unique identifier to prevent path manipulation.\\n\\n✅ Use \`filepath.Base\`\\n\\nExtract only the filename from the path, ignoring any directory information, to avoid directory traversal vulnerabilities.\\n\\n✅ Validate Paths Before Use\\n\\nAlways perform validation on the resolved paths before accessing files to ensure they are within the expected directory.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"encoding/hex\\"\\n \\"io\\"\\n \\"log\\"\\n \\"path/filepath\\"\\n \\"strings\\"\\n)\\n\\n// userData struct holds user-related data with a unique ID for file operations\\ntype userData struct {\\n id string // Unique identifier for the filename\\n userFilename string // Original filename from the user, kept for reference\\n}\\n\\n// newUserData constructs a new userData instance with a random file ID\\nfunc newUserData(userFilename string) userData {\\n return userData{\\n id: randomFileID(), // Use a random ID instead of user-provided filename\\n userFilename: userFilename,\\n }\\n}\\n\\n// randomFileID generates a secure random ID to be used as a filename\\nfunc randomFileID() string {\\n id := make([]byte, 16)\\n if _, err := io.ReadFull(rand.Reader, id); err != nil {\\n log.Fatal(err)\\n }\\n return hex.EncodeToString(id)\\n}\\n\\nfunc main() {\\n // Simulated user input, which may be malicious\\n data := newUserData(\\"../../possibly/malicious\\")\\n\\n // Define a safe base path for file operations\\n const basePath = \\"/tmp/\\"\\n\\n // Resolve the full path using the safe base path and the random ID\\n resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the resolved path is within our designated base path\\n if !strings.HasPrefix(resolvedPath, basePath) {\\n log.Fatal(\\"The resolved path does not start with the expected base path\\")\\n }\\n\\n // The file can now be safely accessed using resolvedPath\\n // Further file processing code would go here\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP Guide to Preventing Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_filereadtaint", - "line_number": 42, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 42, - "end": 42, - "column": { - "start": 13, - "end": 60 - } - }, - "sink": { - "start": 42, - "end": 42, - "column": { - "start": 13, - "end": 60 - }, - "content": "os.OpenFile(title, os.O_RDWR|os.O_CREATE, 0755)" - }, - "parent_line_number": 42, - "snippet": "os.OpenFile(title, os.O_RDWR|os.O_CREATE, 0755)", - "fingerprint": "4cbdcba5327691a5836bdf26ca7b0f5d_2", - "old_fingerprint": "74ca07036b660b9689e4fe7febfbed2b_2", - "code_extract": "\\t\\tf, err := os.OpenFile(title, os.O_RDWR|os.O_CREATE, 0755)" - }, - { - "cwe_ids": [ - "73" - ], - "id": "go_gosec_filesystem_filereadtaint", - "title": "Unsanitized user input in file path", - "description": "## Description\\n\\nConstructing file or path information dynamically, especially from user input, poses a significant security risk. If not handled correctly, attackers could manipulate these paths to access or manipulate sensitive files, leading to data breaches or system compromise. It is crucial to ensure that user input is not used directly to interact with the file system, as this can be exploited to perform path traversal attacks.\\n\\n## Remediations\\n\\nTo mitigate the risks associated with dynamic file path construction from user inputs, apply the following best practices:\\n\\n✅ Hash or Replace User Input\\n\\nWhen dealing with user input for file operations, hash the input or replace it with a system-generated unique identifier to prevent path manipulation.\\n\\n✅ Use \`filepath.Base\`\\n\\nExtract only the filename from the path, ignoring any directory information, to avoid directory traversal vulnerabilities.\\n\\n✅ Validate Paths Before Use\\n\\nAlways perform validation on the resolved paths before accessing files to ensure they are within the expected directory.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"encoding/hex\\"\\n \\"io\\"\\n \\"log\\"\\n \\"path/filepath\\"\\n \\"strings\\"\\n)\\n\\n// userData struct holds user-related data with a unique ID for file operations\\ntype userData struct {\\n id string // Unique identifier for the filename\\n userFilename string // Original filename from the user, kept for reference\\n}\\n\\n// newUserData constructs a new userData instance with a random file ID\\nfunc newUserData(userFilename string) userData {\\n return userData{\\n id: randomFileID(), // Use a random ID instead of user-provided filename\\n userFilename: userFilename,\\n }\\n}\\n\\n// randomFileID generates a secure random ID to be used as a filename\\nfunc randomFileID() string {\\n id := make([]byte, 16)\\n if _, err := io.ReadFull(rand.Reader, id); err != nil {\\n log.Fatal(err)\\n }\\n return hex.EncodeToString(id)\\n}\\n\\nfunc main() {\\n // Simulated user input, which may be malicious\\n data := newUserData(\\"../../possibly/malicious\\")\\n\\n // Define a safe base path for file operations\\n const basePath = \\"/tmp/\\"\\n\\n // Resolve the full path using the safe base path and the random ID\\n resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the resolved path is within our designated base path\\n if !strings.HasPrefix(resolvedPath, basePath) {\\n log.Fatal(\\"The resolved path does not start with the expected base path\\")\\n }\\n\\n // The file can now be safely accessed using resolvedPath\\n // Further file processing code would go here\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP Guide to Preventing Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_filereadtaint", - "line_number": 57, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 57, - "end": 57, - "column": { - "start": 15, - "end": 44 - } - }, - "sink": { - "start": 57, - "end": 57, - "column": { - "start": 15, - "end": 44 - }, - "content": "ioutil.ReadFile(\\"/tmp/\\" + f2)" - }, - "parent_line_number": 57, - "snippet": "ioutil.ReadFile(\\"/tmp/\\" + f2)", - "fingerprint": "4cbdcba5327691a5836bdf26ca7b0f5d_3", - "old_fingerprint": "74ca07036b660b9689e4fe7febfbed2b_3", - "code_extract": "\\tbody, err := ioutil.ReadFile(\\"/tmp/\\" + f2)" - }, - { - "cwe_ids": [ - "73" - ], - "id": "go_gosec_filesystem_filereadtaint", - "title": "Unsanitized user input in file path", - "description": "## Description\\n\\nConstructing file or path information dynamically, especially from user input, poses a significant security risk. If not handled correctly, attackers could manipulate these paths to access or manipulate sensitive files, leading to data breaches or system compromise. It is crucial to ensure that user input is not used directly to interact with the file system, as this can be exploited to perform path traversal attacks.\\n\\n## Remediations\\n\\nTo mitigate the risks associated with dynamic file path construction from user inputs, apply the following best practices:\\n\\n✅ Hash or Replace User Input\\n\\nWhen dealing with user input for file operations, hash the input or replace it with a system-generated unique identifier to prevent path manipulation.\\n\\n✅ Use \`filepath.Base\`\\n\\nExtract only the filename from the path, ignoring any directory information, to avoid directory traversal vulnerabilities.\\n\\n✅ Validate Paths Before Use\\n\\nAlways perform validation on the resolved paths before accessing files to ensure they are within the expected directory.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"encoding/hex\\"\\n \\"io\\"\\n \\"log\\"\\n \\"path/filepath\\"\\n \\"strings\\"\\n)\\n\\n// userData struct holds user-related data with a unique ID for file operations\\ntype userData struct {\\n id string // Unique identifier for the filename\\n userFilename string // Original filename from the user, kept for reference\\n}\\n\\n// newUserData constructs a new userData instance with a random file ID\\nfunc newUserData(userFilename string) userData {\\n return userData{\\n id: randomFileID(), // Use a random ID instead of user-provided filename\\n userFilename: userFilename,\\n }\\n}\\n\\n// randomFileID generates a secure random ID to be used as a filename\\nfunc randomFileID() string {\\n id := make([]byte, 16)\\n if _, err := io.ReadFull(rand.Reader, id); err != nil {\\n log.Fatal(err)\\n }\\n return hex.EncodeToString(id)\\n}\\n\\nfunc main() {\\n // Simulated user input, which may be malicious\\n data := newUserData(\\"../../possibly/malicious\\")\\n\\n // Define a safe base path for file operations\\n const basePath = \\"/tmp/\\"\\n\\n // Resolve the full path using the safe base path and the random ID\\n resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the resolved path is within our designated base path\\n if !strings.HasPrefix(resolvedPath, basePath) {\\n log.Fatal(\\"The resolved path does not start with the expected base path\\")\\n }\\n\\n // The file can now be safely accessed using resolvedPath\\n // Further file processing code would go here\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP Guide to Preventing Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_filereadtaint", - "line_number": 69, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 69, - "end": 69, - "column": { - "start": 12, - "end": 57 - } - }, - "sink": { - "start": 69, - "end": 69, - "column": { - "start": 12, - "end": 57 - }, - "content": "os.Open(filepath.Join(\\"/tmp/service/\\", file))" - }, - "parent_line_number": 69, - "snippet": "os.Open(filepath.Join(\\"/tmp/service/\\", file))", - "fingerprint": "4cbdcba5327691a5836bdf26ca7b0f5d_4", - "old_fingerprint": "74ca07036b660b9689e4fe7febfbed2b_4", - "code_extract": "\\tf, err := os.Open(filepath.Join(\\"/tmp/service/\\", file))" - }, - { - "cwe_ids": [ - "73" - ], - "id": "go_gosec_filesystem_filereadtaint", - "title": "Unsanitized user input in file path", - "description": "## Description\\n\\nConstructing file or path information dynamically, especially from user input, poses a significant security risk. If not handled correctly, attackers could manipulate these paths to access or manipulate sensitive files, leading to data breaches or system compromise. It is crucial to ensure that user input is not used directly to interact with the file system, as this can be exploited to perform path traversal attacks.\\n\\n## Remediations\\n\\nTo mitigate the risks associated with dynamic file path construction from user inputs, apply the following best practices:\\n\\n✅ Hash or Replace User Input\\n\\nWhen dealing with user input for file operations, hash the input or replace it with a system-generated unique identifier to prevent path manipulation.\\n\\n✅ Use \`filepath.Base\`\\n\\nExtract only the filename from the path, ignoring any directory information, to avoid directory traversal vulnerabilities.\\n\\n✅ Validate Paths Before Use\\n\\nAlways perform validation on the resolved paths before accessing files to ensure they are within the expected directory.\\n\\n\`\`\`go\\nimport (\\n \\"crypto/rand\\"\\n \\"encoding/hex\\"\\n \\"io\\"\\n \\"log\\"\\n \\"path/filepath\\"\\n \\"strings\\"\\n)\\n\\n// userData struct holds user-related data with a unique ID for file operations\\ntype userData struct {\\n id string // Unique identifier for the filename\\n userFilename string // Original filename from the user, kept for reference\\n}\\n\\n// newUserData constructs a new userData instance with a random file ID\\nfunc newUserData(userFilename string) userData {\\n return userData{\\n id: randomFileID(), // Use a random ID instead of user-provided filename\\n userFilename: userFilename,\\n }\\n}\\n\\n// randomFileID generates a secure random ID to be used as a filename\\nfunc randomFileID() string {\\n id := make([]byte, 16)\\n if _, err := io.ReadFull(rand.Reader, id); err != nil {\\n log.Fatal(err)\\n }\\n return hex.EncodeToString(id)\\n}\\n\\nfunc main() {\\n // Simulated user input, which may be malicious\\n data := newUserData(\\"../../possibly/malicious\\")\\n\\n // Define a safe base path for file operations\\n const basePath = \\"/tmp/\\"\\n\\n // Resolve the full path using the safe base path and the random ID\\n resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the resolved path is within our designated base path\\n if !strings.HasPrefix(resolvedPath, basePath) {\\n log.Fatal(\\"The resolved path does not start with the expected base path\\")\\n }\\n\\n // The file can now be safely accessed using resolvedPath\\n // Further file processing code would go here\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP Guide to Preventing Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_filereadtaint", - "line_number": 84, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 84, - "end": 84, - "column": { - "start": 15, - "end": 62 - } - }, - "sink": { - "start": 84, - "end": 84, - "column": { - "start": 15, - "end": 62 - }, - "content": "ioutil.ReadFile(filepath.Join(\\"/var/\\"+dir, f3))" - }, - "parent_line_number": 84, - "snippet": "ioutil.ReadFile(filepath.Join(\\"/var/\\"+dir, f3))", - "fingerprint": "4cbdcba5327691a5836bdf26ca7b0f5d_5", - "old_fingerprint": "74ca07036b660b9689e4fe7febfbed2b_5", - "code_extract": "\\tbody, err := ioutil.ReadFile(filepath.Join(\\"/var/\\"+dir, f3))" - } - ] -}" -`; diff --git a/tests/go/gosec/filesystem/filereadtaint/test.js b/tests/go/gosec/filesystem/filereadtaint/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/filesystem/filereadtaint/test.js +++ b/tests/go/gosec/filesystem/filereadtaint/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/filesystem/filereadtaint/testdata/main.go b/tests/go/gosec/filesystem/filereadtaint/testdata/main.go index 0df36d1c5..9888e2fe3 100644 --- a/tests/go/gosec/filesystem/filereadtaint/testdata/main.go +++ b/tests/go/gosec/filesystem/filereadtaint/testdata/main.go @@ -12,6 +12,7 @@ import ( func mainenvreadfile() { f := os.Getenv("tainted_file") +// bearer:expected go_gosec_filesystem_filereadtaint body, err := ioutil.ReadFile(f) if err != nil { log.Printf("Error: %v\n", err) @@ -23,6 +24,7 @@ func mainenvreadfile() { func mainqueryopen() { http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { title := r.URL.Query().Get("title") +// bearer:expected go_gosec_filesystem_filereadtaint f, err := os.Open(title) if err != nil { fmt.Printf("Error: %v\n", err) @@ -39,6 +41,7 @@ func mainqueryopen() { func mainqueryopenfile() { http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { title := r.URL.Query().Get("title") +// bearer:expected go_gosec_filesystem_filereadtaint f, err := os.OpenFile(title, os.O_RDWR|os.O_CREATE, 0755) if err != nil { fmt.Printf("Error: %v\n", err) @@ -54,6 +57,7 @@ func mainqueryopenfile() { func mainenvreadfileappend() { f2 := os.Getenv("tainted_file2") +// bearer:expected go_gosec_filesystem_filereadtaint body, err := ioutil.ReadFile("/tmp/" + f2) if err != nil { log.Printf("Error: %v\n", err) @@ -66,6 +70,7 @@ func mainstdinopenjoin() { fmt.Print("Please enter file to read: ") file, _ := reader.ReadString('\n') file = file[:len(file)-1] +// bearer:expected go_gosec_filesystem_filereadtaint f, err := os.Open(filepath.Join("/tmp/service/", file)) if err != nil { fmt.Printf("Error: %v\n", err) @@ -81,6 +86,7 @@ func mainenvreadfilejointwice() { dir := os.Getenv("server_root") f3 := os.Getenv("tainted_file3") // edge case where both a binary expression and file Join are used. +// bearer:expected go_gosec_filesystem_filereadtaint body, err := ioutil.ReadFile(filepath.Join("/var/"+dir, f3)) if err != nil { log.Printf("Error: %v\n", err) diff --git a/tests/go/gosec/filesystem/poor_write_permissions/__snapshots__/test.js.snap b/tests/go/gosec/filesystem/poor_write_permissions/__snapshots__/test.js.snap deleted file mode 100644 index be825bcbc..000000000 --- a/tests/go/gosec/filesystem/poor_write_permissions/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_filesystem_poor_write_permissions test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "276" - ], - "id": "go_gosec_filesystem_poor_write_permissions", - "title": "Permissive file creation", - "description": "## Description\\n\\nThe application has been detected setting file permissions that are too permissive. This configuration could allow unauthorized users to read, write, or execute files, potentially leading to information disclosure or other security vulnerabilities.\\n\\n## Remediations\\n\\nTo enhance security, file permissions should be set to more restrictive values, especially when the files contain sensitive information:\\n\\n✅ Use Restrictive File Permissions\\n\\nAssign file permissions to limit access appropriately based on the application's requirements.\\n\\n- \`0400\`: Grants read-only access to the file for the owner.\\n- \`0200\`: Grants write-only access to the file for the owner.\\n- \`0600\`: Grants read and write access to the file for the owner.\\n\\n✅ Apply Permissions During File Creation\\n\\nWhen creating or modifying files, set the appropriate permissions to prevent unauthorized access.\\n\\n\`\`\`go\\nimport (\\n \\"os\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n // Data to be written to the file\\n dat := []byte(\\"sensitive data\\")\\n\\n // Write the data to 'file.txt' with read and write permissions for the owner only\\n if err := os.WriteFile(\\"file.txt\\", dat, 0600); err != nil {\\n log.Fatalf(\\"failed to write file: %s\\", err)\\n }\\n // File is now safely written with restricted permissions\\n}\\n\`\`\`\\n\\n✅ Review File Permission Settings\\n\\nRegularly audit the permissions of files to ensure they conform to the principle of least privilege.\\n\\n## Resources\\n\\n- [Go Documentation for os Package](https://pkg.go.dev/os)\\n- [Linux 'chmod' Command](https://linux.die.net/man/1/chmod)\\n- [OWASP File Handling Best Practices](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_poor_write_permissions", - "line_number": 19, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 19, - "end": 19, - "column": { - "start": 9, - "end": 48 - } - }, - "sink": { - "start": 19, - "end": 19, - "column": { - "start": 9, - "end": 48 - }, - "content": "ioutil.WriteFile(\\"/tmp/dat1\\", d1, 0744)" - }, - "parent_line_number": 19, - "snippet": "ioutil.WriteFile(\\"/tmp/dat1\\", d1, 0744)", - "fingerprint": "608e26e1e7ff94dddcae86ff0bb9a03b_0", - "old_fingerprint": "bea73efa91d0340a983a52974a790bff_0", - "code_extract": "\\terr := ioutil.WriteFile(\\"/tmp/dat1\\", d1, 0744)" - } - ] -}" -`; diff --git a/tests/go/gosec/filesystem/poor_write_permissions/test.js b/tests/go/gosec/filesystem/poor_write_permissions/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/filesystem/poor_write_permissions/test.js +++ b/tests/go/gosec/filesystem/poor_write_permissions/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/filesystem/poor_write_permissions/testdata/main.go b/tests/go/gosec/filesystem/poor_write_permissions/testdata/main.go index bfed084ac..ec46830bd 100644 --- a/tests/go/gosec/filesystem/poor_write_permissions/testdata/main.go +++ b/tests/go/gosec/filesystem/poor_write_permissions/testdata/main.go @@ -16,6 +16,7 @@ func check(e error) { func mainwriteperms() { d1 := []byte("hello\ngo\n") +// bearer:expected go_gosec_filesystem_poor_write_permissions err := ioutil.WriteFile("/tmp/dat1", d1, 0744) check(err) diff --git a/tests/go/gosec/filesystem/tempfile/__snapshots__/test.js.snap b/tests/go/gosec/filesystem/tempfile/__snapshots__/test.js.snap deleted file mode 100644 index 20b3706a2..000000000 --- a/tests/go/gosec/filesystem/tempfile/__snapshots__/test.js.snap +++ /dev/null @@ -1,110 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_filesystem_tempfile test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "378" - ], - "id": "go_gosec_filesystem_tempfile", - "title": "Permissive temporary file creation", - "description": "## Description\\n\\nThe application has been observed creating files in shared system temporary directories, such as \`/tmp\` or \`/var/tmp\`, without the use of secure functions like \`os.CreateTemp\`. This practice is insecure because it opens up the possibility of symlink attacks, where an attacker could anticipate the temporary file name and create a symlink to a target file, leading to unauthorized file creation or overwriting when the application writes to what it believes is a temporary file.\\n\\n## Remediations\\n\\nTo prevent symlink attacks and other vulnerabilities associated with the use of shared temporary directories:\\n\\n✅ Use Secure Temporary File Creation\\n\\nImplement \`os.CreateTemp\` to safely create temporary files within a directory that's restricted to the application. This reduces the risk of symlink attacks and ensures that temporary files are handled securely.