2018-07-19 18:42:25 +02:00
|
|
|
package gosec_test
|
2016-11-17 20:18:31 -08:00
|
|
|
|
|
|
|
import (
|
2020-01-28 14:11:00 +01:00
|
|
|
"go/ast"
|
2019-04-25 15:11:31 +02:00
|
|
|
"os"
|
2019-06-24 14:10:51 +02:00
|
|
|
"path/filepath"
|
2019-04-25 15:11:31 +02:00
|
|
|
"regexp"
|
|
|
|
|
2022-01-03 18:11:35 +01:00
|
|
|
. "github.com/onsi/ginkgo/v2"
|
2019-04-25 15:11:31 +02:00
|
|
|
. "github.com/onsi/gomega"
|
2023-03-30 09:31:24 +02:00
|
|
|
|
2020-04-01 22:18:39 +02:00
|
|
|
"github.com/securego/gosec/v2"
|
|
|
|
"github.com/securego/gosec/v2/testutils"
|
2016-11-17 20:18:31 -08:00
|
|
|
)
|
|
|
|
|
2017-07-19 15:17:00 -06:00
|
|
|
var _ = Describe("Helpers", func() {
|
2021-05-07 18:04:01 +02:00
|
|
|
Context("when listing package paths", func() {
|
2019-04-25 15:11:31 +02:00
|
|
|
var dir string
|
|
|
|
JustBeforeEach(func() {
|
|
|
|
var err error
|
2022-08-08 10:37:43 +02:00
|
|
|
dir, err = os.MkdirTemp("", "gosec")
|
2019-04-25 15:11:31 +02:00
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
2022-08-08 10:37:43 +02:00
|
|
|
_, err = os.MkdirTemp(dir, "test*.go")
|
2019-04-25 15:11:31 +02:00
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
})
|
2019-04-27 08:30:13 +02:00
|
|
|
AfterEach(func() {
|
2019-04-25 15:11:31 +02:00
|
|
|
err := os.RemoveAll(dir)
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
})
|
|
|
|
It("should return the root directory as package path", func() {
|
|
|
|
paths, err := gosec.PackagePaths(dir, nil)
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
Expect(paths).Should(Equal([]string{dir}))
|
|
|
|
})
|
2023-05-26 18:03:54 +03:00
|
|
|
It("should return the package path", func() {
|
2019-04-25 15:11:31 +02:00
|
|
|
paths, err := gosec.PackagePaths(dir+"/...", nil)
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
Expect(paths).Should(Equal([]string{dir}))
|
|
|
|
})
|
|
|
|
It("should exclude folder", func() {
|
|
|
|
nested := dir + "/vendor"
|
2021-08-18 13:16:21 +02:00
|
|
|
err := os.Mkdir(nested, 0o755)
|
2019-04-25 15:11:31 +02:00
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
_, err = os.Create(nested + "/test.go")
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
exclude, err := regexp.Compile(`([\\/])?vendor([\\/])?`)
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
2019-09-09 14:01:36 +02:00
|
|
|
paths, err := gosec.PackagePaths(dir+"/...", []*regexp.Regexp{exclude})
|
2019-04-25 15:11:31 +02:00
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
Expect(paths).Should(Equal([]string{dir}))
|
|
|
|
})
|
2021-08-04 17:31:16 +02:00
|
|
|
It("should exclude folder with subpath", func() {
|
|
|
|
nested := dir + "/pkg/generated"
|
2021-08-18 13:16:21 +02:00
|
|
|
err := os.MkdirAll(nested, 0o755)
|
2021-08-04 17:31:16 +02:00
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
_, err = os.Create(nested + "/test.go")
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
exclude, err := regexp.Compile(`([\\/])?/pkg\/generated([\\/])?`)
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
paths, err := gosec.PackagePaths(dir+"/...", []*regexp.Regexp{exclude})
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
Expect(paths).Should(Equal([]string{dir}))
|
|
|
|
})
|
2019-04-25 15:11:31 +02:00
|
|
|
It("should be empty when folder does not exist", func() {
|
|
|
|
nested := dir + "/test"
|
|
|
|
paths, err := gosec.PackagePaths(nested+"/...", nil)
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
Expect(paths).Should(BeEmpty())
|
2017-07-19 15:17:00 -06:00
|
|
|
})
|
|
|
|
})
|
2019-06-24 14:10:51 +02:00
|
|
|
|
|
|
|
Context("when getting the root path", func() {
|
|
|
|
It("should return the absolute path from relative path", func() {
|
|
|
|
base := "test"
|
|
|
|
cwd, err := os.Getwd()
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
root, err := gosec.RootPath(base)
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
Expect(root).Should(Equal(filepath.Join(cwd, base)))
|
|
|
|
})
|
2021-08-04 17:31:16 +02:00
|
|
|
It("should return the absolute path from ellipsis path", func() {
|
2019-06-24 14:10:51 +02:00
|
|
|
base := "test"
|
|
|
|
cwd, err := os.Getwd()
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
root, err := gosec.RootPath(filepath.Join(base, "..."))
