Hello community,

here is the log from the commit of package gosec for openSUSE:Factory checked 
in at 2022-05-05 23:06:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gosec (Old)
 and      /work/SRC/openSUSE:Factory/.gosec.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gosec"

Thu May  5 23:06:13 2022 rev:3 rq:974964 version:2.11.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/gosec/gosec.changes      2022-03-02 
18:22:44.668659442 +0100
+++ /work/SRC/openSUSE:Factory/.gosec.new.1538/gosec.changes    2022-05-05 
23:06:52.449593308 +0200
@@ -1,0 +2,11 @@
+Tue Mar 22 08:10:13 UTC 2022 - Felix Niederwanger <[email protected]>
+
+* Update to version 2.11.0
+
+- Enable Go 1.18 in the ci and release workflows
+- Fix the lint action after upgrade (#790)
+- chore(deps): update all dependencies (#789)
+- Add a recursive flag -r to skip specifying ./... path
+- Adds directory traversal for Http.Dir("/")
+
+-------------------------------------------------------------------

Old:
----
  gosec-2.10.0.tar.gz

New:
----
  gosec-2.11.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gosec.spec ++++++
--- /var/tmp/diff_new_pack.MlzAyt/_old  2022-05-05 23:06:53.149594182 +0200
+++ /var/tmp/diff_new_pack.MlzAyt/_new  2022-05-05 23:06:53.153594187 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           gosec
-Version:        2.10.0
+Version:        2.11.0
 Release:        0
 Summary:        Golang security checker
 License:        Apache-2.0
@@ -25,20 +25,28 @@
 Source:         gosec-%{version}.tar.gz
 Source1:        vendor.tar.gz
 BuildRequires:  golang-packaging
-BuildRequires:  go >= 1.11
+BuildRequires:  go >= 1.16
 %{go_nostrip}
 
 %description
-Inspects source code for security problems by scanning the Go AST.
+Inspects source code for security problems by scanning the go abstract syntax 
tree.
 
 %prep
 %autosetup -D -a 1
 
 %build
+# Native linux build includes version tags but currently works only on x86_64
+%ifarch x86_64
+GOFLAGS="-buildmode=pie" make build-linux
+%else
 GOFLAGS="-buildmode=pie" make build
+%endif
 
-# this check is not yet working
-#%%check
+%check
+# check if binary is working
+./gosec --version
+make sec
+# Not yet working because it wants to pull the latest ginkgo version from 
GitHub
 #make test
 
 %install
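Review bot: The new `%check` section runs `./gosec --version` and discards the output, so it proves the binary starts but not that the x86_64 `make build-linux` path actually embedded the version the comment promises; `./gosec --version | grep -q '%{version}'` (inside the same `%ifarch x86_64`, since the generic `make build` apparently carries no tags) would catch a build that silently lost them. `make sec` scans gosec's own tree, which means any new or stricter rule — this very release adds G111 — can turn a scanner finding into a distro build failure; that is a legitimate gate, but a one-line comment such as `# self-scan: any new gosec finding fails the package build` would stop the next packager from reading it as flakiness. The `build-linux` target itself is outside this diff, so the version-tag claim is taken from the comment only.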

++++++ _service ++++++
--- /var/tmp/diff_new_pack.MlzAyt/_old  2022-05-05 23:06:53.193594237 +0200
+++ /var/tmp/diff_new_pack.MlzAyt/_new  2022-05-05 23:06:53.197594242 +0200
@@ -12,6 +12,8 @@
     <param name="file">*.tar</param>
     <param name="compression">gz</param>
   </service>
-  <service name="go_modules" mode="disabled"/>
+  <service name="go_modules" mode="disabled">
+    <param name="compression">gz</param>
+  </service>
 </services>
 

++++++ gosec-2.10.0.tar.gz -> gosec-2.11.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/.github/workflows/ci.yml 
new/gosec-2.11.0/.github/workflows/ci.yml
--- old/gosec-2.10.0/.github/workflows/ci.yml   2022-02-22 21:33:42.000000000 
+0100
+++ new/gosec-2.11.0/.github/workflows/ci.yml   2022-03-21 16:53:22.000000000 
+0100
@@ -7,38 +7,33 @@
     branches:
       - master
 jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
-        with:
-          version: latest
   test:
-    needs: [golangci]
     strategy:
       matrix:
         go_version:
           - '1.16'
           - '1.17'
+          - '1.18'
     runs-on: ubuntu-latest
     env:
       GO111MODULE: on
     steps:
       - name: Setup go ${{ matrix.go_version }} 
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ matrix.go_version }}
       - name: Checkout Source 
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - uses: actions/cache@v2
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
+      - name: lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: latest
       - name: Run Tests
         run: make test
   coverage:
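Review bot: The lint step added with `version: latest` under `golangci/golangci-lint-action@v3` resolves the linter at run time, so a new golangci-lint release can start failing CI on commits that changed nothing and a past run cannot be reproduced; pin `version:` to a specific golangci-lint release tag and bump it deliberately. The `uses:` references themselves (`@v3`, `@v2`) are mutable tags the upstream owner can move; for a security tool's pipeline, pinning each action to a full commit SHA with the version in a trailing comment is the supply-chain-hardened form. Folding lint into the `test` job also runs it once per matrix entry (1.16, 1.17, 1.18) rather than once as the removed `golangci` job did; an `if: matrix.go_version == '1.18'` condition on the step would keep it single-shot.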
@@ -48,11 +43,11 @@
       GO111MODULE: on
     steps:
       - name: Setup go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: '1.17'
+          go-version: '1.18'
       - name: Checkout Source 
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - uses: actions/cache@v2
         with:
           path: ~/go/pkg/mod
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/.github/workflows/release.yml 
new/gosec-2.11.0/.github/workflows/release.yml
--- old/gosec-2.10.0/.github/workflows/release.yml      2022-02-22 
21:33:42.000000000 +0100
+++ new/gosec-2.11.0/.github/workflows/release.yml      2022-03-21 
16:53:22.000000000 +0100
@@ -11,17 +11,17 @@
       ACTIONS_ALLOW_UNSECURE_COMMANDS: true
     steps:
       - name: Checkout Source 
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Unshallow
         run: git fetch --prune --unshallow
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.17
+          go-version: 1.18
       - name: Install Cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.5.2'
+          cosign-release: 'v1.6.0'
       - name: Store Cosign private key in a file
         run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
         shell: bash
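Review bot: The bump to `cosign-release: 'v1.6.0'` pins the cosign binary, but the step that fetches it still uses `sigstore/cosign-installer@main`, so the tool that will read the release-signing key is taken from a moving branch on every release run; pin it to a release tag or commit SHA like the `actions/*` references updated in this hunk. The key handling right below, `echo "$COSIGN_KEY" > /tmp/cosign.key`, creates the file under the runner's default umask; `(umask 077; echo "$COSIGN_KEY" > /tmp/cosign.key)` keeps the private key readable only by the runner user. Both of those lines are context here rather than part of this change, and `ACTIONS_ALLOW_UNSECURE_COMMANDS: true` at the top of the hunk is the same kind of leftover worth revisiting.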
@@ -66,7 +66,7 @@
           tags: ${{steps.meta.outputs.tags}}
           labels: ${{steps.meta.outputs.labels}}
           push: true
-          build-args: GO_VERSION=1.17
+          build-args: GO_VERSION=1.18
       - name: Sign Docker Image
         run: cosign sign -key /tmp/cosign.key ${TAGS}
         env:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/.github/workflows/scan.yml 
new/gosec-2.11.0/.github/workflows/scan.yml
--- old/gosec-2.10.0/.github/workflows/scan.yml 2022-02-22 21:33:42.000000000 
+0100
+++ new/gosec-2.11.0/.github/workflows/scan.yml 2022-03-21 16:53:22.000000000 
+0100
@@ -13,7 +13,7 @@
     runs-on: ubuntu-latest
     steps:
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Security Scan
       uses: securego/gosec@master
       with:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/Makefile new/gosec-2.11.0/Makefile
--- old/gosec-2.10.0/Makefile   2022-02-22 21:33:42.000000000 +0100
+++ new/gosec-2.11.0/Makefile   2022-03-21 16:53:22.000000000 +0100
@@ -12,7 +12,7 @@
 GOLINT ?= $(GOBIN)/golint
 GOSEC ?= $(GOBIN)/gosec
 GINKGO ?= $(GOBIN)/ginkgo
-GO_VERSION = 1.17
+GO_VERSION = 1.18
 
 default:
        $(MAKE) build
@@ -31,12 +31,16 @@
        @([ ! -z "$(FORMATTED)" ] && printf "Fixed unformatted 
files:\n$(FORMATTED)") || true
 
 lint:
-       @echo "LINTING"
+       @echo "LINTING: golint"
        $(GO_NOMOD) get -u golang.org/x/lint/golint
        $(GOLINT) -set_exit_status ./...
        @echo "VETTING"
        $(GO) vet ./...
 
+golangci:
+       @echo "LINTING: golangci-lint"
+       golangci-lint run
+
 sec:
        @echo "SECURITY SCANNING"
        ./$(BIN) ./...
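Review bot: The new `golangci:` target calls `golangci-lint` straight from `PATH`, whereas every other tool in this Makefile is addressed through a `$(GOBIN)`-based variable (`GOLINT`, `GOSEC`, `GINKGO` at the top of the file) and therefore works in a clean environment with only `GOBIN` set; for consistency add `GOLANGCI ?= $(GOBIN)/golangci-lint` next to those and invoke `$(GOLANGCI) run`. The sibling `lint` target still does `$(GO_NOMOD) get -u golang.org/x/lint/golint`, fetching an unpinned linter on every run; now that two lint targets coexist, a comment saying which one CI gates on (the ci.yml in this release uses the golangci action) would save the next reader a trip.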
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/README.md new/gosec-2.11.0/README.md
--- old/gosec-2.10.0/README.md  2022-02-22 21:33:42.000000000 +0100
+++ new/gosec-2.11.0/README.md  2022-03-21 16:53:22.000000000 +0100
@@ -143,6 +143,7 @@
 - G108: Profiling endpoint automatically exposed on /debug/pprof
 - G109: Potential Integer overflow made by strconv.Atoi result conversion to 
int16/32
 - G110: Potential DoS vulnerability via decompression bomb
+- G111: Potential directory traversal
 - G201: SQL query construction using format string
 - G202: SQL query construction using string concatenation
 - G203: Use of unescaped data in HTML templates
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/cmd/gosec/main.go 
new/gosec-2.11.0/cmd/gosec/main.go
--- old/gosec-2.10.0/cmd/gosec/main.go  2022-02-22 21:33:42.000000000 +0100
+++ new/gosec-2.11.0/cmd/gosec/main.go  2022-03-21 16:53:22.000000000 +0100
@@ -133,6 +133,9 @@
        // print the text report with color, this is enabled by default
        flagColor = flag.Bool("color", true, "Prints the text format report 
with colorization when it goes in the stdout")
 
+       // append ./... to the target dir.
+       flagRecursive = flag.Bool("r", false, "Appends \"./...\" to the target 
dir.")
+
        // overrides the output format when stdout the results while saving 
them in the output file
        flagVerbose = flag.String("verbose", "", "Overrides the output format 
when stdout the results while saving them in the output file.\nValid options 
are: json, yaml, csv, junit-xml, html, sonarqube, golint, sarif or text")
 
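Review bot: The help text of the new flag, `Appends "./..." to the target dir.`, does not match what the flag does: the only place `-r` is consulted is the argument check (`flag.NArg() == 0 && !*flagRecursive`), and the later `paths` default adds `./...` only when no path was given at all, so `gosec -r ./pkg` scans `./pkg` exactly as it would without the flag. Either reword the description, e.g. `flagRecursive = flag.Bool("r", false, "Scans \"./...\" when no target path is given.")`, or make the flag apply to explicit arguments by rewriting each one as `<path>/...` when `*flagRecursive` is set. The README usage section is not part of this diff, so whichever reading is intended should be mirrored there.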
@@ -319,9 +322,9 @@
                os.Exit(0)
        }
 
-       // Ensure at least one file was specified
-       if flag.NArg() == 0 {
-               fmt.Fprintf(os.Stderr, "\nError: FILE [FILE...] or './...' 
expected\n") //#nosec
+       // Ensure at least one file was specified or that the recursive -r flag 
was set.
+       if flag.NArg() == 0 && !*flagRecursive {
+               fmt.Fprintf(os.Stderr, "\nError: FILE [FILE...] or './...' or 
-r expected\n") //#nosec
                flag.Usage()
                os.Exit(1)
        }
@@ -380,13 +383,19 @@
 
        excludedDirs := gosec.ExcludedDirsRegExp(flagDirsExclude)
        var packages []string
-       for _, path := range flag.Args() {
+
+       paths := flag.Args()
+       if len(paths) == 0 {
+               paths = append(paths, "./...")
+       }
+       for _, path := range paths {
                pcks, err := gosec.PackagePaths(path, excludedDirs)
                if err != nil {
                        logger.Fatal(err)
                }
                packages = append(packages, pcks...)
        }
+
        if len(packages) == 0 {
                logger.Fatal("No packages found")
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/cmd/tlsconfig/tls_version.go 
new/gosec-2.11.0/cmd/tlsconfig/tls_version.go
--- old/gosec-2.10.0/cmd/tlsconfig/tls_version.go       1970-01-01 
01:00:00.000000000 +0100
+++ new/gosec-2.11.0/cmd/tlsconfig/tls_version.go       2022-03-21 
16:53:22.000000000 +0100
@@ -0,0 +1,26 @@
+package main
+
+import (
+       "crypto/tls"
+       "sort"
+)
+
+func mapTLSVersions(tlsVersions []string) []int {
+       var versions []int
+       for _, tlsVersion := range tlsVersions {
+               switch tlsVersion {
+               case "TLSv1.3":
+                       versions = append(versions, tls.VersionTLS13)
+               case "TLSv1.2":
+                       versions = append(versions, tls.VersionTLS12)
+               case "TLSv1.1":
+                       versions = append(versions, tls.VersionTLS11)
+               case "TLSv1":
+                       versions = append(versions, tls.VersionTLS10)
+               default:
+                       continue
+               }
+       }
+       sort.Ints(versions)
+       return versions
+}
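Review bot: `mapTLSVersions` has no doc comment, and its `default: continue` silently drops any name it does not recognise, so a caller passing e.g. `"TLSv1.0"` gets a shorter list rather than an error; document that contract: `// mapTLSVersions converts TLS version names of the form "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3" into the matching crypto/tls Version* constants, sorted ascending. Names it does not recognise are skipped without error.` The `continue` in the `default` arm is a no-op at the end of the loop body and can be dropped. The go1.12/go1.13 variant deleted in this release also accepted `"SSLv3"`; with `go >= 1.16` now required that omission is presumably intentional, and saying so in the comment stops it being read as an oversight.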
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/cmd/tlsconfig/tls_version_go12_go13.go 
new/gosec-2.11.0/cmd/tlsconfig/tls_version_go12_go13.go
--- old/gosec-2.10.0/cmd/tlsconfig/tls_version_go12_go13.go     2022-02-22 
21:33:42.000000000 +0100
+++ new/gosec-2.11.0/cmd/tlsconfig/tls_version_go12_go13.go     1970-01-01 
01:00:00.000000000 +0100
@@ -1,34 +0,0 @@
-//go:build go1.12 && !go1.14
-// +build go1.12,!go1.14
-
-// This file can be removed once go1.13 is no longer supported
-
-package main
-
-import (
-       "crypto/tls"
-       "sort"
-)
-
-func mapTLSVersions(tlsVersions []string) []int {
-       var versions []int
-       for _, tlsVersion := range tlsVersions {
-               switch tlsVersion {
-               case "TLSv1.3":
-                       versions = append(versions, tls.VersionTLS13)
-               case "TLSv1.2":
-                       versions = append(versions, tls.VersionTLS12)
-               case "TLSv1.1":
-                       versions = append(versions, tls.VersionTLS11)
-               case "TLSv1":
-                       versions = append(versions, tls.VersionTLS10)
-               case "SSLv3":
-                       // unsupported from go1.14
-                       versions = append(versions, tls.VersionSSL30)
-               default:
-                       continue
-               }
-       }
-       sort.Ints(versions)
-       return versions
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/cmd/tlsconfig/tls_version_go14.go 
new/gosec-2.11.0/cmd/tlsconfig/tls_version_go14.go
--- old/gosec-2.10.0/cmd/tlsconfig/tls_version_go14.go  2022-02-22 
21:33:42.000000000 +0100
+++ new/gosec-2.11.0/cmd/tlsconfig/tls_version_go14.go  1970-01-01 
01:00:00.000000000 +0100
@@ -1,30 +0,0 @@
-//go:build go1.14 || !go1.11
-// +build go1.14 !go1.11
-
-// main
-package main
-
-import (
-       "crypto/tls"
-       "sort"
-)
-
-func mapTLSVersions(tlsVersions []string) []int {
-       var versions []int
-       for _, tlsVersion := range tlsVersions {
-               switch tlsVersion {
-               case "TLSv1.3":
-                       versions = append(versions, tls.VersionTLS13)
-               case "TLSv1.2":
-                       versions = append(versions, tls.VersionTLS12)
-               case "TLSv1.1":
-                       versions = append(versions, tls.VersionTLS11)
-               case "TLSv1":
-                       versions = append(versions, tls.VersionTLS10)
-               default:
-                       continue
-               }
-       }
-       sort.Ints(versions)
-       return versions
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/cmd/tlsconfig/tlsconfig.go 
new/gosec-2.11.0/cmd/tlsconfig/tlsconfig.go
--- old/gosec-2.10.0/cmd/tlsconfig/tlsconfig.go 2022-02-22 21:33:42.000000000 
+0100
+++ new/gosec-2.11.0/cmd/tlsconfig/tlsconfig.go 2022-03-21 16:53:22.000000000 
+0100
@@ -1,6 +1,3 @@
-//go:build go1.12
-// +build go1.12
-
 package main
 
 import (
@@ -14,9 +11,10 @@
        "log"
        "net/http"
        "path/filepath"
-       "strings"
 
        "github.com/mozilla/tls-observatory/constants"
+       "golang.org/x/text/cases"
+       "golang.org/x/text/language"
 )
 
 var (
@@ -82,7 +80,8 @@
 }
 
 func getGoCipherConfig(name string, sstls ServerSideTLSJson) 
(goCipherConfiguration, error) {
-       cipherConf := goCipherConfiguration{Name: strings.Title(name)}
+       caser := cases.Title(language.English)
+       cipherConf := goCipherConfiguration{Name: caser.String(name)}
        conf, ok := sstls.Configurations[name]
        if !ok {
                return cipherConf, fmt.Errorf("TLS configuration '%s' not 
found", name)
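Review bot: `cases.Title(language.English)` is not a drop-in for `strings.Title`: besides upper-casing the first letter of each word it lower-cases the rest, so a configuration name such as `TLS13-only` would become `Tls13-Only` where `strings.Title` kept `TLS13-Only`, changing the generated Go identifier. If the keys of `sstls.Configurations` are always lowercase (they appear to be, but the JSON is not in this diff) this is harmless; otherwise `cases.Title(language.English, cases.NoLower)` reproduces the old behaviour. A short comment at the call site, `// cases.Title lower-cases the tail of each word; acceptable because the profile names are all-lowercase`, would record that the difference was considered. Building the Caser per call is the right choice, since x/text documents a `Caser` as possibly stateful and not to be shared between goroutines.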
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/go.mod new/gosec-2.11.0/go.mod
--- old/gosec-2.10.0/go.mod     2022-02-22 21:33:42.000000000 +0100
+++ new/gosec-2.11.0/go.mod     2022-03-21 16:53:22.000000000 +0100
@@ -8,7 +8,7 @@
        github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354
        github.com/onsi/ginkgo/v2 v2.1.3
        github.com/onsi/gomega v1.18.1
-       golang.org/x/crypto v0.0.0-20220214200702-86341886e292
+       golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000
        golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
        golang.org/x/text v0.3.7
        golang.org/x/tools v0.1.9
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/go.sum new/gosec-2.11.0/go.sum
--- old/gosec-2.10.0/go.sum     2022-02-22 21:33:42.000000000 +0100
+++ new/gosec-2.11.0/go.sum     2022-03-21 16:53:22.000000000 +0100
@@ -376,8 +376,8 @@
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod 
h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20220214200702-86341886e292 
h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE=
-golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000 
h1:SL+8VVnkqyshUSz5iNnXtrBQzvFF2SkROm6t5RczFAE=
+golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod 
h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/issue.go new/gosec-2.11.0/issue.go
--- old/gosec-2.10.0/issue.go   2022-02-22 21:33:42.000000000 +0100
+++ new/gosec-2.11.0/issue.go   2022-03-21 16:53:22.000000000 +0100
@@ -63,6 +63,7 @@
        "G108": "200",
        "G109": "190",
        "G110": "409",
+       "G111": "22",
        "G201": "89",
        "G202": "89",
        "G203": "79",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/report/formatter_test.go 
new/gosec-2.11.0/report/formatter_test.go
--- old/gosec-2.10.0/report/formatter_test.go   2022-02-22 21:33:42.000000000 
+0100
+++ new/gosec-2.11.0/report/formatter_test.go   2022-03-21 16:53:22.000000000 
+0100
@@ -276,10 +276,10 @@
        })
        Context("When using different report formats", func() {
                grules := []string{
-                       "G101", "G102", "G103", "G104", "G106",
-                       "G107", "G109", "G110", "G201", "G202", "G203", "G204",
-                       "G301", "G302", "G303", "G304", "G305", "G401", "G402",
-                       "G403", "G404", "G501", "G502", "G503", "G504", "G505",
+                       "G101", "G102", "G103", "G104", "G106", "G107", "G109",
+                       "G110", "G111", "G201", "G202", "G203", "G204", "G301",
+                       "G302", "G303", "G304", "G305", "G401", "G402", "G403",
+                       "G404", "G501", "G502", "G503", "G504", "G505",
                }
 
                It("csv formatted report should contain the CWE mapping", 
func() {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/report/html/template.html 
new/gosec-2.11.0/report/html/template.html
--- old/gosec-2.10.0/report/html/template.html  2022-02-22 21:33:42.000000000 
+0100
+++ new/gosec-2.11.0/report/html/template.html  2022-03-21 16:53:22.000000000 
+0100
@@ -5,9 +5,9 @@
   <title>Golang Security Checker</title>
   <link rel="shortcut icon" type="image/png" 
href="https://securego.io/img/favicon.png";>
   <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.9.3/css/bulma.min.css"; 
integrity="sha512-IgmDkwzs96t4SrChW29No3NXBIBv8baW490zk5aXvhCD8vuZM3yUSkbyTBcXohkySecyzIrUwiF/qV0cuPcL3Q=="
 crossorigin="anonymous"/>
-  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.4.0/styles/default.min.css";
 
integrity="sha512-hasIneQUHlh06VNBe7f6ZcHmeRTLIaQWFd43YriJ0UND19bvYRauxthDg8E4eVNPm9bRUhr5JGeqH7FRFXQu5g=="
 crossorigin="anonymous"/>
-  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.4.0/highlight.min.js";
 
integrity="sha512-IaaKO80nPNs5j+VLxd42eK/7sYuXQmr+fyywCNA0e+C6gtQnuCXNtORe9xR4LqGPz5U9VpH+ff41wKs/ZmC3iA=="
 crossorigin="anonymous"></script>
-  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.4.0/languages/go.min.js";
 
integrity="sha512-cSV8KK6UAf1DR6Fh7+AU8Vn9q/X1CX60ktQ4R1gfaWuRnGL30r7LPiCdI3AdyiIjcalKZnyAkw5xH1QZQkDT7A=="
 crossorigin="anonymous"></script>
+  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.0/styles/default.min.css";
 
integrity="sha512-hasIneQUHlh06VNBe7f6ZcHmeRTLIaQWFd43YriJ0UND19bvYRauxthDg8E4eVNPm9bRUhr5JGeqH7FRFXQu5g=="
 crossorigin="anonymous"/>
+  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.0/highlight.min.js";
 
integrity="sha512-BNc7saQYlxCL10lykUYhFBcnzdKMnjx5fp5s5wPucDyZ7rKNwCoqJh1GwEAIhuePEK4WM9askJBRsu7ma0Rzvg=="
 crossorigin="anonymous"></script>
+  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.0/languages/go.min.js";
 
integrity="sha512-5FrrCMl+OdDp4V0/+Og+q950cGMbPLR0D9o3rE0d9e7VYfGkci4zIrwqTXQOvv5Oo4ZhMaZGwZHXH2uKxfe+iw=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.7.0/react.min.js"; 
integrity="sha512-+TFn1Gqbwx/qgwW3NU1/YtFYTfHGeD1e/8YfJZzkb6TFEZP4SUwp1Az9DMeWh3qC0F+YPKXbV3YclMUwBTvO3g=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.1/react-dom.min.js"; 
integrity="sha512-8C49ZG/SaQnWaUgCHTU1o8uIQNYE6R8me38SwF26g2Q0byEXF4Jlvm+T/JAMHMeTBiEVPslSZRv9Xt4AV0pfmw=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/6.26.0/babel.min.js";
 
integrity="sha512-kp7YHLxuJDJcOzStgd6vtpxr4ZU9kjn77e6dBsivSz+pUuAuMlE2UTdKB7jjsWT84qbS8kdCWHPETnP/ctrFsA=="
 crossorigin="anonymous"></script>
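Review bot: The `default.min.css` link bumped to highlight.js 11.5.0 keeps the 11.4.0 integrity value (`sha512-hasIneQU…` appears on both the removed and the added line) while both script tags received new hashes; if the stylesheet changed between the two releases the browser will refuse to apply it under SRI and the report silently loses its styling, so confirm the value against the CDN-published hash for 11.5.0. Unrelated to this change but visible on the following lines, `react.min.js` 15.7.0 is paired with `react-dom.min.js` 15.6.1; a matched pair is worth aligning next time these hashes are refreshed.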
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/rules/directory-traversal.go 
new/gosec-2.11.0/rules/directory-traversal.go
--- old/gosec-2.10.0/rules/directory-traversal.go       1970-01-01 
01:00:00.000000000 +0100
+++ new/gosec-2.11.0/rules/directory-traversal.go       2022-03-21 
16:53:22.000000000 +0100
@@ -0,0 +1,64 @@
+package rules
+
+import (
+       "go/ast"
+       "regexp"
+
+       "github.com/securego/gosec/v2"
+)
+
+type traversal struct {
+       pattern *regexp.Regexp
+       gosec.MetaData
+}
+
+func (r *traversal) ID() string {
+       return r.MetaData.ID
+}
+
+func (r *traversal) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, 
error) {
+       switch node := n.(type) {
+       case *ast.CallExpr:
+               return r.matchCallExpr(node, ctx)
+       }
+       return nil, nil
+}
+
+func (r *traversal) matchCallExpr(assign *ast.CallExpr, ctx *gosec.Context) 
(*gosec.Issue, error) {
+       for _, i := range assign.Args {
+               if basiclit, ok1 := i.(*ast.BasicLit); ok1 {
+                       if fun, ok2 := assign.Fun.(*ast.SelectorExpr); ok2 {
+                               if x, ok3 := fun.X.(*ast.Ident); ok3 {
+                                       string := x.Name + "." + fun.Sel.Name + 
"(" + basiclit.Value + ")"
+                                       if r.pattern.MatchString(string) {
+                                               return gosec.NewIssue(ctx, 
assign, r.ID(), r.What, r.Severity, r.Confidence), nil
+                                       }
+                               }
+                       }
+               }
+       }
+       return nil, nil
+}
+
+// NewDirectoryTraversal attempts to find the use of http.Dir("/")
+func NewDirectoryTraversal(id string, conf gosec.Config) (gosec.Rule, 
[]ast.Node) {
+       pattern := `http\.Dir\("\/"\)|http\.Dir\('\/'\)`
+       if val, ok := conf["G101"]; ok {
+               conf := val.(map[string]interface{})
+               if configPattern, ok := conf["pattern"]; ok {
+                       if cfgPattern, ok := configPattern.(string); ok {
+                               pattern = cfgPattern
+                       }
+               }
+       }
+
+       return &traversal{
+               pattern: regexp.MustCompile(pattern),
+               MetaData: gosec.MetaData{
+                       ID:         id,
+                       What:       "Potential directory traversal",
+                       Confidence: gosec.Medium,
+                       Severity:   gosec.Medium,
+               },
+       }, []ast.Node{(*ast.CallExpr)(nil)}
+}
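Review bot: `NewDirectoryTraversal` reads its override pattern from `conf["G101"]` although the rule is registered as G111 and receives its own id as `id`; a user who customises the G101 (hard-coded credentials) pattern will unknowingly replace the `http.Dir("/")` regex, and a `G111` section in the config is ignored. Use `if val, ok := conf[id]; ok {` and check the shape rather than asserting it, `if ruleConf, ok := val.(map[string]interface{}); ok {`, since the bare `val.(map[string]interface{})` on the next line panics on a mis-shaped config. `regexp.MustCompile(pattern)` likewise panics on an invalid user-supplied regex; the constructor's `(gosec.Rule, []ast.Node)` signature leaves no error path, so at minimum say so in the doc comment. In `matchCallExpr`, the local named `string` shadows the builtin type — `callSig` reads better.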
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/rules/rulelist.go 
new/gosec-2.11.0/rules/rulelist.go
--- old/gosec-2.10.0/rules/rulelist.go  2022-02-22 21:33:42.000000000 +0100
+++ new/gosec-2.11.0/rules/rulelist.go  2022-03-21 16:53:22.000000000 +0100
@@ -73,6 +73,7 @@
                {"G108", "Profiling endpoint is automatically exposed", 
NewPprofCheck},
                {"G109", "Converting strconv.Atoi result to int32/int16", 
NewIntegerOverflowCheck},
                {"G110", "Detect io.Copy instead of io.CopyN when 
decompression", NewDecompressionBombCheck},
+               {"G111", "Detect http.Dir('/') as a potential risk", 
NewDirectoryTraversal},
 
                // injection
                {"G201", "SQL query construction using format string", 
NewSQLStrFormat},
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/rules/rules_test.go 
new/gosec-2.11.0/rules/rules_test.go
--- old/gosec-2.10.0/rules/rules_test.go        2022-02-22 21:33:42.000000000 
+0100
+++ new/gosec-2.11.0/rules/rules_test.go        2022-03-21 16:53:22.000000000 
+0100
@@ -90,6 +90,10 @@
                        runner("G110", testutils.SampleCodeG110)
                })
 
+               It("should detect potential directory traversal", func() {
+                       runner("G111", testutils.SampleCodeG111)
+               })
+
                It("should detect sql injection via format strings", func() {
                        runner("G201", testutils.SampleCodeG201)
                })
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.10.0/testutils/source.go 
new/gosec-2.11.0/testutils/source.go
--- old/gosec-2.10.0/testutils/source.go        2022-02-22 21:33:42.000000000 
+0100
+++ new/gosec-2.11.0/testutils/source.go        2022-03-21 16:53:22.000000000 
+0100
@@ -982,6 +982,29 @@
 }`}, 0, gosec.NewConfig()},
        }
 
+       // SampleCodeG111 - potential directory traversal
+       SampleCodeG111 = []CodeSample{
+               {[]string{`
+package main
+
+import (
+       "fmt"
+       "log"
+       "net/http"
+       "os"
+)
+
+func main() {
+       http.Handle("/bad/", http.StripPrefix("/bad/", 
http.FileServer(http.Dir("/"))))
+       http.HandleFunc("/", HelloServer)
+       log.Fatal(http.ListenAndServe(":"+os.Getenv("PORT"), nil))
+}
+
+func HelloServer(w http.ResponseWriter, r *http.Request) {
+       fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
+}`}, 1, gosec.NewConfig()},
+       }
+
        // SampleCodeG201 - SQL injection via format string
        SampleCodeG201 = []CodeSample{
                {[]string{`

++++++ vendor.tar.gz ++++++
++++ 54339 lines of diff (skipped)