\\n\\n\`\`\`go\\nimport (\\n \\"os\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n // Ensure the application-restricted directory exists with appropriate permissions\\n restrictedDir := \\"/opt/appdir/restricted\\"\\n if err := os.MkdirAll(restrictedDir, 0700); err != nil {\\n log.Fatalf(\\"failed to create restricted directory: %s\\", err)\\n }\\n\\n // Securely create a temporary file within the restricted directory\\n f, err := os.CreateTemp(restrictedDir, \\"temp-*.txt\\")\\n if err != nil {\\n log.Fatalf(\\"failed to create temporary file: %s\\", err)\\n }\\n defer f.Close() // Ensure the file is closed when no longer needed\\n\\n defer os.Remove(f.Name()) // Clean up the file upon exit\\n // Continue working with the temporary file\\n}\\n\`\`\`\\n\\n✅ Avoid Shared Temporary Directories for Sensitive Operations\\n\\nDo not use common temporary directories for storing sensitive information or for operations that require secure handling of files.\\n\\n✅ Clean Up After Use\\n\\nAlways remove temporary files after their use to prevent accumulation and potential misuse.\\n\\n## Resources\\n\\n- [Go Documentation: os.CreateTemp](https://pkg.go.dev/os#CreateTemp)\\n- [Secure Coding Guidelines for File I/O](https://wiki.sei.cmu.edu/confluence/display/seccode/TOCTOU+Race+Conditions)\\n- [OWASP Guide to File System Security](https://owasp.org/www-community/controls/Path_Traversal)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_tempfile", - "line_number": 11, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 11, - "end": 11, - "column": { - "start": 9, - "end": 74 - } - }, - "sink": { - "start": 11, - "end": 11, - "column": { - "start": 9, - "end": 74 - }, - "content": "ioutil.WriteFile(\\"/tmp/demo2\\", []byte(\\"This is some data\\"), 0644)" - }, - "parent_line_number": 11, - "snippet": "ioutil.WriteFile(\\"/tmp/demo2\\", []byte(\\"This is some data\\"), 0644)", - "fingerprint": "6ecf2eddbc7c43a01ece9577a34e9e61_0", - "old_fingerprint": "e8eb39c1772c573d1ca552003803ccbb_0", - "code_extract": "\\terr := ioutil.WriteFile(\\"/tmp/demo2\\", []byte(\\"This is some data\\"), 0644)" - }, - { - "cwe_ids": [ - "378" - ], - "id": "go_gosec_filesystem_tempfile", - "title": "Permissive temporary file creation", - "description": "## Description\\n\\nThe application has been observed creating files in shared system temporary directories, such as \`/tmp\` or \`/var/tmp\`, without the use of secure functions like \`os.CreateTemp\`. This practice is insecure because it opens up the possibility of symlink attacks, where an attacker could anticipate the temporary file name and create a symlink to a target file, leading to unauthorized file creation or overwriting when the application writes to what it believes is a temporary file.\\n\\n## Remediations\\n\\nTo prevent symlink attacks and other vulnerabilities associated with the use of shared temporary directories:\\n\\n✅ Use Secure Temporary File Creation\\n\\nImplement \`os.CreateTemp\` to safely create temporary files within a directory that's restricted to the application. This reduces the risk of symlink attacks and ensures that temporary files are handled securely.\\n\\n\`\`\`go\\nimport (\\n \\"os\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n // Ensure the application-restricted directory exists with appropriate permissions\\n restrictedDir := \\"/opt/appdir/restricted\\"\\n if err := os.MkdirAll(restrictedDir, 0700); err != nil {\\n log.Fatalf(\\"failed to create restricted directory: %s\\", err)\\n }\\n\\n // Securely create a temporary file within the restricted directory\\n f, err := os.CreateTemp(restrictedDir, \\"temp-*.txt\\")\\n if err != nil {\\n log.Fatalf(\\"failed to create temporary file: %s\\", err)\\n }\\n defer f.Close() // Ensure the file is closed when no longer needed\\n\\n defer os.Remove(f.Name()) // Clean up the file upon exit\\n // Continue working with the temporary file\\n}\\n\`\`\`\\n\\n✅ Avoid Shared Temporary Directories for Sensitive Operations\\n\\nDo not use common temporary directories for storing sensitive information or for operations that require secure handling of files.\\n\\n✅ Clean Up After Use\\n\\nAlways remove temporary files after their use to prevent accumulation and potential misuse.\\n\\n## Resources\\n\\n- [Go Documentation: os.CreateTemp](https://pkg.go.dev/os#CreateTemp)\\n- [Secure Coding Guidelines for File I/O](https://wiki.sei.cmu.edu/confluence/display/seccode/TOCTOU+Race+Conditions)\\n- [OWASP Guide to File System Security](https://owasp.org/www-community/controls/Path_Traversal)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_tempfile", - "line_number": 18, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 18, - "end": 18, - "column": { - "start": 9, - "end": 70 - } - }, - "sink": { - "start": 18, - "end": 18, - "column": { - "start": 9, - "end": 70 - }, - "content": "os.WriteFile(\\"/tmp/demo2\\", []byte(\\"This is some data\\"), 0644)" - }, - "parent_line_number": 18, - "snippet": "os.WriteFile(\\"/tmp/demo2\\", []byte(\\"This is some data\\"), 0644)", - "fingerprint": "6ecf2eddbc7c43a01ece9577a34e9e61_1", - "old_fingerprint": "e8eb39c1772c573d1ca552003803ccbb_1", - "code_extract": "\\terr := os.WriteFile(\\"/tmp/demo2\\", []byte(\\"This is some data\\"), 0644)" - }, - { - "cwe_ids": [ - "378" - ], - "id": "go_gosec_filesystem_tempfile", - "title": "Permissive temporary file creation", - "description": "## Description\\n\\nThe application has been observed creating files in shared system temporary directories, such as \`/tmp\` or \`/var/tmp\`, without the use of secure functions like \`os.CreateTemp\`. This practice is insecure because it opens up the possibility of symlink attacks, where an attacker could anticipate the temporary file name and create a symlink to a target file, leading to unauthorized file creation or overwriting when the application writes to what it believes is a temporary file.\\n\\n## Remediations\\n\\nTo prevent symlink attacks and other vulnerabilities associated with the use of shared temporary directories:\\n\\n✅ Use Secure Temporary File Creation\\n\\nImplement \`os.CreateTemp\` to safely create temporary files within a directory that's restricted to the application. This reduces the risk of symlink attacks and ensures that temporary files are handled securely.\\n\\n\`\`\`go\\nimport (\\n \\"os\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n // Ensure the application-restricted directory exists with appropriate permissions\\n restrictedDir := \\"/opt/appdir/restricted\\"\\n if err := os.MkdirAll(restrictedDir, 0700); err != nil {\\n log.Fatalf(\\"failed to create restricted directory: %s\\", err)\\n }\\n\\n // Securely create a temporary file within the restricted directory\\n f, err := os.CreateTemp(restrictedDir, \\"temp-*.txt\\")\\n if err != nil {\\n log.Fatalf(\\"failed to create temporary file: %s\\", err)\\n }\\n defer f.Close() // Ensure the file is closed when no longer needed\\n\\n defer os.Remove(f.Name()) // Clean up the file upon exit\\n // Continue working with the temporary file\\n}\\n\`\`\`\\n\\n✅ Avoid Shared Temporary Directories for Sensitive Operations\\n\\nDo not use common temporary directories for storing sensitive information or for operations that require secure handling of files.\\n\\n✅ Clean Up After Use\\n\\nAlways remove temporary files after their use to prevent accumulation and potential misuse.\\n\\n## Resources\\n\\n- [Go Documentation: os.CreateTemp](https://pkg.go.dev/os#CreateTemp)\\n- [Secure Coding Guidelines for File I/O](https://wiki.sei.cmu.edu/confluence/display/seccode/TOCTOU+Race+Conditions)\\n- [OWASP Guide to File System Security](https://owasp.org/www-community/controls/Path_Traversal)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_tempfile", - "line_number": 26, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 26, - "end": 26, - "column": { - "start": 9, - "end": 62 - } - }, - "sink": { - "start": 26, - "end": 26, - "column": { - "start": 9, - "end": 62 - }, - "content": "os.WriteFile(path, []byte(\\"This is some data\\"), 0644)" - }, - "parent_line_number": 26, - "snippet": "os.WriteFile(path, []byte(\\"This is some data\\"), 0644)", - "fingerprint": "6ecf2eddbc7c43a01ece9577a34e9e61_2", - "old_fingerprint": "e8eb39c1772c573d1ca552003803ccbb_2", - "code_extract": "\\terr := os.WriteFile(path, []byte(\\"This is some data\\"), 0644)" - } - ] -}" -`; diff --git a/tests/go/gosec/filesystem/tempfile/test.js b/tests/go/gosec/filesystem/tempfile/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/filesystem/tempfile/test.js +++ b/tests/go/gosec/filesystem/tempfile/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/filesystem/tempfile/testdata/main.go b/tests/go/gosec/filesystem/tempfile/testdata/main.go index 1f83a455a..0308d24f6 100644 --- a/tests/go/gosec/filesystem/tempfile/testdata/main.go +++ b/tests/go/gosec/filesystem/tempfile/testdata/main.go @@ -8,6 +8,7 @@ import ( ) func foo1() { +// bearer:expected go_gosec_filesystem_tempfile err := ioutil.WriteFile("/tmp/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") @@ -15,6 +16,7 @@ func foo1() { } func foo2() { +// bearer:expected go_gosec_filesystem_tempfile err := os.WriteFile("/tmp/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") @@ -23,6 +25,7 @@ func foo2() { func foo3() { path := "/tmp/demo" +// bearer:expected go_gosec_filesystem_tempfile err := os.WriteFile(path, []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") diff --git a/tests/go/gosec/filesystem/ziparchive/__snapshots__/test.js.snap b/tests/go/gosec/filesystem/ziparchive/__snapshots__/test.js.snap deleted file mode 100644 index 30d628d39..000000000 --- a/tests/go/gosec/filesystem/ziparchive/__snapshots__/test.js.snap +++ /dev/null @@ -1,110 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_filesystem_ziparchive test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "22" - ], - "id": "go_gosec_filesystem_ziparchive", - "title": "Missing protection against 'Zip Slip' path traversal", - "description": "## Description\\n\\nThe application is at risk of a path traversal vulnerability, commonly known as 'Zip Slip', when extracting files from untrusted archives. Maliciously crafted archive files can contain relative path specifications that lead to writing files outside the intended directory when extracted, potentially overwriting system files or placing unauthorized files in critical paths.\\n\\n## Remediations\\n\\nTo safeguard against 'Zip Slip' and related exploitation techniques, follow these security practices:\\n\\n✅ Limit Archive Size\\n\\nImplement checks to ensure the zip archive's size does not exceed a maximum threshold, preventing 'Zip Bombs'—archives that decompress to disproportionately large sizes.\\n\\n✅ Generate Unique Filenames\\n\\nAvoid using the original filenames from the archive. If necessary, use only the base name after sanitizing or, better yet, generate a unique name to prevent intentional overwrites.\\n\\n✅ Validate Extraction Paths\\n\\nConfirm that extracted files are written to a specified, trusted directory and do not traverse outside of this directory.\\n\\n✅ Disallow Symbolic Links\\n\\nOnly process regular files. Exclude symbolic links to prevent indirect file read/write vulnerabilities.\\n\\n\`\`\`go\\nimport (\\n \\"archive/zip\\"\\n \\"io\\"\\n \\"log\\"\\n \\"os\\"\\n \\"path/filepath\\"\\n \\"strings\\"\\n)\\n\\nfunc main() {\\n // Open the zip file for reading\\n r, err := zip.OpenReader(\\"trusted.zip\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer r.Close()\\n\\n // Set up restrictions and base path\\n const (\\n expectedFileCount = 10\\n totalAllowedSize = 10 * 1024 * 1024 // 10MB\\n maxFileSize = 1024 * 1024 // 1MB\\n basePath = \\"/var/restricted/\\"\\n )\\n\\n // Calculate total size of uncompressed files\\n var totalSize uint64\\n for _, f := range r.File {\\n totalSize += f.UncompressedSize64\\n }\\n\\n // Check if total size exceeds the limit\\n if totalSize > totalAllowedSize {\\n log.Fatalf(\\"archive exceeds total allowed size: %d\\\\n\\", totalSize)\\n }\\n\\n // Process files in the archive\\n for _, f := range r.File {\\n // Skip overlarge files\\n if f.UncompressedSize64 > maxFileSize {\\n log.Printf(\\"skipping file as it exceeds maxFileSize: %s\\\\n\\", f.Name)\\n continue\\n }\\n\\n // Skip if not a regular file\\n if !f.Mode().IsRegular() {\\n log.Printf(\\"skipping non-regular file: %s\\\\n\\", f.Name)\\n continue\\n }\\n\\n // Securely resolve the file path\\n name := filepath.Base(f.Name)\\n resolvedPath, err := filepath.Join(basePath, name)\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the file does not traverse outside the base path\\n if !strings.HasPrefix(resolvedPath, basePath) {\\n log.Fatal(\\"path does not start with basePath\\")\\n }\\n\\n // Extract and process the file (omitted for brevity)\\n }\\n}\\n\`\`\`\\n\\nFor processing directories within the zip archive, ensure to clean the path and validate it strictly against the base path.\\n\\n## Resources\\n\\n- [OWASP Cheat Sheet: Zip Slip Vulnerability](https://cheatsheetseries.owasp.org/cheatsheets/Path_Traversal_Cheat_Sheet.html)\\n- [Go Documentation: archive/zip package](https://pkg.go.dev/archive/zip)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_ziparchive", - "line_number": 23, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 23, - "end": 23, - "column": { - "start": 11, - "end": 43 - } - }, - "sink": { - "start": 23, - "end": 23, - "column": { - "start": 11, - "end": 43 - }, - "content": "filepath.Join(target, file.Name)" - }, - "parent_line_number": 23, - "snippet": "filepath.Join(target, file.Name)", - "fingerprint": "704dc7b283b24c0deaaced0816ea502b_0", - "old_fingerprint": "1c766cd72bac736b6813d91ff99016c0_0", - "code_extract": "\\t\\tpath := filepath.Join(target, file.Name)" - }, - { - "cwe_ids": [ - "22" - ], - "id": "go_gosec_filesystem_ziparchive", - "title": "Missing protection against 'Zip Slip' path traversal", - "description": "## Description\\n\\nThe application is at risk of a path traversal vulnerability, commonly known as 'Zip Slip', when extracting files from untrusted archives. Maliciously crafted archive files can contain relative path specifications that lead to writing files outside the intended directory when extracted, potentially overwriting system files or placing unauthorized files in critical paths.\\n\\n## Remediations\\n\\nTo safeguard against 'Zip Slip' and related exploitation techniques, follow these security practices:\\n\\n✅ Limit Archive Size\\n\\nImplement checks to ensure the zip archive's size does not exceed a maximum threshold, preventing 'Zip Bombs'—archives that decompress to disproportionately large sizes.\\n\\n✅ Generate Unique Filenames\\n\\nAvoid using the original filenames from the archive. If necessary, use only the base name after sanitizing or, better yet, generate a unique name to prevent intentional overwrites.\\n\\n✅ Validate Extraction Paths\\n\\nConfirm that extracted files are written to a specified, trusted directory and do not traverse outside of this directory.\\n\\n✅ Disallow Symbolic Links\\n\\nOnly process regular files. Exclude symbolic links to prevent indirect file read/write vulnerabilities.\\n\\n\`\`\`go\\nimport (\\n \\"archive/zip\\"\\n \\"io\\"\\n \\"log\\"\\n \\"os\\"\\n \\"path/filepath\\"\\n \\"strings\\"\\n)\\n\\nfunc main() {\\n // Open the zip file for reading\\n r, err := zip.OpenReader(\\"trusted.zip\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer r.Close()\\n\\n // Set up restrictions and base path\\n const (\\n expectedFileCount = 10\\n totalAllowedSize = 10 * 1024 * 1024 // 10MB\\n maxFileSize = 1024 * 1024 // 1MB\\n basePath = \\"/var/restricted/\\"\\n )\\n\\n // Calculate total size of uncompressed files\\n var totalSize uint64\\n for _, f := range r.File {\\n totalSize += f.UncompressedSize64\\n }\\n\\n // Check if total size exceeds the limit\\n if totalSize > totalAllowedSize {\\n log.Fatalf(\\"archive exceeds total allowed size: %d\\\\n\\", totalSize)\\n }\\n\\n // Process files in the archive\\n for _, f := range r.File {\\n // Skip overlarge files\\n if f.UncompressedSize64 > maxFileSize {\\n log.Printf(\\"skipping file as it exceeds maxFileSize: %s\\\\n\\", f.Name)\\n continue\\n }\\n\\n // Skip if not a regular file\\n if !f.Mode().IsRegular() {\\n log.Printf(\\"skipping non-regular file: %s\\\\n\\", f.Name)\\n continue\\n }\\n\\n // Securely resolve the file path\\n name := filepath.Base(f.Name)\\n resolvedPath, err := filepath.Join(basePath, name)\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the file does not traverse outside the base path\\n if !strings.HasPrefix(resolvedPath, basePath) {\\n log.Fatal(\\"path does not start with basePath\\")\\n }\\n\\n // Extract and process the file (omitted for brevity)\\n }\\n}\\n\`\`\`\\n\\nFor processing directories within the zip archive, ensure to clean the path and validate it strictly against the base path.\\n\\n## Resources\\n\\n- [OWASP Cheat Sheet: Zip Slip Vulnerability](https://cheatsheetseries.owasp.org/cheatsheets/Path_Traversal_Cheat_Sheet.html)\\n- [Go Documentation: archive/zip package](https://pkg.go.dev/archive/zip)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_ziparchive", - "line_number": 61, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 61, - "end": 61, - "column": { - "start": 11, - "end": 45 - } - }, - "sink": { - "start": 61, - "end": 61, - "column": { - "start": 11, - "end": 45 - }, - "content": "filepath.Join(target, archiveFile)" - }, - "parent_line_number": 61, - "snippet": "filepath.Join(target, archiveFile)", - "fingerprint": "704dc7b283b24c0deaaced0816ea502b_1", - "old_fingerprint": "1c766cd72bac736b6813d91ff99016c0_1", - "code_extract": "\\t\\tpath := filepath.Join(target, archiveFile)" - }, - { - "cwe_ids": [ - "22" - ], - "id": "go_gosec_filesystem_ziparchive", - "title": "Missing protection against 'Zip Slip' path traversal", - "description": "## Description\\n\\nThe application is at risk of a path traversal vulnerability, commonly known as 'Zip Slip', when extracting files from untrusted archives. Maliciously crafted archive files can contain relative path specifications that lead to writing files outside the intended directory when extracted, potentially overwriting system files or placing unauthorized files in critical paths.\\n\\n## Remediations\\n\\nTo safeguard against 'Zip Slip' and related exploitation techniques, follow these security practices:\\n\\n✅ Limit Archive Size\\n\\nImplement checks to ensure the zip archive's size does not exceed a maximum threshold, preventing 'Zip Bombs'—archives that decompress to disproportionately large sizes.\\n\\n✅ Generate Unique Filenames\\n\\nAvoid using the original filenames from the archive. If necessary, use only the base name after sanitizing or, better yet, generate a unique name to prevent intentional overwrites.\\n\\n✅ Validate Extraction Paths\\n\\nConfirm that extracted files are written to a specified, trusted directory and do not traverse outside of this directory.\\n\\n✅ Disallow Symbolic Links\\n\\nOnly process regular files. Exclude symbolic links to prevent indirect file read/write vulnerabilities.\\n\\n\`\`\`go\\nimport (\\n \\"archive/zip\\"\\n \\"io\\"\\n \\"log\\"\\n \\"os\\"\\n \\"path/filepath\\"\\n \\"strings\\"\\n)\\n\\nfunc main() {\\n // Open the zip file for reading\\n r, err := zip.OpenReader(\\"trusted.zip\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer r.Close()\\n\\n // Set up restrictions and base path\\n const (\\n expectedFileCount = 10\\n totalAllowedSize = 10 * 1024 * 1024 // 10MB\\n maxFileSize = 1024 * 1024 // 1MB\\n basePath = \\"/var/restricted/\\"\\n )\\n\\n // Calculate total size of uncompressed files\\n var totalSize uint64\\n for _, f := range r.File {\\n totalSize += f.UncompressedSize64\\n }\\n\\n // Check if total size exceeds the limit\\n if totalSize > totalAllowedSize {\\n log.Fatalf(\\"archive exceeds total allowed size: %d\\\\n\\", totalSize)\\n }\\n\\n // Process files in the archive\\n for _, f := range r.File {\\n // Skip overlarge files\\n if f.UncompressedSize64 > maxFileSize {\\n log.Printf(\\"skipping file as it exceeds maxFileSize: %s\\\\n\\", f.Name)\\n continue\\n }\\n\\n // Skip if not a regular file\\n if !f.Mode().IsRegular() {\\n log.Printf(\\"skipping non-regular file: %s\\\\n\\", f.Name)\\n continue\\n }\\n\\n // Securely resolve the file path\\n name := filepath.Base(f.Name)\\n resolvedPath, err := filepath.Join(basePath, name)\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the file does not traverse outside the base path\\n if !strings.HasPrefix(resolvedPath, basePath) {\\n log.Fatal(\\"path does not start with basePath\\")\\n }\\n\\n // Extract and process the file (omitted for brevity)\\n }\\n}\\n\`\`\`\\n\\nFor processing directories within the zip archive, ensure to clean the path and validate it strictly against the base path.