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
Expect(root).Should(Equal(filepath.Join(cwd, base)))
|
|
|
|
})
|
|
|
|
})
|
2019-09-09 14:01:36 +02:00
|
|
|
|
|
|
|
Context("when excluding the dirs", func() {
|
|
|
|
It("should create a proper regexp", func() {
|
|
|
|
r := gosec.ExcludedDirsRegExp([]string{"test"})
|
2023-04-04 08:52:59 +02:00
|
|
|
Expect(r).Should(HaveLen(1))
|
2019-09-09 14:01:36 +02:00
|
|
|
match := r[0].MatchString("/home/go/src/project/test/pkg")
|
|
|
|
Expect(match).Should(BeTrue())
|
|
|
|
match = r[0].MatchString("/home/go/src/project/vendor/pkg")
|
|
|
|
Expect(match).Should(BeFalse())
|
|
|
|
})
|
|
|
|
|
2021-08-04 17:31:16 +02:00
|
|
|
It("should create a proper regexp for dir with subdir", func() {
|
|
|
|
r := gosec.ExcludedDirsRegExp([]string{`test/generated`})
|
2023-04-04 08:52:59 +02:00
|
|
|
Expect(r).Should(HaveLen(1))
|
2021-08-04 17:31:16 +02:00
|
|
|
match := r[0].MatchString("/home/go/src/project/test/generated")
|
|
|
|
Expect(match).Should(BeTrue())
|
|
|
|
match = r[0].MatchString("/home/go/src/project/test/pkg")
|
|
|
|
Expect(match).Should(BeFalse())
|
|
|
|
match = r[0].MatchString("/home/go/src/project/vendor/pkg")
|
|
|
|
Expect(match).Should(BeFalse())
|
|
|
|
})
|
|
|
|
|
2019-09-09 14:01:36 +02:00
|
|
|
It("should create no regexp when dir list is empty", func() {
|
|
|
|
r := gosec.ExcludedDirsRegExp(nil)
|
2023-04-04 08:52:59 +02:00
|
|
|
Expect(r).Should(BeEmpty())
|
2019-09-09 14:01:36 +02:00
|
|
|
r = gosec.ExcludedDirsRegExp([]string{})
|
2023-04-04 08:52:59 +02:00
|
|
|
Expect(r).Should(BeEmpty())
|
2019-09-09 14:01:36 +02:00
|
|
|
})
|
|
|
|
})
|
2020-01-28 14:11:00 +01:00
|
|
|
|
|
|
|
Context("when getting call info", func() {
|
|
|
|
It("should return the type and call name for selector expression", func() {
|
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("main.go", `
|
|
|
|
package main
|
|
|
|
|
|
|
|
import(
|
|
|
|
"bytes"
|
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
b := new(bytes.Buffer)
|
|
|
|
_, err := b.WriteString("test")
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`)
|
|
|
|
ctx := pkg.CreateContext("main.go")
|
|
|
|
result := map[string]string{}
|
|
|
|
visitor := testutils.NewMockVisitor()
|
|
|
|
visitor.Context = ctx
|
|
|
|
visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
|
|
|
typeName, call, err := gosec.GetCallInfo(n, ctx)
|
|
|
|
if err == nil {
|
|
|
|
result[typeName] = call
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
ast.Walk(visitor, ctx.Root)
|
|
|
|
|
|
|
|
Expect(result).Should(HaveKeyWithValue("*bytes.Buffer", "WriteString"))
|
|
|
|
})
|
|
|
|
|
|
|
|
It("should return the type and call name for new selector expression", func() {
|
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("main.go", `
|
|
|
|
package main
|
|
|
|
|
|
|
|
import(
|
|
|
|
"bytes"
|
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
_, err := new(bytes.Buffer).WriteString("test")
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`)
|
|
|
|
ctx := pkg.CreateContext("main.go")
|
|
|
|
result := map[string]string{}
|
|
|
|
visitor := testutils.NewMockVisitor()
|
|
|
|
visitor.Context = ctx
|
|
|
|
visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
|
|
|
typeName, call, err := gosec.GetCallInfo(n, ctx)
|
|
|
|
if err == nil {
|
|
|
|
result[typeName] = call
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
ast.Walk(visitor, ctx.Root)
|
|
|
|
|
|
|
|
Expect(result).Should(HaveKeyWithValue("bytes.Buffer", "WriteString"))
|
|
|
|
})
|
|
|
|
|
|
|
