

fix: remove golang patterns for deserialization that generate FP (#459)
gotbadger authored Jul 22, 2024
1 parent 4b1294d commit 7f40bb3
Showing 2 changed files with 12 additions and 39 deletions.
16 changes: 1 addition & 15 deletions rules/go/lang/deserialization_of_user_input.yml
Expand Up @@ -13,28 +13,13 @@ patterns:
detection: go_lang_deserialization_of_user_input_encoder
- variable: USER_INPUT
detection: go_shared_lang_dynamic_input_combined
- pattern: $<CALLER>.$<METHOD>($<...>$<USER_INPUT>$<...>);
filters:
- variable: CALLER
values:
- yaml
- json
- proto
- variable: METHOD
values:
- Unmarshal
- Marshal
- variable: USER_INPUT
detection: go_shared_lang_dynamic_input_combined
auxiliary:
- id: go_lang_deserialization_of_user_input_decoder
patterns:
- gob.NewDecoder();
- json.NewDecoder();
- id: go_lang_deserialization_of_user_input_encoder
patterns:
- gob.NewEncoder();
- json.NewEncoder();
languages:
- go
metadata:
Expand All @@ -51,6 +36,7 @@ metadata:
## References
- [Gob Security Documentation](https://pkg.go.dev/encoding/gob#hdr-Security)
- [OWASP Deserialization cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
cwe_id:
- 502
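Review bot: After this hunk the rule's only remaining sinks are the gob decoder/encoder auxiliaries, yet nothing in the diff touches the rule's description or remediation text (they sit above the first hunk header, so I cannot see them); if they still name encoding/json, yaml or proto they now overstate what the rule detects and should say that only `encoding/gob` is flagged, e.g. "encoding/json and yaml were removed as false positives because they cannot instantiate arbitrary types". Separately, `go_lang_deserialization_of_user_input_encoder` (`gob.NewEncoder`) is a serialization sink, not a deserialization one, so it does not match CWE-502 the way the decoder does; either drop it alongside the removed `json.NewEncoder` or add `# NewEncoder kept deliberately: <reason>` next to it so the next FP cleanup does not have to rediscover the intent. The gob security reference already on this page is the right justification for keeping the decoder, since that documentation states gob is not hardened against adversarial input.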
35 changes: 11 additions & 24 deletions tests/go/lang/deserialization_of_user_input/testdata/main.go
Expand Up @@ -8,34 +8,21 @@ import (
"fmt"
)

func bad() {
decoder := gob.NewDecoder(os.Args[0])
// bearer:expected go_lang_deserialization_of_user_input
decoder.Decode(os.Args[0])
// ...
type Employee struct {
Name string
Role string
}

func bad2() {
// bearer:expected go_lang_deserialization_of_user_input
yaml.Unmarshal(os.Args[0])
// bearer:expected go_lang_deserialization_of_user_input
yaml.Marshal(os.Args[0])
// ...
}
func bad() {

func bad3() {
// bearer:expected go_lang_deserialization_of_user_input
json.Unmarshal(os.Args[0])
dec := gob.NewDecoder(&os.Args[0])
var v Vector
err = dec.Decode(&v)
// bearer:expected go_lang_deserialization_of_user_input
json.Marshal(os.Args[0])
// ...
}

func bad4() {
newMessage := &example.Message{}
// bearer:expected go_lang_deserialization_of_user_input
proto.Unmarshal(os.Args[0], newMessage)
// bearer:expected go_lang_deserialization_of_user_input
proto.Marshal(os.Args[0])
// ...
func ok() {
data = &Employee{}
json.Unmarshal(os.Args[0], data)
json.Marshal(data)
}
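Review bot: The new `ok()` case only exercises `json.Unmarshal` into a concrete `*Employee`, so the removed `json.NewDecoder` sink has no negative fixture pinning it as a non-finding; add a second ok case such as `json.NewDecoder(os.Stdin).Decode(&v)` so re-adding that pattern fails the test instead of silently reintroducing the false positive. In `bad()`, `gob.NewDecoder(&os.Args[0])` passes a `*string` where `io.Reader` is expected; testdata need not compile, but `bytes.NewReader([]byte(os.Args[0]))` keeps the fixture representative of real call sites, provided the shared dynamic-input detection still matches through it. From this rendering I cannot tell whether the `// bearer:expected` comment lands on the line directly before `err = dec.Decode(&v)` on the new side; it must, since that is the call the remaining gob pattern reports. The blank line after `func bad() {` is a gofmt-clean but unusual leftover from the deleted `decoder :=` line and can go.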