\\n\\n## Resources\\n\\n- [OWASP Cheat Sheet: Zip Slip Vulnerability](https://cheatsheetseries.owasp.org/cheatsheets/Path_Traversal_Cheat_Sheet.html)\\n- [Go Documentation: archive/zip package](https://pkg.go.dev/archive/zip)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_filesystem_ziparchive", - "line_number": 88, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 88, - "end": 88, - "column": { - "start": 14, - "end": 45 - } - }, - "sink": { - "start": 88, - "end": 88, - "column": { - "start": 14, - "end": 45 - }, - "content": "filepath.Join(destPath, f.Name)" - }, - "parent_line_number": 88, - "snippet": "filepath.Join(destPath, f.Name)", - "fingerprint": "704dc7b283b24c0deaaced0816ea502b_2", - "old_fingerprint": "1c766cd72bac736b6813d91ff99016c0_2", - "code_extract": "\\tfilePath := filepath.Join(destPath, f.Name)" - } - ] -}" -`; diff --git a/tests/go/gosec/filesystem/ziparchive/test.js b/tests/go/gosec/filesystem/ziparchive/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/filesystem/ziparchive/test.js +++ b/tests/go/gosec/filesystem/ziparchive/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/filesystem/ziparchive/testdata/main.go b/tests/go/gosec/filesystem/ziparchive/testdata/main.go index 9ab24c034..79ff6cfd7 100644 --- a/tests/go/gosec/filesystem/ziparchive/testdata/main.go +++ b/tests/go/gosec/filesystem/ziparchive/testdata/main.go @@ -20,6 +20,7 @@ func unzip(archive, target string) error { } for _, file := range reader.File { +// bearer:expected go_gosec_filesystem_ziparchive path := filepath.Join(target, file.Name) if file.FileInfo().IsDir() { os.MkdirAll(path, file.Mode()) // #nosec @@ -58,6 +59,7 @@ func unzipIndirectFilename(archive, target string) error { for _, file := range reader.File { archiveFile := file.Name +// bearer:expected go_gosec_filesystem_ziparchive path := filepath.Join(target, archiveFile) if file.FileInfo().IsDir() { os.MkdirAll(path, file.Mode()) // #nosec @@ -85,6 +87,7 @@ func unzipIndirectFilename(archive, target string) error { } func extractFile(f *zip.File, destPath string) error { +// bearer:expected go_gosec_filesystem_ziparchive filePath := filepath.Join(destPath, f.Name) os.MkdirAll(path.Dir(filePath), os.ModePerm) diff --git a/tests/go/gosec/http/http_serve/__snapshots__/test.js.snap b/tests/go/gosec/http/http_serve/__snapshots__/test.js.snap deleted file mode 100644 index d7f3f7395..000000000 --- a/tests/go/gosec/http/http_serve/__snapshots__/test.js.snap +++ /dev/null @@ -1,144 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_http_http_serve test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "400" - ], - "id": "go_gosec_http_http_serve", - "title": "Usage of vulnerable 'serve' function", - "description": "## Description\\n\\nThe \`net/http\` serve functions in Go, when used with default settings, are vulnerable to resource consumption attacks. Attackers can exploit this by creating numerous connections to the server, intentionally not completing data transfers or leaving connections open, which can exhaust the server's resources and prevent it from accepting new legitimate connections.\\n\\n## Remediations\\n\\nTo mitigate such attacks, specific server configurations are necessary:\\n\\n❌ Avoid Default Serve Functions for Production\\n\\nFunctions like \`http.ListenAndServe\` and \`http.Serve\` should not be used in a production setting as they do not allow for timeout configurations.\\n\\n✅ Configure Timeouts on Custom \`http.Server\` Object\\n\\nCreate a custom \`http.Server\` object and set appropriate timeouts to prevent resource exhaustion.\\n\\n\`\`\`go\\nimport (\\n \\"net/http\\"\\n \\"time\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n srv := &http.Server{\\n Addr: \\"localhost:8000\\",\\n ReadHeaderTimeout: 15 * time.Second,\\n ReadTimeout: 15 * time.Second,\\n WriteTimeout: 10 * time.Second,\\n IdleTimeout: 30 * time.Second,\\n }\\n\\n if err := srv.ListenAndServe(); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n✅ Use \`http.TimeoutHandler\` for Per Request Timeouts\\n\\nTo set timeouts for individual requests, use the \`http.TimeoutHandler\` wrapper on your handlers. This ensures that the server does not wait indefinitely for a request to complete.\\n\\n## Resources\\n\\n- [http.Server Timeouts Documentation](https://pkg.go.dev/net/http#Server)\\n- [Guide to Setting Request-Based Timeouts](https://pkg.go.dev/net/http#TimeoutHandler)\\n- [Understanding the Slowloris Attack](https://en.wikipedia.org/wiki/Slowloris_(computer_security))\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_http_http_serve", - "line_number": 12, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 12, - "end": 12, - "column": { - "start": 9, - "end": 42 - } - }, - "sink": { - "start": 12, - "end": 12, - "column": { - "start": 9, - "end": 42 - }, - "content": "http.ListenAndServe(\\":8443\\", nil)" - }, - "parent_line_number": 12, - "snippet": "http.ListenAndServe(\\":8443\\", nil)", - "fingerprint": "6f179bc162124459b0090fb499c31d43_0", - "old_fingerprint": "719e09cb6b2922d8ae44e9968c9c756f_0", - "code_extract": "\\terr := http.ListenAndServe(\\":8443\\", nil)" - }, - { - "cwe_ids": [ - "400" - ], - "id": "go_gosec_http_http_serve", - "title": "Usage of vulnerable 'serve' function", - "description": "## Description\\n\\nThe \`net/http\` serve functions in Go, when used with default settings, are vulnerable to resource consumption attacks. Attackers can exploit this by creating numerous connections to the server, intentionally not completing data transfers or leaving connections open, which can exhaust the server's resources and prevent it from accepting new legitimate connections.\\n\\n## Remediations\\n\\nTo mitigate such attacks, specific server configurations are necessary:\\n\\n❌ Avoid Default Serve Functions for Production\\n\\nFunctions like \`http.ListenAndServe\` and \`http.Serve\` should not be used in a production setting as they do not allow for timeout configurations.\\n\\n✅ Configure Timeouts on Custom \`http.Server\` Object\\n\\nCreate a custom \`http.Server\` object and set appropriate timeouts to prevent resource exhaustion.\\n\\n\`\`\`go\\nimport (\\n \\"net/http\\"\\n \\"time\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n srv := &http.Server{\\n Addr: \\"localhost:8000\\",\\n ReadHeaderTimeout: 15 * time.Second,\\n ReadTimeout: 15 * time.Second,\\n WriteTimeout: 10 * time.Second,\\n IdleTimeout: 30 * time.Second,\\n }\\n\\n if err := srv.ListenAndServe(); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n✅ Use \`http.TimeoutHandler\` for Per Request Timeouts\\n\\nTo set timeouts for individual requests, use the \`http.TimeoutHandler\` wrapper on your handlers. This ensures that the server does not wait indefinitely for a request to complete.\\n\\n## Resources\\n\\n- [http.Server Timeouts Documentation](https://pkg.go.dev/net/http#Server)\\n- [Guide to Setting Request-Based Timeouts](https://pkg.go.dev/net/http#TimeoutHandler)\\n- [Understanding the Slowloris Attack](https://en.wikipedia.org/wiki/Slowloris_(computer_security))\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_http_http_serve", - "line_number": 17, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 17, - "end": 17, - "column": { - "start": 9, - "end": 68 - } - }, - "sink": { - "start": 17, - "end": 17, - "column": { - "start": 9, - "end": 68 - }, - "content": "http.ListenAndServeTLS(\\":8443\\", \\"cert.pem\\", \\"key.pem\\", nil)" - }, - "parent_line_number": 17, - "snippet": "http.ListenAndServeTLS(\\":8443\\", \\"cert.pem\\", \\"key.pem\\", nil)", - "fingerprint": "6f179bc162124459b0090fb499c31d43_1", - "old_fingerprint": "719e09cb6b2922d8ae44e9968c9c756f_1", - "code_extract": "\\terr := http.ListenAndServeTLS(\\":8443\\", \\"cert.pem\\", \\"key.pem\\", nil)" - }, - { - "cwe_ids": [ - "400" - ], - "id": "go_gosec_http_http_serve", - "title": "Usage of vulnerable 'serve' function", - "description": "## Description\\n\\nThe \`net/http\` serve functions in Go, when used with default settings, are vulnerable to resource consumption attacks. Attackers can exploit this by creating numerous connections to the server, intentionally not completing data transfers or leaving connections open, which can exhaust the server's resources and prevent it from accepting new legitimate connections.\\n\\n## Remediations\\n\\nTo mitigate such attacks, specific server configurations are necessary:\\n\\n❌ Avoid Default Serve Functions for Production\\n\\nFunctions like \`http.ListenAndServe\` and \`http.Serve\` should not be used in a production setting as they do not allow for timeout configurations.\\n\\n✅ Configure Timeouts on Custom \`http.Server\` Object\\n\\nCreate a custom \`http.Server\` object and set appropriate timeouts to prevent resource exhaustion.\\n\\n\`\`\`go\\nimport (\\n \\"net/http\\"\\n \\"time\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n srv := &http.Server{\\n Addr: \\"localhost:8000\\",\\n ReadHeaderTimeout: 15 * time.Second,\\n ReadTimeout: 15 * time.Second,\\n WriteTimeout: 10 * time.Second,\\n IdleTimeout: 30 * time.Second,\\n }\\n\\n if err := srv.ListenAndServe(); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n✅ Use \`http.TimeoutHandler\` for Per Request Timeouts\\n\\nTo set timeouts for individual requests, use the \`http.TimeoutHandler\` wrapper on your handlers. This ensures that the server does not wait indefinitely for a request to complete.\\n\\n## Resources\\n\\n- [http.Server Timeouts Documentation](https://pkg.go.dev/net/http#Server)\\n- [Guide to Setting Request-Based Timeouts](https://pkg.go.dev/net/http#TimeoutHandler)\\n- [Understanding the Slowloris Attack](https://en.wikipedia.org/wiki/Slowloris_(computer_security))\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_http_http_serve", - "line_number": 27, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 27, - "end": 27, - "column": { - "start": 8, - "end": 26 - } - }, - "sink": { - "start": 27, - "end": 27, - "column": { - "start": 8, - "end": 26 - }, - "content": "http.Serve(l, nil)" - }, - "parent_line_number": 27, - "snippet": "http.Serve(l, nil)", - "fingerprint": "6f179bc162124459b0090fb499c31d43_2", - "old_fingerprint": "719e09cb6b2922d8ae44e9968c9c756f_2", - "code_extract": "\\terr = http.Serve(l, nil)" - }, - { - "cwe_ids": [ - "400" - ], - "id": "go_gosec_http_http_serve", - "title": "Usage of vulnerable 'serve' function", - "description": "## Description\\n\\nThe \`net/http\` serve functions in Go, when used with default settings, are vulnerable to resource consumption attacks. Attackers can exploit this by creating numerous connections to the server, intentionally not completing data transfers or leaving connections open, which can exhaust the server's resources and prevent it from accepting new legitimate connections.\\n\\n## Remediations\\n\\nTo mitigate such attacks, specific server configurations are necessary:\\n\\n❌ Avoid Default Serve Functions for Production\\n\\nFunctions like \`http.ListenAndServe\` and \`http.Serve\` should not be used in a production setting as they do not allow for timeout configurations.\\n\\n✅ Configure Timeouts on Custom \`http.Server\` Object\\n\\nCreate a custom \`http.Server\` object and set appropriate timeouts to prevent resource exhaustion.\\n\\n\`\`\`go\\nimport (\\n \\"net/http\\"\\n \\"time\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n srv := &http.Server{\\n Addr: \\"localhost:8000\\",\\n ReadHeaderTimeout: 15 * time.Second,\\n ReadTimeout: 15 * time.Second,\\n WriteTimeout: 10 * time.Second,\\n IdleTimeout: 30 * time.Second,\\n }\\n\\n if err := srv.ListenAndServe(); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n✅ Use \`http.TimeoutHandler\` for Per Request Timeouts\\n\\nTo set timeouts for individual requests, use the \`http.TimeoutHandler\` wrapper on your handlers. This ensures that the server does not wait indefinitely for a request to complete.\\n\\n## Resources\\n\\n- [http.Server Timeouts Documentation](https://pkg.go.dev/net/http#Server)\\n- [Guide to Setting Request-Based Timeouts](https://pkg.go.dev/net/http#TimeoutHandler)\\n- [Understanding the Slowloris Attack](https://en.wikipedia.org/wiki/Slowloris_(computer_security))\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_http_http_serve", - "line_number": 37, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 37, - "end": 37, - "column": { - "start": 8, - "end": 52 - } - }, - "sink": { - "start": 37, - "end": 37, - "column": { - "start": 8, - "end": 52 - }, - "content": "http.ServeTLS(l, nil, \\"cert.pem\\", \\"key.pem\\")" - }, - "parent_line_number": 37, - "snippet": "http.ServeTLS(l, nil, \\"cert.pem\\", \\"key.pem\\")", - "fingerprint": "6f179bc162124459b0090fb499c31d43_3", - "old_fingerprint": "719e09cb6b2922d8ae44e9968c9c756f_3", - "code_extract": "\\terr = http.ServeTLS(l, nil, \\"cert.pem\\", \\"key.pem\\")" - } - ] -}" -`; diff --git a/tests/go/gosec/http/http_serve/test.js b/tests/go/gosec/http/http_serve/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/http/http_serve/test.js +++ b/tests/go/gosec/http/http_serve/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/http/http_serve/testdata/main.go b/tests/go/gosec/http/http_serve/testdata/main.go index ec099cb1d..de29ee743 100644 --- a/tests/go/gosec/http/http_serve/testdata/main.go +++ b/tests/go/gosec/http/http_serve/testdata/main.go @@ -9,11 +9,13 @@ import ( ) func bad() { +// bearer:expected go_gosec_http_http_serve err := http.ListenAndServe(":8443", nil) log.Fatal(err) } func bad2() { +// bearer:expected go_gosec_http_http_serve err := http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", nil) log.Fatal(err) } @@ -24,6 +26,7 @@ func bad3() { log.Fatal(err) } defer l.Close() +// bearer:expected go_gosec_http_http_serve err = http.Serve(l, nil) log.Fatal(err) } @@ -34,6 +37,7 @@ func bad4() { log.Fatal(err) } defer l.Close() +// bearer:expected go_gosec_http_http_serve err = http.ServeTLS(l, nil, "cert.pem", "key.pem") log.Fatal(err) } diff --git a/tests/go/gosec/http/http_slowloris/__snapshots__/test.js.snap b/tests/go/gosec/http/http_slowloris/__snapshots__/test.js.snap deleted file mode 100644 index c226dbd05..000000000 --- a/tests/go/gosec/http/http_slowloris/__snapshots__/test.js.snap +++ /dev/null @@ -1,144 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_http_http_slowloris test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "400" - ], - "id": "go_gosec_http_http_slowloris", - "title": "Missing protection against 'Slowloris' attack", - "description": "## Description\\n\\nThe server configuration lacks a \`ReadHeaderTimeout\`, making it vulnerable to a Slowloris attack. This type of attack occurs when an attacker opens multiple connections to the server but sends only partial requests. The server keeps each connection open, waiting for the headers to be completed, ultimately leading to resource exhaustion.\\n\\n## Remediations\\n\\nTo protect against such attacks, the following steps should be taken:\\n\\n❌ Avoid Default Serve Functions for Production\\n\\nDo not use \`http.ListenAndServe\` and \`http.Serve\` in a production environment, as they do not support timeout settings.\\n\\n✅ Configure \`http.Server\` with Timeouts\\n\\nEstablish a custom \`http.Server\` instance with appropriate timeouts to prevent attackers from exploiting the lack of \`ReadHeaderTimeout\`.\\n\\n\`\`\`go\\nimport (\\n \\"net/http\\"\\n \\"time\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n srv := &http.Server{\\n Addr: \\"localhost:8000\\",\\n ReadHeaderTimeout: 15 * time.Second,\\n ReadTimeout: 15 * time.Second,\\n WriteTimeout: 10 * time.Second,\\n IdleTimeout: 30 * time.Second,\\n }\\n\\n if err := srv.ListenAndServe(); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n✅ Enforce Request Timeouts\\n\\nImplement \`http.TimeoutHandler\` to apply timeouts to individual HTTP handlers, which starts counting down only after the headers have been read.\\n\\n## Resources\\n\\n- [Configuring Timeouts in http.Server](https://pkg.go.dev/net/http#Server)\\n- [How to Set Request-Based Timeouts](https://pkg.go.dev/net/http#TimeoutHandler)\\n- [Understanding Slowloris Attacks](https://en.wikipedia.org/wiki/Slowloris_(computer_security))\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_http_http_slowloris", - "line_number": 29, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 29, - "end": 29, - "column": { - "start": 9, - "end": 32 - } - }, - "sink": { - "start": 29, - "end": 29, - "column": { - "start": 9, - "end": 32 - }, - "content": "server.ListenAndServe()" - }, - "parent_line_number": 29, - "snippet": "server.ListenAndServe()", - "fingerprint": "02c458471df80632680a2bcaf7e424f5_0", - "old_fingerprint": "16ccd1d3f814b5266924a8d012f4d13a_0", - "code_extract": "\\terr := server.ListenAndServe()" - }, - { - "cwe_ids": [ - "400" - ], - "id": "go_gosec_http_http_slowloris", - "title": "Missing protection against 'Slowloris' attack", - "description": "## Description\\n\\nThe server configuration lacks a \`ReadHeaderTimeout\`, making it vulnerable to a Slowloris attack. This type of attack occurs when an attacker opens multiple connections to the server but sends only partial requests. The server keeps each connection open, waiting for the headers to be completed, ultimately leading to resource exhaustion.\\n\\n## Remediations\\n\\nTo protect against such attacks, the following steps should be taken:\\n\\n❌ Avoid Default Serve Functions for Production\\n\\nDo not use \`http.ListenAndServe\` and \`http.Serve\` in a production environment, as they do not support timeout settings.\\n\\n✅ Configure \`http.Server\` with Timeouts\\n\\nEstablish a custom \`http.Server\` instance with appropriate timeouts to prevent attackers from exploiting the lack of \`ReadHeaderTimeout\`.\\n\\n\`\`\`go\\nimport (\\n \\"net/http\\"\\n \\"time\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n srv := &http.Server{\\n Addr: \\"localhost:8000\\",\\n ReadHeaderTimeout: 15 * time.Second,\\n ReadTimeout: 15 * time.Second,\\n WriteTimeout: 10 * time.Second,\\n IdleTimeout: 30 * time.Second,\\n }\\n\\n if err := srv.ListenAndServe(); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n✅ Enforce Request Timeouts\\n\\nImplement \`http.TimeoutHandler\` to apply timeouts to individual HTTP handlers, which starts counting down only after the headers have been read.\\n\\n## Resources\\n\\n- [Configuring Timeouts in http.Server](https://pkg.go.dev/net/http#Server)\\n- [How to Set Request-Based Timeouts](https://pkg.go.dev/net/http#TimeoutHandler)\\n- [Understanding Slowloris Attacks](https://en.wikipedia.org/wiki/Slowloris_(computer_security))\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_http_http_slowloris", - "line_number": 43, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 43, - "end": 43, - "column": { - "start": 9, - "end": 32 - } - }, - "sink": { - "start": 43, - "end": 43, - "column": { - "start": 9, - "end": 32 - }, - "content": "server.ListenAndServe()" - }, - "parent_line_number": 43, - "snippet": "server.ListenAndServe()", - "fingerprint": "02c458471df80632680a2bcaf7e424f5_1", - "old_fingerprint": "16ccd1d3f814b5266924a8d012f4d13a_1", - "code_extract": "\\terr := server.ListenAndServe()" - }, - { - "cwe_ids": [ - "400" - ], - "id": "go_gosec_http_http_slowloris", - "title": "Missing protection against 'Slowloris' attack", - "description": "## Description\\n\\nThe server configuration lacks a \`ReadHeaderTimeout\`, making it vulnerable to a Slowloris attack. This type of attack occurs when an attacker opens multiple connections to the server but sends only partial requests. The server keeps each connection open, waiting for the headers to be completed, ultimately leading to resource exhaustion.\\n\\n## Remediations\\n\\nTo protect against such attacks, the following steps should be taken:\\n\\n❌ Avoid Default Serve Functions for Production\\n\\nDo not use \`http.ListenAndServe\` and \`http.Serve\` in a production environment, as they do not support timeout settings.\\n\\n✅ Configure \`http.Server\` with Timeouts\\n\\nEstablish a custom \`http.Server\` instance with appropriate timeouts to prevent attackers from exploiting the lack of \`ReadHeaderTimeout\`.\\n\\n\`\`\`go\\nimport (\\n \\"net/http\\"\\n \\"time\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n srv := &http.Server{\\n Addr: \\"localhost:8000\\",\\n ReadHeaderTimeout: 15 * time.Second,\\n ReadTimeout: 15 * time.Second,\\n WriteTimeout: 10 * time.Second,\\n IdleTimeout: 30 * time.Second,\\n }\\n\\n if err := srv.ListenAndServe(); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n✅ Enforce Request Timeouts\\n\\nImplement \`http.TimeoutHandler\` to apply timeouts to individual HTTP handlers, which starts counting down only after the headers have been read.\\n\\n## Resources\\n\\n- [Configuring Timeouts in http.Server](https://pkg.go.dev/net/http#Server)\\n- [How to Set Request-Based Timeouts](https://pkg.go.dev/net/http#TimeoutHandler)\\n- [Understanding Slowloris Attacks](https://en.wikipedia.org/wiki/Slowloris_(computer_security))\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_http_http_slowloris", - "line_number": 58, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 58, - "end": 58, - "column": { - "start": 9, - "end": 32 - } - }, - "sink": { - "start": 58, - "end": 58, - "column": { - "start": 9, - "end": 32 - }, - "content": "server.ListenAndServe()" - }, - "parent_line_number": 58, - "snippet": "server.ListenAndServe()", - "fingerprint": "02c458471df80632680a2bcaf7e424f5_2", - "old_fingerprint": "16ccd1d3f814b5266924a8d012f4d13a_2", - "code_extract": "\\terr := server.ListenAndServe()" - }, - { - "cwe_ids": [ - "400" - ], - "id": "go_gosec_http_http_slowloris", - "title": "Missing protection against 'Slowloris' attack", - "description": "## Description\\n\\nThe server configuration lacks a \`ReadHeaderTimeout\`, making it vulnerable to a Slowloris attack. This type of attack occurs when an attacker opens multiple connections to the server but sends only partial requests. The server keeps each connection open, waiting for the headers to be completed, ultimately leading to resource exhaustion.\\n\\n## Remediations\\n\\nTo protect against such attacks, the following steps should be taken:\\n\\n❌ Avoid Default Serve Functions for Production\\n\\nDo not use \`http.ListenAndServe\` and \`http.Serve\` in a production environment, as they do not support timeout settings.\\n\\n✅ Configure \`http.Server\` with Timeouts\\n\\nEstablish a custom \`http.Server\` instance with appropriate timeouts to prevent attackers from exploiting the lack of \`ReadHeaderTimeout\`.\\n\\n\`\`\`go\\nimport (\\n \\"net/http\\"\\n \\"time\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n srv := &http.Server{\\n Addr: \\"localhost:8000\\",\\n ReadHeaderTimeout: 15 * time.Second,\\n ReadTimeout: 15 * time.Second,\\n WriteTimeout: 10 * time.Second,\\n IdleTimeout: 30 * time.Second,\\n }\\n\\n if err := srv.ListenAndServe(); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n✅ Enforce Request Timeouts\\n\\nImplement \`http.TimeoutHandler\` to apply timeouts to individual HTTP handlers, which starts counting down only after the headers have been read.\\n\\n## Resources\\n\\n- [Configuring Timeouts in http.Server](https://pkg.go.dev/net/http#Server)\\n- [How to Set Request-Based Timeouts](https://pkg.go.dev/net/http#TimeoutHandler)\\n- [Understanding Slowloris Attacks](https://en.wikipedia.org/wiki/Slowloris_(computer_security))\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_http_http_slowloris", - "line_number": 72, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 72, - "end": 72, - "column": { - "start": 9, - "end": 27 - } - }, - "sink": { - "start": 72, - "end": 72, - "column": { - "start": 9, - "end": 27 - }, - "content": "s.ListenAndServe()" - }, - "parent_line_number": 72, - "snippet": "s.ListenAndServe()", - "fingerprint": "02c458471df80632680a2bcaf7e424f5_3", - "old_fingerprint": "16ccd1d3f814b5266924a8d012f4d13a_3", - "code_extract": "\\terr := s.ListenAndServe()" - } - ] -}" -`; diff --git a/tests/go/gosec/http/http_slowloris/test.js b/tests/go/gosec/http/http_slowloris/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/http/http_slowloris/test.js +++ b/tests/go/gosec/http/http_slowloris/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/http/http_slowloris/testdata/main.go b/tests/go/gosec/http/http_slowloris/testdata/main.go index 025223388..4f46e2cc0 100644 --- a/tests/go/gosec/http/http_slowloris/testdata/main.go +++ b/tests/go/gosec/http/http_slowloris/testdata/main.go @@ -26,6 +26,7 @@ func ok() { Addr: ":1234", ReadHeaderTimeout: 3 * time.Second, } +// bearer:expected go_gosec_http_http_slowloris err := server.ListenAndServe() if err != nil { panic(err) @@ -40,6 +41,7 @@ func ok2() { Addr: ":1234", ReadTimeout: 1 * time.Second, } +// bearer:expected go_gosec_http_http_slowloris err := server.ListenAndServe() if err != nil { panic(err) @@ -55,6 +57,7 @@ func ok3() { } // FIXME: unsupported for now server.ReadHeaderTimeout = 1 * time.Second +// bearer:expected go_gosec_http_http_slowloris err := server.ListenAndServe() if err != nil { panic(err) @@ -69,6 +72,7 @@ func bad2() { Handler: router, } +// bearer:expected go_gosec_http_http_slowloris err := s.ListenAndServe() if err != nil { panic(err) diff --git a/tests/go/gosec/injection/ssrf_injection/__snapshots__/test.js.snap b/tests/go/gosec/injection/ssrf_injection/__snapshots__/test.js.snap deleted file mode 100644 index f08bf47ca..000000000 --- a/tests/go/gosec/injection/ssrf_injection/__snapshots__/test.js.snap +++ /dev/null @@ -1,144 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_injection_ssrf_injection test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "918" - ], - "id": "go_gosec_injection_ssrf_injection", - "title": "Unsanitized user input in HTTP request (SSRF)", - "description": "## Description\\n\\nServer-Side Request Forgery (SSRF) is a security vulnerability that occurs when a server-side application makes HTTP requests to arbitrary URLs controlled by the user. SSRF can be exploited by attackers to target internal systems behind firewalls that are otherwise inaccessible from the external network, by tricking the server into making requests to these systems.\\n\\n## Remediations\\n\\nTo mitigate SSRF vulnerabilities, follow these guidelines:\\n\\n✅ Validate User Input\\n\\nAvoid using direct user input to construct URLs for backend requests. If you must use user input, validate or sanitize it rigorously.\\n\\n✅ Restrict URLs to Known Safe Domains\\n\\nWhere possible, limit requests to a predefined set of safe URLs or domains. This can be done using server-side mapping from user-supplied keys to URLs.\\n\\n✅ Implement IP Safelists and Blocklists\\n\\nUse an HTTP client that allows customizing and blocking specific IP ranges, such as private network addresses and other non-routable IP ranges.\\n\\n✅ Use Network-Level Security\\n\\nIf the HTTP client doesn't support IP range blocking, consider running it with restricted system permissions, or within a secure network where firewall rules can block dangerous addresses.\\n\\n✅ Leverage a Secure HTTP Proxy\\n\\nAs a last resort, route all backend HTTP requests through a secure proxy that can filter out and block requests to potentially harmful addresses.\\n\\n\`\`\`go\\nimport (\\n \\"context\\"\\n \\"crypto/tls\\"\\n \\"errors\\"\\n \\"net\\"\\n \\"net/http\\"\\n \\"time\\"\\n)\\n\\n// IsDisallowedIP checks if an IP address falls within a range of disallowed IPs.\\nfunc IsDisallowedIP(hostIP string) bool {\\n ip := net.ParseIP(hostIP)\\n // Add more checks as necessary\\n return ip.IsMulticast() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate()\\n}\\n\\n// SafeTransport defines a custom transport that filters out disallowed IP addresses.\\nfunc SafeTransport(timeout time.Duration) *http.Transport {\\n return &http.Transport{\\n DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {\\n c, err := net.DialTimeout(network, addr, timeout)\\n if err != nil {\\n return nil, err\\n }\\n ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())\\n if IsDisallowedIP(ip) {\\n c.Close()\\n return nil, errors.New(\\"ip address is not allowed\\")\\n }\\n return c, err\\n },\\n DialTLS: func(network, addr string) (net.Conn, error) {\\n dialer := &net.Dialer{Timeout: timeout}\\n c, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{})\\n if err != nil {\\n return nil, err\\n }\\n ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())\\n if IsDisallowedIP(ip) {\\n c.Close()\\n return nil, errors.New(\\"ip address is not allowed\\")\\n }\\n return c, c.Handshake()\\n },\\n TLSHandshakeTimeout: timeout,\\n }\\n}\\n\\n// httpRequest performs a secure HTTP request, filtering out disallowed IPs.\\nfunc httpRequest(requestUrl string) {\\n const clientConnectTimeout = time.Second * 10\\n httpClient := &http.Client{\\n Transport: SafeTransport(clientConnectTimeout),\\n }\\n resp, err := httpClient.Get(requestUrl)\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer resp.Body.Close()\\n // Process response\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP SSRF Prevention Cheat Sheet](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_ssrf_injection", - "line_number": 19, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 19, - "end": 19, - "column": { - "start": 15, - "end": 28 - } - }, - "sink": { - "start": 19, - "end": 19, - "column": { - "start": 15, - "end": 28 - }, - "content": "http.Get(url)" - }, - "parent_line_number": 19, - "snippet": "http.Get(url)", - "fingerprint": "9be6d64d7285e77ffafc4015fe97ab33_0", - "old_fingerprint": "3062d5fa090e29d011c48ba41511badf_0", - "code_extract": "\\tresp, err := http.Get(url)" - }, - { - "cwe_ids": [ - "918" - ], - "id": "go_gosec_injection_ssrf_injection", - "title": "Unsanitized user input in HTTP request (SSRF)", - "description": "## Description\\n\\nServer-Side Request Forgery (SSRF) is a security vulnerability that occurs when a server-side application makes HTTP requests to arbitrary URLs controlled by the user. SSRF can be exploited by attackers to target internal systems behind firewalls that are otherwise inaccessible from the external network, by tricking the server into making requests to these systems.\\n\\n## Remediations\\n\\nTo mitigate SSRF vulnerabilities, follow these guidelines:\\n\\n✅ Validate User Input\\n\\nAvoid using direct user input to construct URLs for backend requests. If you must use user input, validate or sanitize it rigorously.\\n\\n✅ Restrict URLs to Known Safe Domains\\n\\nWhere possible, limit requests to a predefined set of safe URLs or domains. This can be done using server-side mapping from user-supplied keys to URLs.\\n\\n✅ Implement IP Safelists and Blocklists\\n\\nUse an HTTP client that allows customizing and blocking specific IP ranges, such as private network addresses and other non-routable IP ranges.\\n\\n✅ Use Network-Level Security\\n\\nIf the HTTP client doesn't support IP range blocking, consider running it with restricted system permissions, or within a secure network where firewall rules can block dangerous addresses.\\n\\n✅ Leverage a Secure HTTP Proxy\\n\\nAs a last resort, route all backend HTTP requests through a secure proxy that can filter out and block requests to potentially harmful addresses.\\n\\n\`\`\`go\\nimport (\\n \\"context\\"\\n \\"crypto/tls\\"\\n \\"errors\\"\\n \\"net\\"\\n \\"net/http\\"\\n \\"time\\"\\n)\\n\\n// IsDisallowedIP checks if an IP address falls within a range of disallowed IPs.\\nfunc IsDisallowedIP(hostIP string) bool {\\n ip := net.ParseIP(hostIP)\\n // Add more checks as necessary\\n return ip.IsMulticast() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate()\\n}\\n\\n// SafeTransport defines a custom transport that filters out disallowed IP addresses.\\nfunc SafeTransport(timeout time.Duration) *http.Transport {\\n return &http.Transport{\\n DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {\\n c, err := net.DialTimeout(network, addr, timeout)\\n if err != nil {\\n return nil, err\\n }\\n ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())\\n if IsDisallowedIP(ip) {\\n c.Close()\\n return nil, errors.New(\\"ip address is not allowed\\")\\n }\\n return c, err\\n },\\n DialTLS: func(network, addr string) (net.Conn, error) {\\n dialer := &net.Dialer{Timeout: timeout}\\n c, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{})\\n if err != nil {\\n return nil, err\\n }\\n ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())\\n if IsDisallowedIP(ip) {\\n c.Close()\\n return nil, errors.New(\\"ip address is not allowed\\")\\n }\\n return c, c.Handshake()\\n },\\n TLSHandshakeTimeout: timeout,\\n }\\n}\\n\\n// httpRequest performs a secure HTTP request, filtering out disallowed IPs.\\nfunc httpRequest(requestUrl string) {\\n const clientConnectTimeout = time.Second * 10\\n httpClient := &http.Client{\\n Transport: SafeTransport(clientConnectTimeout),\\n }\\n resp, err := httpClient.Get(requestUrl)\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer resp.Body.Close()\\n // Process response\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP SSRF Prevention Cheat Sheet](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_ssrf_injection", - "line_number": 48, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 48, - "end": 48, - "column": { - "start": 15, - "end": 28 - } - }, - "sink": { - "start": 48, - "end": 48, - "column": { - "start": 15, - "end": 28 - }, - "content": "http.Get(url)" - }, - "parent_line_number": 48, - "snippet": "http.Get(url)", - "fingerprint": "9be6d64d7285e77ffafc4015fe97ab33_1", - "old_fingerprint": "3062d5fa090e29d011c48ba41511badf_1", - "code_extract": "\\tresp, err := http.Get(url)" - }, - { - "cwe_ids": [ - "918" - ], - "id": "go_gosec_injection_ssrf_injection", - "title": "Unsanitized user input in HTTP request (SSRF)", - "description": "## Description\\n\\nServer-Side Request Forgery (SSRF) is a security vulnerability that occurs when a server-side application makes HTTP requests to arbitrary URLs controlled by the user. SSRF can be exploited by attackers to target internal systems behind firewalls that are otherwise inaccessible from the external network, by tricking the server into making requests to these systems.\\n\\n## Remediations\\n\\nTo mitigate SSRF vulnerabilities, follow these guidelines:\\n\\n✅ Validate User Input\\n\\nAvoid using direct user input to construct URLs for backend requests. If you must use user input, validate or sanitize it rigorously.\\n\\n✅ Restrict URLs to Known Safe Domains\\n\\nWhere possible, limit requests to a predefined set of safe URLs or domains. This can be done using server-side mapping from user-supplied keys to URLs.\\n\\n✅ Implement IP Safelists and Blocklists\\n\\nUse an HTTP client that allows customizing and blocking specific IP ranges, such as private network addresses and other non-routable IP ranges.\\n\\n✅ Use Network-Level Security\\n\\nIf the HTTP client doesn't support IP range blocking, consider running it with restricted system permissions, or within a secure network where firewall rules can block dangerous addresses.\\n\\n✅ Leverage a Secure HTTP Proxy\\n\\nAs a last resort, route all backend HTTP requests through a secure proxy that can filter out and block requests to potentially harmful addresses.\\n\\n\`\`\`go\\nimport (\\n \\"context\\"\\n \\"crypto/tls\\"\\n \\"errors\\"\\n \\"net\\"\\n \\"net/http\\"\\n \\"time\\"\\n)\\n\\n// IsDisallowedIP checks if an IP address falls within a range of disallowed IPs.\\nfunc IsDisallowedIP(hostIP string) bool {\\n ip := net.ParseIP(hostIP)\\n // Add more checks as necessary\\n return ip.IsMulticast() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate()\\n}\\n\\n// SafeTransport defines a custom transport that filters out disallowed IP addresses.\\nfunc SafeTransport(timeout time.Duration) *http.Transport {\\n return &http.Transport{\\n DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {\\n c, err := net.DialTimeout(network, addr, timeout)\\n if err != nil {\\n return nil, err\\n }\\n ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())\\n if IsDisallowedIP(ip) {\\n c.Close()\\n return nil, errors.New(\\"ip address is not allowed\\")\\n }\\n return c, err\\n },\\n DialTLS: func(network, addr string) (net.Conn, error) {\\n dialer := &net.Dialer{Timeout: timeout}\\n c, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{})\\n if err != nil {\\n return nil, err\\n }\\n ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())\\n if IsDisallowedIP(ip) {\\n c.Close()\\n return nil, errors.New(\\"ip address is not allowed\\")\\n }\\n return c, c.Handshake()\\n },\\n TLSHandshakeTimeout: timeout,\\n }\\n}\\n\\n// httpRequest performs a secure HTTP request, filtering out disallowed IPs.\\nfunc httpRequest(requestUrl string) {\\n const clientConnectTimeout = time.Second * 10\\n httpClient := &http.Client{\\n Transport: SafeTransport(clientConnectTimeout),\\n }\\n resp, err := httpClient.Get(requestUrl)\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer resp.Body.Close()\\n // Process response\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP SSRF Prevention Cheat Sheet](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_ssrf_injection", - "line_number": 110, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 110, - "end": 110, - "column": { - "start": 15, - "end": 28 - } - }, - "sink": { - "start": 110, - "end": 110, - "column": { - "start": 15, - "end": 28 - }, - "content": "http.Get(url)" - }, - "parent_line_number": 110, - "snippet": "http.Get(url)", - "fingerprint": "9be6d64d7285e77ffafc4015fe97ab33_2", - "old_fingerprint": "3062d5fa090e29d011c48ba41511badf_2", - "code_extract": "\\tresp, err := http.Get(url)" - }, - { - "cwe_ids": [ - "918" - ], - "id": "go_gosec_injection_ssrf_injection", - "title": "Unsanitized user input in HTTP request (SSRF)", - "description": "## Description\\n\\nServer-Side Request Forgery (SSRF) is a security vulnerability that occurs when a server-side application makes HTTP requests to arbitrary URLs controlled by the user. SSRF can be exploited by attackers to target internal systems behind firewalls that are otherwise inaccessible from the external network, by tricking the server into making requests to these systems.\\n\\n## Remediations\\n\\nTo mitigate SSRF vulnerabilities, follow these guidelines:\\n\\n✅ Validate User Input\\n\\nAvoid using direct user input to construct URLs for backend requests. If you must use user input, validate or sanitize it rigorously.\\n\\n✅ Restrict URLs to Known Safe Domains\\n\\nWhere possible, limit requests to a predefined set of safe URLs or domains. This can be done using server-side mapping from user-supplied keys to URLs.\\n\\n✅ Implement IP Safelists and Blocklists\\n\\nUse an HTTP client that allows customizing and blocking specific IP ranges, such as private network addresses and other non-routable IP ranges.\\n\\n✅ Use Network-Level Security\\n\\nIf the HTTP client doesn't support IP range blocking, consider running it with restricted system permissions, or within a secure network where firewall rules can block dangerous addresses.\\n\\n✅ Leverage a Secure HTTP Proxy\\n\\nAs a last resort, route all backend HTTP requests through a secure proxy that can filter out and block requests to potentially harmful addresses.\\n\\n\`\`\`go\\nimport (\\n \\"context\\"\\n \\"crypto/tls\\"\\n \\"errors\\"\\n \\"net\\"\\n \\"net/http\\"\\n \\"time\\"\\n)\\n\\n// IsDisallowedIP checks if an IP address falls within a range of disallowed IPs.\\nfunc IsDisallowedIP(hostIP string) bool {\\n ip := net.ParseIP(hostIP)\\n // Add more checks as necessary\\n return ip.IsMulticast() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate()\\n}\\n\\n// SafeTransport defines a custom transport that filters out disallowed IP addresses.\\nfunc SafeTransport(timeout time.Duration) *http.Transport {\\n return &http.Transport{\\n DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {\\n c, err := net.DialTimeout(network, addr, timeout)\\n if err != nil {\\n return nil, err\\n }\\n ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())\\n if IsDisallowedIP(ip) {\\n c.Close()\\n return nil, errors.New(\\"ip address is not allowed\\")\\n }\\n return c, err\\n },\\n DialTLS: func(network, addr string) (net.Conn, error) {\\n dialer := &net.Dialer{Timeout: timeout}\\n c, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{})\\n if err != nil {\\n return nil, err\\n }\\n ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())\\n if IsDisallowedIP(ip) {\\n c.Close()\\n return nil, errors.New(\\"ip address is not allowed\\")\\n }\\n return c, c.Handshake()\\n },\\n TLSHandshakeTimeout: timeout,\\n }\\n}\\n\\n// httpRequest performs a secure HTTP request, filtering out disallowed IPs.\\nfunc httpRequest(requestUrl string) {\\n const clientConnectTimeout = time.Second * 10\\n httpClient := &http.Client{\\n Transport: SafeTransport(clientConnectTimeout),\\n }\\n resp, err := httpClient.Get(requestUrl)\\n if err != nil {\\n log.Fatal(err)\\n }\\n defer resp.Body.Close()\\n // Process response\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP SSRF Prevention Cheat Sheet](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_ssrf_injection", - "line_number": 125, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 125, - "end": 125, - "column": { - "start": 14, - "end": 62 - } - }, - "sink": { - "start": 125, - "end": 125, - "column": { - "start": 14, - "end": 62 - }, - "content": "http.NewRequest(\\"POST\\", url, bytes.NewBuffer(q))" - }, - "parent_line_number": 125, - "snippet": "http.NewRequest(\\"POST\\", url, bytes.NewBuffer(q))", - "fingerprint": "9be6d64d7285e77ffafc4015fe97ab33_3", - "old_fingerprint": "3062d5fa090e29d011c48ba41511badf_3", - "code_extract": "\\treq, err := http.NewRequest(\\"POST\\", url, bytes.NewBuffer(q))" - } - ] -}" -`; diff --git a/tests/go/gosec/injection/ssrf_injection/test.js b/tests/go/gosec/injection/ssrf_injection/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/injection/ssrf_injection/test.js +++ b/tests/go/gosec/injection/ssrf_injection/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/injection/ssrf_injection/testdata/main.go b/tests/go/gosec/injection/ssrf_injection/testdata/main.go index 3b42b9862..e43810146 100644 --- a/tests/go/gosec/injection/ssrf_injection/testdata/main.go +++ b/tests/go/gosec/injection/ssrf_injection/testdata/main.go @@ -16,6 +16,7 @@ func foo1() { if err != nil { panic(err) } +// bearer:expected go_gosec_injection_ssrf_injection resp, err := http.Get(url) if err != nil { panic(err) @@ -45,6 +46,7 @@ func foo2() { func foo3() { url := os.Getenv("tainted_url") +// bearer:expected go_gosec_injection_ssrf_injection resp, err := http.Get(url) if err != nil { panic(err) @@ -107,6 +109,7 @@ func foo8() { } func get(url string) { +// bearer:expected go_gosec_injection_ssrf_injection resp, err := http.Get(url) if err != nil { fmt.Println(err) @@ -122,6 +125,7 @@ func foo9() { func foo10() { url := os.Args[0] var q = []byte(`your query`) +// bearer:expected go_gosec_injection_ssrf_injection req, err := http.NewRequest("POST", url, bytes.NewBuffer(q)) req.Header.Set("X-Custom-Header", "myvalue") req.Header.Set("Content-Type", "text/plain") diff --git a/tests/go/gosec/injection/subproc_injection/__snapshots__/test.js.snap b/tests/go/gosec/injection/subproc_injection/__snapshots__/test.js.snap deleted file mode 100644 index cf358b16d..000000000 --- a/tests/go/gosec/injection/subproc_injection/__snapshots__/test.js.snap +++ /dev/null @@ -1,280 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_injection_subproc_injection test 1`] = ` -"{ - "high": [ - { - "cwe_ids": [ - "78" - ], - "id": "go_gosec_injection_subproc_injection", - "title": "Unsanitized dynamic input in OS command", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes external input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct External Input\\n\\nDo not use externally-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any external input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that external input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct external input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", - "line_number": 23, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 23, - "end": 23, - "column": { - "start": 9, - "end": 67 - } - }, - "sink": { - "start": 23, - "end": 23, - "column": { - "start": 9, - "end": 67 - }, - "content": "exec.CommandContext(context.Background(), os.Args[0], \\"5\\")" - }, - "parent_line_number": 23, - "snippet": "exec.CommandContext(context.Background(), os.Args[0], \\"5\\")", - "fingerprint": "e873320a35cd659369a6c8d2ac40f9cd_0", - "old_fingerprint": "f4ac6999992abf88d09564e3aebce4fb_0", - "code_extract": "\\terr := exec.CommandContext(context.Background(), os.Args[0], \\"5\\").Run() // detected" - }, - { - "cwe_ids": [ - "78" - ], - "id": "go_gosec_injection_subproc_injection", - "title": "Unsanitized dynamic input in OS command", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes external input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct External Input\\n\\nDo not use externally-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any external input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that external input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct external input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", - "line_number": 33, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 33, - "end": 33, - "column": { - "start": 9, - "end": 31 - } - }, - "sink": { - "start": 33, - "end": 33, - "column": { - "start": 9, - "end": 31 - }, - "content": "exec.Command(run, \\"5\\")" - }, - "parent_line_number": 33, - "snippet": "exec.Command(run, \\"5\\")", - "fingerprint": "e873320a35cd659369a6c8d2ac40f9cd_1", - "old_fingerprint": "f4ac6999992abf88d09564e3aebce4fb_1", - "code_extract": "\\tcmd := exec.Command(run, \\"5\\") // detected" - }, - { - "cwe_ids": [ - "78" - ], - "id": "go_gosec_injection_subproc_injection", - "title": "Unsanitized dynamic input in OS command", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes external input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct External Input\\n\\nDo not use externally-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any external input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that external input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct external input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", - "line_number": 45, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 45, - "end": 45, - "column": { - "start": 9, - "end": 35 - } - }, - "sink": { - "start": 45, - "end": 45, - "column": { - "start": 9, - "end": 35 - }, - "content": "exec.Command(command, \\"5\\")" - }, - "parent_line_number": 45, - "snippet": "exec.Command(command, \\"5\\")", - "fingerprint": "e873320a35cd659369a6c8d2ac40f9cd_2", - "old_fingerprint": "f4ac6999992abf88d09564e3aebce4fb_2", - "code_extract": "\\tcmd := exec.Command(command, \\"5\\")" - }, - { - "cwe_ids": [ - "78" - ], - "id": "go_gosec_injection_subproc_injection", - "title": "Unsanitized dynamic input in OS command", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes external input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct External Input\\n\\nDo not use externally-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any external input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that external input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct external input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", - "line_number": 60, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 60, - "end": 60, - "column": { - "start": 9, - "end": 24 - } - }, - "sink": { - "start": 60, - "end": 60, - "column": { - "start": 9, - "end": 24 - }, - "content": "exec.Command(c)" - }, - "parent_line_number": 60, - "snippet": "exec.Command(c)", - "fingerprint": "e873320a35cd659369a6c8d2ac40f9cd_3", - "old_fingerprint": "f4ac6999992abf88d09564e3aebce4fb_3", - "code_extract": "\\tcmd := exec.Command(c)" - }, - { - "cwe_ids": [ - "78" - ], - "id": "go_gosec_injection_subproc_injection", - "title": "Unsanitized dynamic input in OS command", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes external input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct External Input\\n\\nDo not use externally-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any external input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that external input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct external input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", - "line_number": 68, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 68, - "end": 68, - "column": { - "start": 8, - "end": 23 - } - }, - "sink": { - "start": 68, - "end": 68, - "column": { - "start": 8, - "end": 23 - }, - "content": "exec.Command(a)" - }, - "parent_line_number": 68, - "snippet": "exec.Command(a)", - "fingerprint": "e873320a35cd659369a6c8d2ac40f9cd_4", - "old_fingerprint": "f4ac6999992abf88d09564e3aebce4fb_4", - "code_extract": "\\tcmd = exec.Command(a)" - }, - { - "cwe_ids": [ - "78" - ], - "id": "go_gosec_injection_subproc_injection", - "title": "Unsanitized dynamic input in OS command", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes external input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct External Input\\n\\nDo not use externally-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any external input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that external input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct external input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", - "line_number": 90, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 90, - "end": 90, - "column": { - "start": 12, - "end": 54 - } - }, - "sink": { - "start": 90, - "end": 90, - "column": { - "start": 12, - "end": 54 - }, - "content": "syscall.ForkExec(command, []string{}, nil)" - }, - "parent_line_number": 90, - "snippet": "syscall.ForkExec(command, []string{}, nil)", - "fingerprint": "e873320a35cd659369a6c8d2ac40f9cd_5", - "old_fingerprint": "f4ac6999992abf88d09564e3aebce4fb_5", - "code_extract": "\\t_, err := syscall.ForkExec(command, []string{}, nil)" - }, - { - "cwe_ids": [ - "78" - ], - "id": "go_gosec_injection_subproc_injection", - "title": "Unsanitized dynamic input in OS command", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes external input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct External Input\\n\\nDo not use externally-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any external input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that external input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct external input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", - "line_number": 102, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 102, - "end": 102, - "column": { - "start": 15, - "end": 61 - } - }, - "sink": { - "start": 102, - "end": 102, - "column": { - "start": 15, - "end": 61 - }, - "content": "syscall.StartProcess(command, []string{}, nil)" - }, - "parent_line_number": 102, - "snippet": "syscall.StartProcess(command, []string{}, nil)", - "fingerprint": "e873320a35cd659369a6c8d2ac40f9cd_6", - "old_fingerprint": "f4ac6999992abf88d09564e3aebce4fb_6", - "code_extract": "\\t_, _, err := syscall.StartProcess(command, []string{}, nil)" - }, - { - "cwe_ids": [ - "78" - ], - "id": "go_gosec_injection_subproc_injection", - "title": "Unsanitized dynamic input in OS command", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes external input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct External Input\\n\\nDo not use externally-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any external input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that external input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct external input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", - "line_number": 126, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 126, - "end": 126, - "column": { - "start": 9, - "end": 67 - } - }, - "sink": { - "start": 126, - "end": 126, - "column": { - "start": 9, - "end": 67 - }, - "content": "exec.CommandContext(context.Background(), os.Args[0], \\"5\\")" - }, - "parent_line_number": 126, - "snippet": "exec.CommandContext(context.Background(), os.Args[0], \\"5\\")", - "fingerprint": "e873320a35cd659369a6c8d2ac40f9cd_7", - "old_fingerprint": "f4ac6999992abf88d09564e3aebce4fb_7", - "code_extract": "\\terr := exec.CommandContext(context.Background(), os.Args[0], \\"5\\").Run() // detected" - } - ] -}" -`; diff --git a/tests/go/gosec/injection/subproc_injection/test.js b/tests/go/gosec/injection/subproc_injection/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/injection/subproc_injection/test.js +++ b/tests/go/gosec/injection/subproc_injection/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/injection/subproc_injection/testdata/main.go b/tests/go/gosec/injection/subproc_injection/testdata/main.go index b7c5c5cf4..578381435 100644 --- a/tests/go/gosec/injection/subproc_injection/testdata/main.go +++ b/tests/go/gosec/injection/subproc_injection/testdata/main.go @@ -20,6 +20,7 @@ func foo1() { func foo2() { // ruleid +// bearer:expected go_gosec_injection_subproc_injection err := exec.CommandContext(context.Background(), os.Args[0], "5").Run() // detected if err != nil { log.Fatal(err) @@ -30,6 +31,7 @@ func foo2() { func foo3() { run := "sleep" + os.Getenv("SOMETHING") // ruleid +// bearer:expected go_gosec_injection_subproc_injection cmd := exec.Command(run, "5") // detected err := cmd.Start() if err != nil { @@ -42,6 +44,7 @@ func foo3() { func foo4(command string) { // ruleid +// bearer:expected go_gosec_injection_subproc_injection cmd := exec.Command(command, "5") err := cmd.Start() if err != nil { @@ -57,6 +60,7 @@ func foo5() { func foo6(a string, c string) { // ruleid +// bearer:expected go_gosec_injection_subproc_injection cmd := exec.Command(c) err := cmd.Start() if err != nil { @@ -65,6 +69,7 @@ func foo6(a string, c string) { log.Printf("Waiting for command to finish...") err = cmd.Wait() // ruleid +// bearer:expected go_gosec_injection_subproc_injection cmd = exec.Command(a) err = cmd.Start() if err != nil { @@ -87,6 +92,7 @@ func foo8() { func foo9(command string) { // ruleid +// bearer:expected go_gosec_injection_subproc_injection _, err := syscall.ForkExec(command, []string{}, nil) if err != nil { fmt.Printf("Error: %v\n", err) @@ -99,6 +105,7 @@ func foo10() { func foo11(command string) { // ruleid +// bearer:expected go_gosec_injection_subproc_injection _, _, err := syscall.StartProcess(command, []string{}, nil) if err != nil { fmt.Printf("Error: %v\n", err) @@ -123,6 +130,7 @@ func foo13() { func foo14() { // ruleid +// bearer:expected go_gosec_injection_subproc_injection err := exec.CommandContext(context.Background(), os.Args[0], "5").Run() // detected if err != nil { log.Fatal(err) diff --git a/tests/go/gosec/injection/template_injection/__snapshots__/test.js.snap b/tests/go/gosec/injection/template_injection/__snapshots__/test.js.snap deleted file mode 100644 index d03c54d0b..000000000 --- a/tests/go/gosec/injection/template_injection/__snapshots__/test.js.snap +++ /dev/null @@ -1,110 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_injection_template_injection test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "79" - ], - "id": "go_gosec_injection_template_injection", - "title": "Unsanitized user input in web page generation (XSS)", - "description": "## Description\\n\\nCross-Site Scripting (XSS) is a vulnerability that allows attackers to run malicious scripts in the context of a trusted web application. This can happen when an application includes untrusted data without proper validation or escaping. There are several contexts where XSS can occur, each requiring specific encoding strategies to mitigate the risk.\\n\\n## Remediations\\n\\nTo defend against XSS attacks, consider the following measures:\\n\\n✅ Encode Based on Context\\n\\nWhen user input is reflected back in HTML, ensure it is encoded based on the context in which it is used (e.g., HTML content, HTML attributes, JavaScript context, CSS context, etc.).\\n\\n✅ Template Safely\\n\\nUtilize templating engines that automatically encode data based on context, and be cautious not to override these safeguards.\\n\\n✅ Sanitize Data\\n\\nUse libraries or functions designed to sanitize user input, particularly when inserting content into a web page.\\n\\n✅ Separate Data from Code\\n\\nAvoid inline scripting and event handlers, and instead use separate JavaScript files to handle events. This reduces the risk of script injection through event attributes.\\n\\n✅ Avoid Mixing Templating Systems\\n\\nDo not mix server-side and client-side templating systems, as server-side systems may not escape output in a way that is safe for client-side use.\\n\\n❌ Do Not Encode Before Storing\\n\\nAvoid encoding user input before storing it in a database. The encoding should be applied when the data is output, not before storage, to ensure that it is encoded appropriately for its context.\\n\\nHere's an example of using Go’s \`html/template\` package to safely render HTML content:\\n\\n\`\`\`go\\nimport (\\n \\"html/template\\"\\n \\"os\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n // Define a template with a function to safely render HTML\\n testTemplate, err := template.New(\\"testTemplate\\").Funcs(template.FuncMap{\\n \\"SafeHTML\\": func() template.HTML {\\n const safeHTML = \\"
hardcoded, safe html
\\"\\n return template.HTML(safeHTML)\\n },\\n }).Parse(\`{{ SafeHTML }}\`)\\n\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute the template and ensure proper encoding\\n if err := testTemplate.Execute(os.Stdout, nil); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\\n- [Go html/template Documentation](https://pkg.go.dev/html/template)\\n- [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_template_injection", - "line_number": 23, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 23, - "end": 23, - "column": { - "start": 12, - "end": 28 - } - }, - "sink": { - "start": 23, - "end": 23, - "column": { - "start": 12, - "end": 28 - }, - "content": "template.HTML(a)" - }, - "parent_line_number": 23, - "snippet": "template.HTML(a)", - "fingerprint": "681dfcec8a0252d95ac5e3fdfd0130f4_0", - "old_fingerprint": "264c42ced6ea2219364b42acf3794d16_0", - "code_extract": "\\t\\t\\"Body\\": template.HTML(a)," - }, - { - "cwe_ids": [ - "79" - ], - "id": "go_gosec_injection_template_injection", - "title": "Unsanitized user input in web page generation (XSS)", - "description": "## Description\\n\\nCross-Site Scripting (XSS) is a vulnerability that allows attackers to run malicious scripts in the context of a trusted web application. This can happen when an application includes untrusted data without proper validation or escaping. There are several contexts where XSS can occur, each requiring specific encoding strategies to mitigate the risk.\\n\\n## Remediations\\n\\nTo defend against XSS attacks, consider the following measures:\\n\\n✅ Encode Based on Context\\n\\nWhen user input is reflected back in HTML, ensure it is encoded based on the context in which it is used (e.g., HTML content, HTML attributes, JavaScript context, CSS context, etc.).\\n\\n✅ Template Safely\\n\\nUtilize templating engines that automatically encode data based on context, and be cautious not to override these safeguards.\\n\\n✅ Sanitize Data\\n\\nUse libraries or functions designed to sanitize user input, particularly when inserting content into a web page.\\n\\n✅ Separate Data from Code\\n\\nAvoid inline scripting and event handlers, and instead use separate JavaScript files to handle events. This reduces the risk of script injection through event attributes.\\n\\n✅ Avoid Mixing Templating Systems\\n\\nDo not mix server-side and client-side templating systems, as server-side systems may not escape output in a way that is safe for client-side use.\\n\\n❌ Do Not Encode Before Storing\\n\\nAvoid encoding user input before storing it in a database. The encoding should be applied when the data is output, not before storage, to ensure that it is encoded appropriately for its context.\\n\\nHere's an example of using Go’s \`html/template\` package to safely render HTML content:\\n\\n\`\`\`go\\nimport (\\n \\"html/template\\"\\n \\"os\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n // Define a template with a function to safely render HTML\\n testTemplate, err := template.New(\\"testTemplate\\").Funcs(template.FuncMap{\\n \\"SafeHTML\\": func() template.HTML {\\n const safeHTML = \\"
hardcoded, safe html
\\"\\n return template.HTML(safeHTML)\\n },\\n }).Parse(\`{{ SafeHTML }}\`)\\n\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute the template and ensure proper encoding\\n if err := testTemplate.Execute(os.Stdout, nil); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\\n- [Go html/template Documentation](https://pkg.go.dev/html/template)\\n- [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_template_injection", - "line_number": 32, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 32, - "end": 32, - "column": { - "start": 12, - "end": 26 - } - }, - "sink": { - "start": 32, - "end": 32, - "column": { - "start": 12, - "end": 26 - }, - "content": "template.JS(a)" - }, - "parent_line_number": 32, - "snippet": "template.JS(a)", - "fingerprint": "681dfcec8a0252d95ac5e3fdfd0130f4_1", - "old_fingerprint": "264c42ced6ea2219364b42acf3794d16_1", - "code_extract": "\\t\\t\\"Body\\": template.JS(a)," - }, - { - "cwe_ids": [ - "79" - ], - "id": "go_gosec_injection_template_injection", - "title": "Unsanitized user input in web page generation (XSS)", - "description": "## Description\\n\\nCross-Site Scripting (XSS) is a vulnerability that allows attackers to run malicious scripts in the context of a trusted web application. This can happen when an application includes untrusted data without proper validation or escaping. There are several contexts where XSS can occur, each requiring specific encoding strategies to mitigate the risk.\\n\\n## Remediations\\n\\nTo defend against XSS attacks, consider the following measures:\\n\\n✅ Encode Based on Context\\n\\nWhen user input is reflected back in HTML, ensure it is encoded based on the context in which it is used (e.g., HTML content, HTML attributes, JavaScript context, CSS context, etc.).\\n\\n✅ Template Safely\\n\\nUtilize templating engines that automatically encode data based on context, and be cautious not to override these safeguards.\\n\\n✅ Sanitize Data\\n\\nUse libraries or functions designed to sanitize user input, particularly when inserting content into a web page.\\n\\n✅ Separate Data from Code\\n\\nAvoid inline scripting and event handlers, and instead use separate JavaScript files to handle events. This reduces the risk of script injection through event attributes.\\n\\n✅ Avoid Mixing Templating Systems\\n\\nDo not mix server-side and client-side templating systems, as server-side systems may not escape output in a way that is safe for client-side use.\\n\\n❌ Do Not Encode Before Storing\\n\\nAvoid encoding user input before storing it in a database. The encoding should be applied when the data is output, not before storage, to ensure that it is encoded appropriately for its context.\\n\\nHere's an example of using Go’s \`html/template\` package to safely render HTML content:\\n\\n\`\`\`go\\nimport (\\n \\"html/template\\"\\n \\"os\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n // Define a template with a function to safely render HTML\\n testTemplate, err := template.New(\\"testTemplate\\").Funcs(template.FuncMap{\\n \\"SafeHTML\\": func() template.HTML {\\n const safeHTML = \\"
hardcoded, safe html
\\"\\n return template.HTML(safeHTML)\\n },\\n }).Parse(\`{{ SafeHTML }}\`)\\n\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute the template and ensure proper encoding\\n if err := testTemplate.Execute(os.Stdout, nil); err != nil {\\n log.Fatal(err)\\n }\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\\n- [Go html/template Documentation](https://pkg.go.dev/html/template)\\n- [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_template_injection", - "line_number": 41, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 41, - "end": 41, - "column": { - "start": 12, - "end": 27 - } - }, - "sink": { - "start": 41, - "end": 41, - "column": { - "start": 12, - "end": 27 - }, - "content": "template.URL(a)" - }, - "parent_line_number": 41, - "snippet": "template.URL(a)", - "fingerprint": "681dfcec8a0252d95ac5e3fdfd0130f4_2", - "old_fingerprint": "264c42ced6ea2219364b42acf3794d16_2", - "code_extract": "\\t\\t\\"Body\\": template.URL(a)," - } - ] -}" -`; diff --git a/tests/go/gosec/injection/template_injection/test.js b/tests/go/gosec/injection/template_injection/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/injection/template_injection/test.js +++ b/tests/go/gosec/injection/template_injection/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/injection/template_injection/testdata/main.go b/tests/go/gosec/injection/template_injection/testdata/main.go index f0d97a68e..e79bfad30 100644 --- a/tests/go/gosec/injection/template_injection/testdata/main.go +++ b/tests/go/gosec/injection/template_injection/testdata/main.go @@ -20,6 +20,7 @@ func foo2(a string) { t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test World", +// bearer:expected go_gosec_injection_template_injection "Body": template.HTML(a), } t.Execute(os.Stdout, v) @@ -29,6 +30,7 @@ func foo3(a string) { t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test World", +// bearer:expected go_gosec_injection_template_injection "Body": template.JS(a), } t.Execute(os.Stdout, v) @@ -38,6 +40,7 @@ func foo4(a string) { t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test World", +// bearer:expected go_gosec_injection_template_injection "Body": template.URL(a), } t.Execute(os.Stdout, v) diff --git a/tests/go/gosec/leak/pprof_endpoint/__snapshots__/test.js.snap b/tests/go/gosec/leak/pprof_endpoint/__snapshots__/test.js.snap deleted file mode 100644 index 13ea0e52a..000000000 --- a/tests/go/gosec/leak/pprof_endpoint/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_leak_pprof_endpoint test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "200" - ], - "id": "go_gosec_leak_pprof_endpoint", - "title": "Usage of active debug code (pprof enabled)", - "description": "## Description\\n\\nGo's standard library includes a profiling tool that can be enabled by importing \`net/http/pprof\`. This tool provides a \`/debug/pprof\` endpoint that exposes runtime profiling data over HTTP. When enabled in a production environment, it can present a significant security risk as it lacks authentication controls and can potentially leak sensitive information about the application's runtime state and environment.\\n\\n## Remediations\\n\\nTo prevent unintended exposure of profiling information:\\n\\n✅ Remove \`net/http/pprof\` in Production\\n\\nBefore deploying your application to a production environment, remove any import statements for \`net/http/pprof\` from your codebase. Ensure that the profiling endpoint is not available in the live environment.\\n\\n\`\`\`go\\n// +build !production\\n\\npackage main\\n\\nimport (\\n _ \\"net/http/pprof\\" // Ensure this line is not present in your production builds\\n \\"net/http\\"\\n)\\n\\nfunc main() {\\n // ... your application code ...\\n\\n // Start the server (omit the pprof import and handler in production)\\n log.Println(http.ListenAndServe(\\"localhost:6060\\", nil))\\n}\\n\`\`\`\\n\\n✅ Conditional Compilation\\n\\nUse build tags to include profiling only in non-production builds.\\n\\n✅ Use Environment Configurations\\n\\nConfigure environment-specific settings to conditionally enable or disable the profiling endpoints.\\n\\n✅ Implement Authentication\\n\\nIf profiling is necessary in a controlled production scenario, secure the endpoint with strong authentication mechanisms.\\n\\n## Resources\\n\\n- [Go net/http/pprof Package Documentation](https://pkg.go.dev/net/http/pprof)\\n- [Go Build Constraints Documentation](https://pkg.go.dev/go/build#hdr-Build_Constraints)\\n- [OWASP Security by Design Principles](https://owasp.org/www-project-security-by-design/)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_leak_pprof_endpoint", - "line_number": 7, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 7, - "end": 7, - "column": { - "start": 4, - "end": 20 - } - }, - "sink": { - "start": 7, - "end": 7, - "column": { - "start": 4, - "end": 20 - }, - "content": "\\"net/http/pprof\\"" - }, - "parent_line_number": 7, - "snippet": "\\"net/http/pprof\\"", - "fingerprint": "76d7f307921424da0f234602dea9aaa7_0", - "old_fingerprint": "402bf06eb23c86740dd7ee778fce3c5f_0", - "code_extract": "\\t_ \\"net/http/pprof\\"" - } - ] -}" -`; diff --git a/tests/go/gosec/leak/pprof_endpoint/test.js b/tests/go/gosec/leak/pprof_endpoint/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/leak/pprof_endpoint/test.js +++ b/tests/go/gosec/leak/pprof_endpoint/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/leak/pprof_endpoint/testdata/main.go b/tests/go/gosec/leak/pprof_endpoint/testdata/main.go index 91845b558..3128485c3 100644 --- a/tests/go/gosec/leak/pprof_endpoint/testdata/main.go +++ b/tests/go/gosec/leak/pprof_endpoint/testdata/main.go @@ -4,6 +4,7 @@ import ( "fmt" "log" "net/http" +// bearer:expected go_gosec_leak_pprof_endpoint _ "net/http/pprof" ) diff --git a/tests/go/gosec/memory/integer_overflow/__snapshots__/test.js.snap b/tests/go/gosec/memory/integer_overflow/__snapshots__/test.js.snap deleted file mode 100644 index 0c6d334ef..000000000 --- a/tests/go/gosec/memory/integer_overflow/__snapshots__/test.js.snap +++ /dev/null @@ -1,76 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_memory_integer_overflow test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "190" - ], - "id": "go_gosec_memory_integer_overflow", - "title": "Possible integer overflow", - "description": "## Description\\n\\nIn Go, the size of the \`int\` type varies with the system architecture: it's 32 bits on a 32-bit system and 64 bits on a 64-bit system. This variability can lead to integer overflow issues when a value returned from \`strconv.Atoi\` is cast to a smaller integer type, such as \`int32\` or \`int16\`, and the original number exceeds the maximum value that can be stored in the smaller type. Integer overflow can cause erratic behavior and potentially serious bugs.\\n\\n## Remediations\\n\\nTo prevent integer overflow and ensure safe type conversion:\\n\\n✅ Check Values Before Conversion\\n\\nBefore casting an \`int\` to a smaller type, compare it against the maximum values that the target type can hold.\\n\\n\`\`\`go\\nimport (\\n \\"strconv\\"\\n \\"fmt\\"\\n \\"log\\"\\n \\"math\\"\\n)\\n\\nfunc main() {\\n // Convert the string to an int\\n bigValue, err := strconv.Atoi(\\"32768\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the value does not exceed int16's maximum limit\\n if bigValue > math.MaxInt16 {\\n log.Fatal(\\"value too large to fit in int16\\")\\n }\\n\\n // Safely convert to int16\\n value := int16(bigValue)\\n fmt.Println(value)\\n}\\n\`\`\`\\n\\n✅ Use Appropriate Types\\n\\nWhere possible, use fixed-size types like \`int32\` or \`int64\` to avoid overflow issues related to architecture-dependent sizes.\\n\\n✅ Handle Errors\\n\\nAlways handle errors returned from conversion functions like \`strconv.Atoi\` to detect and manage conversion issues immediately.\\n\\n## Resources\\n\\n- [Go math package for integer limits](https://pkg.go.dev/math#pkg-constants)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_memory_integer_overflow", - "line_number": 10, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 10, - "end": 10, - "column": { - "start": 11, - "end": 26 - } - }, - "sink": { - "start": 10, - "end": 10, - "column": { - "start": 11, - "end": 26 - }, - "content": "int32(bigValue)" - }, - "parent_line_number": 10, - "snippet": "int32(bigValue)", - "fingerprint": "b5f27376bfb10d4674975a3b925e7fa8_0", - "old_fingerprint": "eb680ca9957c3112000a5ec4865bdca7_0", - "code_extract": "\\tvalue := int32(bigValue)" - }, - { - "cwe_ids": [ - "190" - ], - "id": "go_gosec_memory_integer_overflow", - "title": "Possible integer overflow", - "description": "## Description\\n\\nIn Go, the size of the \`int\` type varies with the system architecture: it's 32 bits on a 32-bit system and 64 bits on a 64-bit system. This variability can lead to integer overflow issues when a value returned from \`strconv.Atoi\` is cast to a smaller integer type, such as \`int32\` or \`int16\`, and the original number exceeds the maximum value that can be stored in the smaller type. Integer overflow can cause erratic behavior and potentially serious bugs.\\n\\n## Remediations\\n\\nTo prevent integer overflow and ensure safe type conversion:\\n\\n✅ Check Values Before Conversion\\n\\nBefore casting an \`int\` to a smaller type, compare it against the maximum values that the target type can hold.\\n\\n\`\`\`go\\nimport (\\n \\"strconv\\"\\n \\"fmt\\"\\n \\"log\\"\\n \\"math\\"\\n)\\n\\nfunc main() {\\n // Convert the string to an int\\n bigValue, err := strconv.Atoi(\\"32768\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Ensure the value does not exceed int16's maximum limit\\n if bigValue > math.MaxInt16 {\\n log.Fatal(\\"value too large to fit in int16\\")\\n }\\n\\n // Safely convert to int16\\n value := int16(bigValue)\\n fmt.Println(value)\\n}\\n\`\`\`\\n\\n✅ Use Appropriate Types\\n\\nWhere possible, use fixed-size types like \`int32\` or \`int64\` to avoid overflow issues related to architecture-dependent sizes.\\n\\n✅ Handle Errors\\n\\nAlways handle errors returned from conversion functions like \`strconv.Atoi\` to detect and manage conversion issues immediately.\\n\\n## Resources\\n\\n- [Go math package for integer limits](https://pkg.go.dev/math#pkg-constants)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_memory_integer_overflow", - "line_number": 16, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 16, - "end": 16, - "column": { - "start": 5, - "end": 20 - } - }, - "sink": { - "start": 16, - "end": 16, - "column": { - "start": 5, - "end": 20 - }, - "content": "int16(bigValue)" - }, - "parent_line_number": 16, - "snippet": "int16(bigValue)", - "fingerprint": "b5f27376bfb10d4674975a3b925e7fa8_1", - "old_fingerprint": "eb680ca9957c3112000a5ec4865bdca7_1", - "code_extract": "\\tif int16(bigValue) < 0 {" - } - ] -}" -`; diff --git a/tests/go/gosec/memory/integer_overflow/test.js b/tests/go/gosec/memory/integer_overflow/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/memory/integer_overflow/test.js +++ b/tests/go/gosec/memory/integer_overflow/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/memory/integer_overflow/testdata/main.go b/tests/go/gosec/memory/integer_overflow/testdata/main.go index 41cc79c94..5a9862764 100644 --- a/tests/go/gosec/memory/integer_overflow/testdata/main.go +++ b/tests/go/gosec/memory/integer_overflow/testdata/main.go @@ -7,12 +7,14 @@ import ( func foo1() { bigValue, _ := strconv.Atoi("2147483648") +// bearer:expected go_gosec_memory_integer_overflow value := int32(bigValue) fmt.Println(value) } func foo2() { bigValue, _ := strconv.Atoi("32768") +// bearer:expected go_gosec_memory_integer_overflow if int16(bigValue) < 0 { fmt.Println(bigValue) } diff --git a/tests/go/gosec/memory/math_big_rat/__snapshots__/test.js.snap b/tests/go/gosec/memory/math_big_rat/__snapshots__/test.js.snap deleted file mode 100644 index b90002bd2..000000000 --- a/tests/go/gosec/memory/math_big_rat/__snapshots__/test.js.snap +++ /dev/null @@ -1,76 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_memory_math_big_rat test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "190" - ], - "id": "go_gosec_memory_math_big_rat", - "title": "Possible integer overflow when converting strings", - "description": "## Description\\n\\nWhen converting strings to integers using \`strconv.Atoi\` in Go, there's a risk of integer overflow if the result is assigned to a smaller integer type such as \`int16\` or \`int32\`. The size of the default \`int\` type in Go is platform-dependent—64 bits on a 64-bit system and 32 bits on a 32-bit system. Overflow can occur when the value returned from \`strconv.Atoi\` exceeds the range of the target integer type.\\n\\n## Remediations\\n\\n✅ Check Before Conversion\\n\\nAlways verify that the value returned from \`strconv.Atoi\` is within the range of the target type before conversion.\\n\\n\`\`\`go\\nif intValue, err := strconv.Atoi(stringValue); err == nil {\\n if intValue >= math.MinInt16 && intValue <= math.MaxInt16 {\\n int16Value := int16(intValue)\\n // Use int16Value safely\\n }\\n}\\n\`\`\`\\n\\n✅ Use Specific Type Conversion Functions\\n\\nUse type-specific parsing functions such as \`strconv.ParseInt\` with the appropriate bit size to directly obtain the desired type.\\n\\n\`\`\`go\\nif int64Value, err := strconv.ParseInt(stringValue, 10, 16); err == nil {\\n int16Value := int16(int64Value)\\n // Use int16Value safely\\n}\\n\`\`\`\\n\\n❌ Avoid Blind Type Casting\\n\\nDo not cast the result of \`strconv.Atoi\` to a smaller integer type without validating that the value fits within the smaller type's range.\\n\\n❌ Don't Ignore Errors\\n\\nNever ignore the error returned by \`strconv.Atoi\`. Always handle it to catch conversion issues, including potential overflows.\\n\\n## Resources\\n\\n- [Go strconv package](https://pkg.go.dev/strconv)\\n- [Go math package for min/max constants](https://pkg.go.dev/math#pkg-constants)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_memory_math_big_rat", - "line_number": 10, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 10, - "end": 10, - "column": { - "start": 2, - "end": 40 - } - }, - "sink": { - "start": 10, - "end": 10, - "column": { - "start": 2, - "end": 40 - }, - "content": "r.SetString(\\"13e-9223372036854775808\\")" - }, - "parent_line_number": 10, - "snippet": "r.SetString(\\"13e-9223372036854775808\\")", - "fingerprint": "c052fe4b2e2d5b3e93126e805db0f49b_0", - "old_fingerprint": "9eef1553c0a08adba87fa4949d1507b3_0", - "code_extract": "\\tr.SetString(\\"13e-9223372036854775808\\")" - }, - { - "cwe_ids": [ - "190" - ], - "id": "go_gosec_memory_math_big_rat", - "title": "Possible integer overflow when converting strings", - "description": "## Description\\n\\nWhen converting strings to integers using \`strconv.Atoi\` in Go, there's a risk of integer overflow if the result is assigned to a smaller integer type such as \`int16\` or \`int32\`. The size of the default \`int\` type in Go is platform-dependent—64 bits on a 64-bit system and 32 bits on a 32-bit system. Overflow can occur when the value returned from \`strconv.Atoi\` exceeds the range of the target integer type.\\n\\n## Remediations\\n\\n✅ Check Before Conversion\\n\\nAlways verify that the value returned from \`strconv.Atoi\` is within the range of the target type before conversion.\\n\\n\`\`\`go\\nif intValue, err := strconv.Atoi(stringValue); err == nil {\\n if intValue >= math.MinInt16 && intValue <= math.MaxInt16 {\\n int16Value := int16(intValue)\\n // Use int16Value safely\\n }\\n}\\n\`\`\`\\n\\n✅ Use Specific Type Conversion Functions\\n\\nUse type-specific parsing functions such as \`strconv.ParseInt\` with the appropriate bit size to directly obtain the desired type.\\n\\n\`\`\`go\\nif int64Value, err := strconv.ParseInt(stringValue, 10, 16); err == nil {\\n int16Value := int16(int64Value)\\n // Use int16Value safely\\n}\\n\`\`\`\\n\\n❌ Avoid Blind Type Casting\\n\\nDo not cast the result of \`strconv.Atoi\` to a smaller integer type without validating that the value fits within the smaller type's range.\\n\\n❌ Don't Ignore Errors\\n\\nNever ignore the error returned by \`strconv.Atoi\`. Always handle it to catch conversion issues, including potential overflows.\\n\\n## Resources\\n\\n- [Go strconv package](https://pkg.go.dev/strconv)\\n- [Go math package for min/max constants](https://pkg.go.dev/math#pkg-constants)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_memory_math_big_rat", - "line_number": 16, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 16, - "end": 16, - "column": { - "start": 2, - "end": 20 - } - }, - "sink": { - "start": 16, - "end": 16, - "column": { - "start": 2, - "end": 20 - }, - "content": "r.SetString(input)" - }, - "parent_line_number": 16, - "snippet": "r.SetString(input)", - "fingerprint": "c052fe4b2e2d5b3e93126e805db0f49b_1", - "old_fingerprint": "9eef1553c0a08adba87fa4949d1507b3_1", - "code_extract": "\\tr.SetString(input)" - } - ] -}" -`; diff --git a/tests/go/gosec/memory/math_big_rat/test.js b/tests/go/gosec/memory/math_big_rat/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/memory/math_big_rat/test.js +++ b/tests/go/gosec/memory/math_big_rat/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/memory/math_big_rat/testdata/main.go b/tests/go/gosec/memory/math_big_rat/testdata/main.go index 30fd3dd99..e4d63db58 100644 --- a/tests/go/gosec/memory/math_big_rat/testdata/main.go +++ b/tests/go/gosec/memory/math_big_rat/testdata/main.go @@ -7,12 +7,14 @@ import ( func bad1() { r := big.Rat{} +// bearer:expected go_gosec_memory_math_big_rat r.SetString("13e-9223372036854775808") fmt.Println(r) } func bad2(input string) { r := big.Rat{} +// bearer:expected go_gosec_memory_math_big_rat r.SetString(input) fmt.Println(r) } diff --git a/tests/go/gosec/memory/memory_aliasing/__snapshots__/test.js.snap b/tests/go/gosec/memory/memory_aliasing/__snapshots__/test.js.snap deleted file mode 100644 index ec31d5896..000000000 --- a/tests/go/gosec/memory/memory_aliasing/__snapshots__/test.js.snap +++ /dev/null @@ -1,76 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_memory_memory_aliasing test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "118" - ], - "id": "go_gosec_memory_memory_aliasing", - "title": "Incorrect access of indexable resource (Range Error)", - "description": "## Description\\n\\nGo's \`for ... range\` constructs allocate a single iteration variable for the loop's duration, which can cause confusion when addresses of this variable are stored or used beyond a single iteration. Since the iteration variable's address remains constant, subsequent iterations overwrite the previously referenced values, leading to unexpected results, particularly when using go routines or deferred functions within the loop.\\n\\n## Remediations\\n\\n✅ Create a New Variable Inside the Loop\\n\\nDeclare a new local variable within the loop's scope to hold the iteration value. This ensures a unique address is used for each iteration.\\n\\n\`\`\`go\\nfor _, n := range []someStruct{{1}, {2}, {3}, {4}} {\\n localVar := n\\n // Use localVar instead of n\\n}\\n\`\`\`\\n\\n✅ Use Indexed Addressing\\n\\nInstead of the iteration variable, directly reference the indexed element within the array or slice.\\n\\n\`\`\`go\\nfor i := range mySlice {\\n // Use &mySlice[i] to obtain a stable address\\n}\\n\`\`\`\\n\\n❌ Do Not Store the Address of the Iteration Variable\\n\\nAvoid taking the address of the iteration variable and storing it, as it leads to all references pointing to the same memory location.\\n\\n❌ Avoid Using the Iteration Variable's Address in Goroutines\\n\\nUsing the iteration variable's address directly in goroutines can cause race conditions or logical errors, as the variable's value may change before the goroutine accesses it.\\n\\n## Resources\\n\\n- [Go For Statements](https://go.dev/ref/spec#For_statements)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_memory_memory_aliasing", - "line_number": 27, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 27, - "end": 27, - "column": { - "start": 16, - "end": 21 - } - }, - "sink": { - "start": 27, - "end": 27, - "column": { - "start": 16, - "end": 21 - }, - "content": "&item" - }, - "parent_line_number": 27, - "snippet": "&item", - "fingerprint": "48f24a9e016ac12602af8f93ed78cac9_0", - "old_fingerprint": "f4242521fe214000ea523c0029908b3d_0", - "code_extract": "\\t\\tappendVector(&item)" - }, - { - "cwe_ids": [ - "118" - ], - "id": "go_gosec_memory_memory_aliasing", - "title": "Incorrect access of indexable resource (Range Error)", - "description": "## Description\\n\\nGo's \`for ... range\` constructs allocate a single iteration variable for the loop's duration, which can cause confusion when addresses of this variable are stored or used beyond a single iteration. Since the iteration variable's address remains constant, subsequent iterations overwrite the previously referenced values, leading to unexpected results, particularly when using go routines or deferred functions within the loop.\\n\\n## Remediations\\n\\n✅ Create a New Variable Inside the Loop\\n\\nDeclare a new local variable within the loop's scope to hold the iteration value. This ensures a unique address is used for each iteration.\\n\\n\`\`\`go\\nfor _, n := range []someStruct{{1}, {2}, {3}, {4}} {\\n localVar := n\\n // Use localVar instead of n\\n}\\n\`\`\`\\n\\n✅ Use Indexed Addressing\\n\\nInstead of the iteration variable, directly reference the indexed element within the array or slice.\\n\\n\`\`\`go\\nfor i := range mySlice {\\n // Use &mySlice[i] to obtain a stable address\\n}\\n\`\`\`\\n\\n❌ Do Not Store the Address of the Iteration Variable\\n\\nAvoid taking the address of the iteration variable and storing it, as it leads to all references pointing to the same memory location.\\n\\n❌ Avoid Using the Iteration Variable's Address in Goroutines\\n\\nUsing the iteration variable's address directly in goroutines can cause race conditions or logical errors, as the variable's value may change before the goroutine accesses it.\\n\\n## Resources\\n\\n- [Go For Statements](https://go.dev/ref/spec#For_statements)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_memory_memory_aliasing", - "line_number": 54, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 54, - "end": 54, - "column": { - "start": 27, - "end": 29 - } - }, - "sink": { - "start": 54, - "end": 54, - "column": { - "start": 27, - "end": 29 - }, - "content": "&s" - }, - "parent_line_number": 54, - "snippet": "&s", - "fingerprint": "48f24a9e016ac12602af8f93ed78cac9_1", - "old_fingerprint": "f4242521fe214000ea523c0029908b3d_1", - "code_extract": "\\t\\tfmt.Println(\\"%d %p\\", i, &s)" - } - ] -}" -`; diff --git a/tests/go/gosec/memory/memory_aliasing/test.js b/tests/go/gosec/memory/memory_aliasing/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/memory/memory_aliasing/test.js +++ b/tests/go/gosec/memory/memory_aliasing/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/memory/memory_aliasing/testdata/main.go b/tests/go/gosec/memory/memory_aliasing/testdata/main.go index 64c7f296e..6ebbcce9f 100644 --- a/tests/go/gosec/memory/memory_aliasing/testdata/main.go +++ b/tests/go/gosec/memory/memory_aliasing/testdata/main.go @@ -24,6 +24,7 @@ func foo() (int, **string, *string) { func appendrange() { for _, item := range []string{"A", "B", "C"} { +// bearer:expected go_gosec_memory_memory_aliasing appendVector(&item) } @@ -51,6 +52,7 @@ func shouldNotBeReported() { func shouldBeReported() { array := []string{"a", "b"} for i, s := range array { +// bearer:expected go_gosec_memory_memory_aliasing fmt.Println("%d %p", i, &s) } } diff --git a/tests/go/gosec/network/bind_to_all_interfaces/__snapshots__/test.js.snap b/tests/go/gosec/network/bind_to_all_interfaces/__snapshots__/test.js.snap deleted file mode 100644 index aee91ac9c..000000000 --- a/tests/go/gosec/network/bind_to_all_interfaces/__snapshots__/test.js.snap +++ /dev/null @@ -1,42 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_network_bind_to_all_interfaces test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "200" - ], - "id": "go_gosec_network_bind_to_all_interfaces", - "title": "Permissive server network interface configuration", - "description": "## Description\\n\\nBinding to \\"0.0.0.0\\" allows a service to accept connections on all network interfaces. While this can be useful for services meant to be widely accessible, it can also unintentionally expose the service on network interfaces that are not secure or intended for such traffic, potentially leading to security vulnerabilities.\\n\\n## Remediations\\n\\nTo mitigate the risks associated with binding to all network interfaces:\\n\\n✅ Bind to a Specific Interface\\n\\nConfigure your service to listen on a specific IP address or network interface. This can be controlled through:\\n\\n- **Environment Variable**: Use an environment variable to specify the IP address, making the configuration more flexible and secure.\\n- **Configuration File**: Define the IP address in a configuration file which the application reads at startup.\\n- **Programmatic Identification**: Programmatically determine the appropriate network interface and bind the service to its IP address.\\n\\n\`\`\`go\\nimport (\\n \\"net\\"\\n \\"os\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n // Retrieve the IP address from an environment variable\\n addr := os.Getenv(\\"IP_ADDRESS\\")\\n\\n // Listen on the specified interface\\n listener, err := net.Listen(\\"tcp\\", addr)\\n if err != nil {\\n log.Fatalf(\\"Failed to listen on %s: %v\\", addr, err)\\n }\\n\\n // Continue to set up your server (e.g., http.Serve(listener, handler))\\n}\\n\`\`\`\\n\\n✅ **Security Best Practices**: Always follow security best practices when configuring network services, such as using firewalls to restrict access and encrypting traffic with TLS.\\n\\n## Resources\\n\\n- [Go net package](https://pkg.go.dev/net)\\n- [Go os package for environment variables](https://pkg.go.dev/os)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_network_bind_to_all_interfaces", - "line_number": 9, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 9, - "end": 9, - "column": { - "start": 12, - "end": 45 - } - }, - "sink": { - "start": 9, - "end": 9, - "column": { - "start": 12, - "end": 45 - }, - "content": "net.Listen(\\"tcp\\", \\"0.0.0.0:2000\\")" - }, - "parent_line_number": 9, - "snippet": "net.Listen(\\"tcp\\", \\"0.0.0.0:2000\\")", - "fingerprint": "d05a76cad778494c80db77eefff794f0_0", - "old_fingerprint": "88d3e0294f3fbf9ccbfc760132ed18ca_0", - "code_extract": "\\tl, err := net.Listen(\\"tcp\\", \\"0.0.0.0:2000\\")" - } - ] -}" -`; diff --git a/tests/go/gosec/network/bind_to_all_interfaces/test.js b/tests/go/gosec/network/bind_to_all_interfaces/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/network/bind_to_all_interfaces/test.js +++ b/tests/go/gosec/network/bind_to_all_interfaces/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/network/bind_to_all_interfaces/testdata/main.go b/tests/go/gosec/network/bind_to_all_interfaces/testdata/main.go index 4ace82cf2..1ec41f820 100644 --- a/tests/go/gosec/network/bind_to_all_interfaces/testdata/main.go +++ b/tests/go/gosec/network/bind_to_all_interfaces/testdata/main.go @@ -6,6 +6,7 @@ import ( ) func main() { +// bearer:expected go_gosec_network_bind_to_all_interfaces l, err := net.Listen("tcp", "0.0.0.0:2000") if err != nil { log.Fatal(err) diff --git a/tests/go/gosec/secrets/secrets/__snapshots__/test.js.snap b/tests/go/gosec/secrets/secrets/__snapshots__/test.js.snap deleted file mode 100644 index 55b16bfcb..000000000 --- a/tests/go/gosec/secrets/secrets/__snapshots__/test.js.snap +++ /dev/null @@ -1,110 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_secrets_secrets test 1`] = ` -"{ - "high": [ - { - "cwe_ids": [ - "798" - ], - "id": "go_gosec_secrets_secrets", - "title": "Usage of hard-coded password", - "description": "## Description\\n\\nStoring sensitive information such as secret keys, passwords, or API tokens directly in source code can lead to security vulnerabilities. This practice makes it easy for malicious actors to access these secrets if the codebase is exposed or improperly accessed.\\n\\n## Remediations\\n\\nTo protect sensitive information:\\n\\n✅ Dynamic Secret Retrieval\\n\\nImplement mechanisms to retrieve secrets dynamically at runtime from a secure source rather than hardcoding them in the source files.\\n\\n✅ Environment Variables\\n\\nUse environment variables to inject secrets into the application at runtime, keeping them out of the codebase.\\n\\n✅ Secrets Management Systems\\n\\nUtilize dedicated secrets management tools and services that securely store and manage sensitive information.\\n\\n✅ Encrypted Configuration Files\\n\\nStore secrets in configuration files that are encrypted and decrypt them at runtime within the application.\\n\\n✅ Access Control\\n\\nEnsure that the storage location for secrets has strict access controls to prevent unauthorized access.\\n\\n✅ Audit and Rotate Secrets\\n\\nRegularly audit access to secrets and rotate them to minimize the risk if they are compromised.\\n\\n## Resources\\n\\n- [OWASP: Use of Hard-coded Passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)\\n- [OWASP: Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html#21-high-availability)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_secrets_secrets", - "line_number": 7, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 7, - "end": 7, - "column": { - "start": 2, - "end": 59 - } - }, - "sink": { - "start": 7, - "end": 7, - "column": { - "start": 2, - "end": 59 - }, - "content": "var password = \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\"" - }, - "parent_line_number": 7, - "snippet": "var password = \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\"", - "fingerprint": "9e734ddc60109624107631b0392de18d_0", - "old_fingerprint": "ed5cd88d67a7df70d3590175a0307c35_0", - "code_extract": "\\tvar password = \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\"" - }, - { - "cwe_ids": [ - "798" - ], - "id": "go_gosec_secrets_secrets", - "title": "Usage of hard-coded password", - "description": "## Description\\n\\nStoring sensitive information such as secret keys, passwords, or API tokens directly in source code can lead to security vulnerabilities. This practice makes it easy for malicious actors to access these secrets if the codebase is exposed or improperly accessed.\\n\\n## Remediations\\n\\nTo protect sensitive information:\\n\\n✅ Dynamic Secret Retrieval\\n\\nImplement mechanisms to retrieve secrets dynamically at runtime from a secure source rather than hardcoding them in the source files.\\n\\n✅ Environment Variables\\n\\nUse environment variables to inject secrets into the application at runtime, keeping them out of the codebase.\\n\\n✅ Secrets Management Systems\\n\\nUtilize dedicated secrets management tools and services that securely store and manage sensitive information.\\n\\n✅ Encrypted Configuration Files\\n\\nStore secrets in configuration files that are encrypted and decrypt them at runtime within the application.\\n\\n✅ Access Control\\n\\nEnsure that the storage location for secrets has strict access controls to prevent unauthorized access.\\n\\n✅ Audit and Rotate Secrets\\n\\nRegularly audit access to secrets and rotate them to minimize the risk if they are compromised.\\n\\n## Resources\\n\\n- [OWASP: Use of Hard-coded Passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)\\n- [OWASP: Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html#21-high-availability)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_secrets_secrets", - "line_number": 15, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 15, - "end": 15, - "column": { - "start": 2, - "end": 55 - } - }, - "sink": { - "start": 15, - "end": 15, - "column": { - "start": 2, - "end": 55 - }, - "content": "password = \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\"" - }, - "parent_line_number": 15, - "snippet": "password = \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\"", - "fingerprint": "9e734ddc60109624107631b0392de18d_1", - "old_fingerprint": "ed5cd88d67a7df70d3590175a0307c35_1", - "code_extract": "\\tpassword = \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\"" - }, - { - "cwe_ids": [ - "798" - ], - "id": "go_gosec_secrets_secrets", - "title": "Usage of hard-coded password", - "description": "## Description\\n\\nStoring sensitive information such as secret keys, passwords, or API tokens directly in source code can lead to security vulnerabilities. This practice makes it easy for malicious actors to access these secrets if the codebase is exposed or improperly accessed.\\n\\n## Remediations\\n\\nTo protect sensitive information:\\n\\n✅ Dynamic Secret Retrieval\\n\\nImplement mechanisms to retrieve secrets dynamically at runtime from a secure source rather than hardcoding them in the source files.\\n\\n✅ Environment Variables\\n\\nUse environment variables to inject secrets into the application at runtime, keeping them out of the codebase.\\n\\n✅ Secrets Management Systems\\n\\nUtilize dedicated secrets management tools and services that securely store and manage sensitive information.\\n\\n✅ Encrypted Configuration Files\\n\\nStore secrets in configuration files that are encrypted and decrypt them at runtime within the application.\\n\\n✅ Access Control\\n\\nEnsure that the storage location for secrets has strict access controls to prevent unauthorized access.\\n\\n✅ Audit and Rotate Secrets\\n\\nRegularly audit access to secrets and rotate them to minimize the risk if they are compromised.\\n\\n## Resources\\n\\n- [OWASP: Use of Hard-coded Passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)\\n- [OWASP: Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html#21-high-availability)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_secrets_secrets", - "line_number": 22, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 22, - "end": 22, - "column": { - "start": 2, - "end": 56 - } - }, - "sink": { - "start": 22, - "end": 22, - "column": { - "start": 2, - "end": 56 - }, - "content": "password := \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\"" - }, - "parent_line_number": 22, - "snippet": "password := \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\"", - "fingerprint": "9e734ddc60109624107631b0392de18d_2", - "old_fingerprint": "ed5cd88d67a7df70d3590175a0307c35_2", - "code_extract": "\\tpassword := \\"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\\"" - } - ] -}" -`; diff --git a/tests/go/gosec/secrets/secrets/test.js b/tests/go/gosec/secrets/secrets/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/secrets/secrets/test.js +++ b/tests/go/gosec/secrets/secrets/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/secrets/secrets/testdata/main.go b/tests/go/gosec/secrets/secrets/testdata/main.go index bd9be3fad..94564580e 100644 --- a/tests/go/gosec/secrets/secrets/testdata/main.go +++ b/tests/go/gosec/secrets/secrets/testdata/main.go @@ -4,6 +4,7 @@ import "fmt" func bad1() { username := "admin" +// bearer:expected go_gosec_secrets_secrets var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" fmt.Println("Doing something with: ", username, password) @@ -12,6 +13,7 @@ func bad1() { func bad2() { username := "admin" var password string +// bearer:expected go_gosec_secrets_secrets password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" fmt.Println("Doing something with: ", username, password) @@ -19,6 +21,7 @@ func bad2() { func bad3() { username := "admin" +// bearer:expected go_gosec_secrets_secrets password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" fmt.Println("Doing something with: ", username, password) diff --git a/tests/go/gosec/sql/concat_sqli/__snapshots__/test.js.snap b/tests/go/gosec/sql/concat_sqli/__snapshots__/test.js.snap deleted file mode 100644 index 1c8900a41..000000000 --- a/tests/go/gosec/sql/concat_sqli/__snapshots__/test.js.snap +++ /dev/null @@ -1,355 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_sql_concat_sqli test 1`] = ` -"{ - "high": [ - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 15, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 15, - "end": 15, - "column": { - "start": 15, - "end": 71 - } - }, - "sink": { - "start": 15, - "end": 15, - "column": { - "start": 15, - "end": 71 - }, - "content": "db.Query(\\"SELECT * FROM foo WHERE name = \\" + os.Args[1])" - }, - "parent_line_number": 15, - "snippet": "db.Query(\\"SELECT * FROM foo WHERE name = \\" + os.Args[1])", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_0", - "old_fingerprint": "3350ddd230bfd667e45a89b42b9b1b39_0", - "code_extract": "\\trows, err := db.Query(\\"SELECT * FROM foo WHERE name = \\" + os.Args[1])" - }, - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 27, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 27, - "end": 27, - "column": { - "start": 15, - "end": 71 - } - }, - "sink": { - "start": 27, - "end": 27, - "column": { - "start": 15, - "end": 71 - }, - "content": "db.Query(\\"select * from foo where name = \\" + os.Args[1])" - }, - "parent_line_number": 27, - "snippet": "db.Query(\\"select * from foo where name = \\" + os.Args[1])", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_1", - "old_fingerprint": "3350ddd230bfd667e45a89b42b9b1b39_1", - "code_extract": "\\trows, err := db.Query(\\"select * from foo where name = \\" + os.Args[1])" - }, - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 39, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 39, - "end": 39, - "column": { - "start": 15, - "end": 98 - } - }, - "sink": { - "start": 39, - "end": 39, - "column": { - "start": 15, - "end": 98 - }, - "content": "db.QueryContext(context.Background(), \\"select * from foo where name = \\"+os.Args[1])" - }, - "parent_line_number": 39, - "snippet": "db.QueryContext(context.Background(), \\"select * from foo where name = \\"+os.Args[1])", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_2", - "old_fingerprint": "3350ddd230bfd667e45a89b42b9b1b39_2", - "code_extract": "\\trows, err := db.QueryContext(context.Background(), \\"select * from foo where name = \\"+os.Args[1])" - }, - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 56, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 56, - "end": 56, - "column": { - "start": 15, - "end": 98 - } - }, - "sink": { - "start": 56, - "end": 56, - "column": { - "start": 15, - "end": 98 - }, - "content": "tx.QueryContext(context.Background(), \\"select * from foo where name = \\"+os.Args[1])" - }, - "parent_line_number": 56, - "snippet": "tx.QueryContext(context.Background(), \\"select * from foo where name = \\"+os.Args[1])", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_3", - "old_fingerprint": "3350ddd230bfd667e45a89b42b9b1b39_3", - "code_extract": "\\trows, err := tx.QueryContext(context.Background(), \\"select * from foo where name = \\"+os.Args[1])" - }, - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 71, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 71, - "end": 71, - "column": { - "start": 15, - "end": 75 - } - }, - "sink": { - "start": 71, - "end": 71, - "column": { - "start": 15, - "end": 75 - }, - "content": "db.Query(\\"SELECT * FROM foo\\" + \\"WHERE name = \\" + os.Args[1])" - }, - "parent_line_number": 71, - "snippet": "db.Query(\\"SELECT * FROM foo\\" + \\"WHERE name = \\" + os.Args[1])", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_4", - "old_fingerprint": "3350ddd230bfd667e45a89b42b9b1b39_4", - "code_extract": "\\trows, err := db.Query(\\"SELECT * FROM foo\\" + \\"WHERE name = \\" + os.Args[1])" - }, - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 142, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 142, - "end": 142, - "column": { - "start": 15, - "end": 38 - } - }, - "sink": { - "start": 142, - "end": 142, - "column": { - "start": 15, - "end": 38 - }, - "content": "DB.Query(getProfileSql)" - }, - "parent_line_number": 142, - "snippet": "DB.Query(getProfileSql)", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_5", - "old_fingerprint": "3350ddd230bfd667e45a89b42b9b1b39_5", - "code_extract": "\\trows, err := DB.Query(getProfileSql)" - } - ] -}" -`; - -exports[`go_gosec_sql_concat_sqli test 2 1`] = ` -"{ - "high": [ - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 18, - "full_filename": "/tmp/bearer-scan/main2.go", - "filename": ".", - "source": { - "start": 18, - "end": 18, - "column": { - "start": 15, - "end": 26 - } - }, - "sink": { - "start": 18, - "end": 18, - "column": { - "start": 15, - "end": 26 - }, - "content": "db.Query(q)" - }, - "parent_line_number": 18, - "snippet": "db.Query(q)", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_0", - "old_fingerprint": "a93104166356c0a2709944f5e9659abf_0", - "code_extract": "\\trows, err := db.Query(q)" - }, - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 31, - "full_filename": "/tmp/bearer-scan/main2.go", - "filename": ".", - "source": { - "start": 31, - "end": 31, - "column": { - "start": 15, - "end": 26 - } - }, - "sink": { - "start": 31, - "end": 31, - "column": { - "start": 15, - "end": 26 - }, - "content": "db.Query(q)" - }, - "parent_line_number": 31, - "snippet": "db.Query(q)", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_1", - "old_fingerprint": "a93104166356c0a2709944f5e9659abf_1", - "code_extract": "\\trows, err := db.Query(q)" - }, - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 44, - "full_filename": "/tmp/bearer-scan/main2.go", - "filename": ".", - "source": { - "start": 44, - "end": 44, - "column": { - "start": 15, - "end": 55 - } - }, - "sink": { - "start": 44, - "end": 44, - "column": { - "start": 15, - "end": 55 - }, - "content": "db.QueryContext(context.Background(), q)" - }, - "parent_line_number": 44, - "snippet": "db.QueryContext(context.Background(), q)", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_2", - "old_fingerprint": "a93104166356c0a2709944f5e9659abf_2", - "code_extract": "\\trows, err := db.QueryContext(context.Background(), q)" - }, - { - "cwe_ids": [ - "89" - ], - "id": "go_gosec_sql_concat_sqli", - "title": "Unsanitized user input in SQL query", - "description": "## Description\\n\\nSQL Injection represents a severe vulnerability that can culminate in the compromise of data or entire systems. When SQL query strings are crafted dynamically based on user inputs, there's potential for malicious users to manipulate the logic of the SQL statement. Such tampering could provide adversaries unauthorized access to sensitive data or even allow them to execute system-level operations or code.\\n\\n## Remediations\\n\\n✅ Use Parameterized Queries\\n\\nAlways opt for parameterized queries over dynamically generated SQL queries to prevent SQL injection.\\n\\n\`\`\`go\\nrows, err := db.Query(\\"SELECT * FROM users WHERE userName = ?\\", userName)\\nif err != nil {\\n return nil, err\\n}\\ndefer rows.Close()\\nfor rows.Next() {\\n // ... process rows\\n}\\n\`\`\`\\n\\n✅ Avoid Direct User Input in Dynamic Queries\\n\\nIf there's an absolute need to formulate dynamic queries, ensure that direct user input is never utilized. Instead, leverage a map or dictionary containing valid values and determine them through a user-provided key.\\n\\nFor instance, certain database drivers do not support parameterized queries for operators like \`>\` or \`<\`. Instead of directly using user-input values, allow users to provide substitutes like \`gt\` for \`>\` and \`lt\` for \`<\`. Subsequently, use these alphabetical inputs to retrieve the actual operators for your query. Implement a similar approach for queries requiring non-parameterizable column or table names.\\n\\n## Resources\\n\\n- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_sql_concat_sqli", - "line_number": 62, - "full_filename": "/tmp/bearer-scan/main2.go", - "filename": ".", - "source": { - "start": 62, - "end": 62, - "column": { - "start": 15, - "end": 55 - } - }, - "sink": { - "start": 62, - "end": 62, - "column": { - "start": 15, - "end": 55 - }, - "content": "tx.QueryContext(context.Background(), q)" - }, - "parent_line_number": 62, - "snippet": "tx.QueryContext(context.Background(), q)", - "fingerprint": "ca1a3415f7df18be8dec85c9d74eb890_3", - "old_fingerprint": "a93104166356c0a2709944f5e9659abf_3", - "code_extract": "\\trows, err := tx.QueryContext(context.Background(), q)" - } - ] -}" -`; diff --git a/tests/go/gosec/sql/concat_sqli/test.js b/tests/go/gosec/sql/concat_sqli/test.js index b28b4f3cf..1b9efe52d 100644 --- a/tests/go/gosec/sql/concat_sqli/test.js +++ b/tests/go/gosec/sql/concat_sqli/test.js @@ -1,253 +1,310 @@ const { - createInvoker, createNewInvoker, getEnvironment, -} = require("../../../../helper.js") +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) - test("test 2", () => { - const testCase = "main2.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + test("function", () => { + const testCase = "function.go" -describe(`${ruleId}-xx`, () => { - const invoke = createNewInvoker(ruleId, ruleFile, testBase) + const results = invoke(testCase) - test("test", () => { - const testCase = "function.go" + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + test("main", () => { + const testCase = "main.go" - test("test1", () => { - const testCase = "test01.go" - const results = invoke(testCase) + const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - test("test2", () => { - const testCase = "test02.go" - const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + test("main2", () => { + const testCase = "main2.go" - test("test3", () => { - const testCase = "test03.go" - const results = invoke(testCase) + const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - test("test4", () => { - const testCase = "test04.go" - const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + test("test01", () => { + const testCase = "test01.go" - test("test5", () => { - const testCase = "test05.go" - const results = invoke(testCase) + const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - test("test6", () => { - const testCase = "test06.go" - const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + test("test02", () => { + const testCase = "test02.go" - test("test7", () => { - const testCase = "test07.go" - const results = invoke(testCase) + const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - test("test8", () => { - const testCase = "test08.go" - const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + test("test03", () => { + const testCase = "test03.go" - test("test9", () => { - const testCase = "test09.go" - const results = invoke(testCase) + const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - test("test10", () => { - const testCase = "test10.go" - const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + test("test04", () => { + const testCase = "test04.go" - test("test11", () => { - const testCase = "test11.go" - const results = invoke(testCase) + const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - test("test12", () => { - const testCase = "test12.go" - const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + test("test05", () => { + const testCase = "test05.go" - test("test13", () => { - const testCase = "test13.go" - const results = invoke(testCase) + const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - test("test14", () => { - const testCase = "test14.go" - const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + test("test06", () => { + const testCase = "test06.go" - test("test15", () => { - const testCase = "test15.go" - const results = invoke(testCase) + const results = invoke(testCase) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) -}) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test07", () => { + const testCase = "test07.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test08", () => { + const testCase = "test08.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test09", () => { + const testCase = "test09.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test10", () => { + const testCase = "test10.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test101", () => { + const testCase = "test101.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test102", () => { + const testCase = "test102.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test103", () => { + const testCase = "test103.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test104", () => { + const testCase = "test104.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test105", () => { + const testCase = "test105.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test106", () => { + const testCase = "test106.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test107", () => { + const testCase = "test107.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test108", () => { + const testCase = "test108.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test109", () => { + const testCase = "test109.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test11", () => { + const testCase = "test11.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("test110", () => { + const testCase = "test110.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) -describe(`${ruleId}-1xx`, () => { - const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test101", () => { - const testCase = "test101.go" - const results = invoke(testCase) + test("test111", () => { + const testCase = "test111.go" - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + const results = invoke(testCase) - test("test102", () => { - const testCase = "test102.go" - const results = invoke(testCase) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) - test("test103", () => { - const testCase = "test103.go" - const results = invoke(testCase) + test("test112", () => { + const testCase = "test112.go" - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + const results = invoke(testCase) - test("test104", () => { - const testCase = "test104.go" - const results = invoke(testCase) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) - test("test105", () => { - const testCase = "test105.go" - const results = invoke(testCase) + test("test12", () => { + const testCase = "test12.go" - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + const results = invoke(testCase) - test("test106", () => { - const testCase = "test106.go" - const results = invoke(testCase) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) - test("test107", () => { - const testCase = "test107.go" - const results = invoke(testCase) + test("test13", () => { + const testCase = "test13.go" - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + const results = invoke(testCase) - test("test108", () => { - const testCase = "test108.go" - const results = invoke(testCase) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) - test("test109", () => { - const testCase = "test109.go" - const results = invoke(testCase) + test("test14", () => { + const testCase = "test14.go" - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + const results = invoke(testCase) - test("test110", () => { - const testCase = "test110.go" - const results = invoke(testCase) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) - test("test111", () => { - const testCase = "test111.go" - const results = invoke(testCase) + test("test15", () => { + const testCase = "test15.go" - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) + const results = invoke(testCase) - test("test112", () => { - const testCase = "test112.go" - const results = invoke(testCase) + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) - expect(results.Missing).toEqual([]) - expect(results.Extra).toEqual([]) - }) -}) +}) \ No newline at end of file diff --git a/tests/go/gosec/sql/concat_sqli/testdata/main.go b/tests/go/gosec/sql/concat_sqli/testdata/main.go index f8f3fd519..52dd7e142 100644 --- a/tests/go/gosec/sql/concat_sqli/testdata/main.go +++ b/tests/go/gosec/sql/concat_sqli/testdata/main.go @@ -12,6 +12,7 @@ func foo1() { if err != nil { panic(err) } +// bearer:expected go_gosec_sql_concat_sqli rows, err := db.Query("SELECT * FROM foo WHERE name = " + os.Args[1]) if err != nil { panic(err) @@ -24,6 +25,7 @@ func foo2() { if err != nil { panic(err) } +// bearer:expected go_gosec_sql_concat_sqli rows, err := db.Query("select * from foo where name = " + os.Args[1]) if err != nil { panic(err) @@ -36,6 +38,7 @@ func foo3() { if err != nil { panic(err) } +// bearer:expected go_gosec_sql_concat_sqli rows, err := db.QueryContext(context.Background(), "select * from foo where name = "+os.Args[1]) if err != nil { panic(err) @@ -53,6 +56,7 @@ func foo4() { panic(err) } defer tx.Rollback() +// bearer:expected go_gosec_sql_concat_sqli rows, err := tx.QueryContext(context.Background(), "select * from foo where name = "+os.Args[1]) if err != nil { panic(err) @@ -68,6 +72,7 @@ func foo5() { if err != nil { panic(err) } +// bearer:expected go_gosec_sql_concat_sqli rows, err := db.Query("SELECT * FROM foo" + "WHERE name = " + os.Args[1]) if err != nil { panic(err) @@ -139,5 +144,6 @@ func foo10(uid string) { FROM Profile as p,Users as u where p.user_id = u.id and u.id=%s`, uid) //here is the vulnerable query +// bearer:expected go_gosec_sql_concat_sqli rows, err := DB.Query(getProfileSql) } diff --git a/tests/go/gosec/sql/concat_sqli/testdata/main2.go b/tests/go/gosec/sql/concat_sqli/testdata/main2.go index d7e291197..f627bff97 100644 --- a/tests/go/gosec/sql/concat_sqli/testdata/main2.go +++ b/tests/go/gosec/sql/concat_sqli/testdata/main2.go @@ -15,6 +15,7 @@ func foo1() { panic(err) } q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1]) +// bearer:expected go_gosec_sql_concat_sqli rows, err := db.Query(q) if err != nil { panic(err) @@ -28,6 +29,7 @@ func foo2() { panic(err) } q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) +// bearer:expected go_gosec_sql_concat_sqli rows, err := db.Query(q) if err != nil { panic(err) @@ -41,6 +43,7 @@ func foo3() { panic(err) } q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) +// bearer:expected go_gosec_sql_concat_sqli rows, err := db.QueryContext(context.Background(), q) if err != nil { panic(err) @@ -59,6 +62,7 @@ func foo4() { } defer tx.Rollback() q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) +// bearer:expected go_gosec_sql_concat_sqli rows, err := tx.QueryContext(context.Background(), q) if err != nil { panic(err) diff --git a/tests/go/gosec/subproc/subproc/test.js b/tests/go/gosec/subproc/subproc/test.js index 0054426d3..828d49a2e 100644 --- a/tests/go/gosec/subproc/subproc/test.js +++ b/tests/go/gosec/subproc/subproc/test.js @@ -1,7 +1,7 @@ const { createNewInvoker, getEnvironment, -} = require("../../../../helper.js") +} = require("../../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { diff --git a/tests/go/gosec/unsafe/unsafe/__snapshots__/test.js.snap b/tests/go/gosec/unsafe/unsafe/__snapshots__/test.js.snap deleted file mode 100644 index 25ad02bd8..000000000 --- a/tests/go/gosec/unsafe/unsafe/__snapshots__/test.js.snap +++ /dev/null @@ -1,76 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`go_gosec_unsafe_unsafe test 1`] = ` -"{ - "low": [ - { - "cwe_ids": [ - "242" - ], - "id": "go_gosec_unsafe_unsafe", - "title": "Usage of vulnerable 'unsafe' package", - "description": "## Description\\n\\nThe Go programming language features the \`unsafe\` package which grants low-level memory management capabilities, inclusive of direct memory access and pointer manipulation. Though the \`unsafe\` package can be quite potent, its usage sidesteps the Go compiler's type safety checks. This can lead to an array of security vulnerabilities and unpredictable system behavior.\\n\\n## Remediations\\n\\n✅ Avoid \`unsafe\` Unless Absolutely Necessary\\n\\nThe overarching guidance here is to steer clear of the \`unsafe\` package unless there's an absolute necessity for its functions. When opting for low-level memory operations, ensure that their implications are well-understood and that their deployment is preceded by rigorous testing.\\n\\n✅ Be Wary of Buffer Overflows\\n\\nDirect manipulation of memory can lead to buffer overflows, potentially enabling unauthorized code execution. Ensure buffer boundaries are always respected.\\n\\n✅ Avoid Use After Free\\n\\nAccessing memory that has already been freed can result in unintended code execution or unpredictable behaviors. Ensure that once memory has been freed, it isn't accessed further.\\n\\n✅ Prevent Information/Memory Leaks\\n\\nUnintended memory retention or unintended disclosure of information in memory can occur when using unsafe functions. This can compromise other security defenses or lead to system failures due to exhausted memory. Regularly review and audit your code to check for such leaks.\\n\\n## Resources\\n\\n- [Buffer Overflows - OWASP](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow)\\n- [Using Freed Memory - OWASP](https://owasp.org/www-community/vulnerabilities/Using_freed_memory)\\n- [Memory Leaks - OWASP](https://owasp.org/www-community/vulnerabilities/Memory_leak)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_unsafe_unsafe", - "line_number": 19, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 19, - "end": 19, - "column": { - "start": 53, - "end": 79 - } - }, - "sink": { - "start": 19, - "end": 19, - "column": { - "start": 27, - "end": 49 - }, - "content": "unsafe.Pointer(intPtr)" - }, - "parent_line_number": 19, - "snippet": "unsafe.Pointer(intPtr)", - "fingerprint": "db1c9d5a44e2bb335daa53a4b208a682_0", - "old_fingerprint": "0787e01535ffb4d4e7052dfb097bcfdb_0", - "code_extract": "\\taddressHolder := uintptr(unsafe.Pointer(intPtr)) + unsafe.Sizeof(intArray[0])" - }, - { - "cwe_ids": [ - "242" - ], - "id": "go_gosec_unsafe_unsafe", - "title": "Usage of vulnerable 'unsafe' package", - "description": "## Description\\n\\nThe Go programming language features the \`unsafe\` package which grants low-level memory management capabilities, inclusive of direct memory access and pointer manipulation. Though the \`unsafe\` package can be quite potent, its usage sidesteps the Go compiler's type safety checks. This can lead to an array of security vulnerabilities and unpredictable system behavior.\\n\\n## Remediations\\n\\n✅ Avoid \`unsafe\` Unless Absolutely Necessary\\n\\nThe overarching guidance here is to steer clear of the \`unsafe\` package unless there's an absolute necessity for its functions. When opting for low-level memory operations, ensure that their implications are well-understood and that their deployment is preceded by rigorous testing.\\n\\n✅ Be Wary of Buffer Overflows\\n\\nDirect manipulation of memory can lead to buffer overflows, potentially enabling unauthorized code execution. Ensure buffer boundaries are always respected.\\n\\n✅ Avoid Use After Free\\n\\nAccessing memory that has already been freed can result in unintended code execution or unpredictable behaviors. Ensure that once memory has been freed, it isn't accessed further.\\n\\n✅ Prevent Information/Memory Leaks\\n\\nUnintended memory retention or unintended disclosure of information in memory can occur when using unsafe functions. This can compromise other security defenses or lead to system failures due to exhausted memory. Regularly review and audit your code to check for such leaks.\\n\\n## Resources\\n\\n- [Buffer Overflows - OWASP](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow)\\n- [Using Freed Memory - OWASP](https://owasp.org/www-community/vulnerabilities/Using_freed_memory)\\n- [Memory Leaks - OWASP](https://owasp.org/www-community/vulnerabilities/Memory_leak)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_unsafe_unsafe", - "line_number": 20, - "full_filename": "/tmp/bearer-scan/main.go", - "filename": ".", - "source": { - "start": 20, - "end": 20, - "column": { - "start": 18, - "end": 47 - } - }, - "sink": { - "start": 20, - "end": 20, - "column": { - "start": 18, - "end": 47 - }, - "content": "unsafe.Pointer(addressHolder)" - }, - "parent_line_number": 20, - "snippet": "unsafe.Pointer(addressHolder)", - "fingerprint": "db1c9d5a44e2bb335daa53a4b208a682_2", - "old_fingerprint": "0787e01535ffb4d4e7052dfb097bcfdb_2", - "code_extract": "\\tintPtr = (*int)(unsafe.Pointer(addressHolder))" - } - ] -}" -`; diff --git a/tests/go/gosec/unsafe/unsafe/test.js b/tests/go/gosec/unsafe/unsafe/test.js index 12471991f..1311a0975 100644 --- a/tests/go/gosec/unsafe/unsafe/test.js +++ b/tests/go/gosec/unsafe/unsafe/test.js @@ -1,11 +1,20 @@ -const { createInvoker, getEnvironment } = require("../../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("test", () => { - const testCase = "main.go" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + + test("main", () => { + const testCase = "main.go" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/go/gosec/unsafe/unsafe/testdata/main.go b/tests/go/gosec/unsafe/unsafe/testdata/main.go index 8717aa1c8..f57f99a14 100644 --- a/tests/go/gosec/unsafe/unsafe/testdata/main.go +++ b/tests/go/gosec/unsafe/unsafe/testdata/main.go @@ -16,7 +16,9 @@ func main() { fmt.Printf("\nintArray: %v\n", intArray) intPtr := &intArray[0] fmt.Printf("\nintPtr=%p, *intPtr=%d.\n", intPtr, *intPtr) +// bearer:expected go_gosec_unsafe_unsafe addressHolder := uintptr(unsafe.Pointer(intPtr)) + unsafe.Sizeof(intArray[0]) +// bearer:expected go_gosec_unsafe_unsafe intPtr = (*int)(unsafe.Pointer(addressHolder)) fmt.Printf("\nintPtr=%p, *intPtr=%d.\n\n", intPtr, *intPtr) }