|
It("should return the type and call name for function selector expression", func() {
|
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("main.go", `
|
|
|
|
package main
|
|
|
|
|
|
|
|
import(
|
|
|
|
"bytes"
|
|
|
|
)
|
|
|
|
|
|
|
|
func createBuffer() *bytes.Buffer {
|
|
|
|
return new(bytes.Buffer)
|
|
|
|
}
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
_, err := createBuffer().WriteString("test")
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`)
|
|
|
|
ctx := pkg.CreateContext("main.go")
|
|
|
|
result := map[string]string{}
|
|
|
|
visitor := testutils.NewMockVisitor()
|
|
|
|
visitor.Context = ctx
|
|
|
|
visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
|
|
|
typeName, call, err := gosec.GetCallInfo(n, ctx)
|
|
|
|
if err == nil {
|
|
|
|
result[typeName] = call
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
ast.Walk(visitor, ctx.Root)
|
|
|
|
|
|
|
|
Expect(result).Should(HaveKeyWithValue("*bytes.Buffer", "WriteString"))
|
|
|
|
})
|
|
|
|
|
|
|
|
It("should return the type and call name for package function", func() {
|
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("main.go", `
|
|
|
|
package main
|
|
|
|
|
|
|
|
import(
|
|
|
|
"fmt"
|
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
fmt.Println("test")
|
|
|
|
}
|
|
|
|
`)
|
|
|
|
ctx := pkg.CreateContext("main.go")
|
|
|
|
result := map[string]string{}
|
|
|
|
visitor := testutils.NewMockVisitor()
|
|
|
|
visitor.Context = ctx
|
|
|
|
visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
|
|
|
typeName, call, err := gosec.GetCallInfo(n, ctx)
|
|
|
|
if err == nil {
|
|
|
|
result[typeName] = call
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
ast.Walk(visitor, ctx.Root)
|
|
|
|
|
|
|
|
Expect(result).Should(HaveKeyWithValue("fmt", "Println"))
|
|
|
|
})
|
2023-10-12 10:01:41 +02:00
|
|
|
|
2023-10-12 10:08:25 +02:00
|
|
|
It("should return the type and call name when built-in new function is overridden", func() {
|
2023-10-12 10:01:41 +02:00
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("main.go", `
|
|
|
|
package main
|
|
|
|
|
|
|
|
type S struct{ F int }
|
|
|
|
|
|
|
|
func (f S) Fun() {}
|
|
|
|
|
|
|
|
func new() S { return S{} }
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
new().Fun()
|
|
|
|
}
|
|
|
|
`)
|
|
|
|
ctx := pkg.CreateContext("main.go")
|
|
|
|
result := map[string]string{}
|
|
|
|
visitor := testutils.NewMockVisitor()
|
|
|
|
visitor.Context = ctx
|
|
|
|
visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
|
|
|
typeName, call, err := gosec.GetCallInfo(n, ctx)
|
|
|
|
if err == nil {
|
|
|
|
result[typeName] = call
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
ast.Walk(visitor, ctx.Root)
|
|
|
|
|
|
|
|
Expect(result).Should(HaveKeyWithValue("main", "new"))
|
|
|
|
})
|
2020-01-28 14:11:00 +01:00
|
|
|
})
|
2020-05-25 15:42:43 +02:00
|
|
|
Context("when getting binary expression operands", func() {
|
2021-04-16 00:50:34 -07:00
|
|
|
It("should return all operands of a binary expression", func() {
|
2020-05-25 15:42:43 +02:00
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("main.go", `
|
|
|
|
package main
|
|
|
|
|
|
|
|
import(
|
|
|
|
"fmt"
|
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
be := "test1" + "test2"
|
|
|
|
fmt.Println(be)
|
|
|
|
}
|
|
|
|
`)
|
|
|
|
ctx := pkg.CreateContext("main.go")
|
|
|
|
var be *ast.BinaryExpr
|
|
|
|
visitor := testutils.NewMockVisitor()
|
|
|
|
visitor.Context = ctx
|
|
|
|
visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
|
|
|
if expr, ok := n.(*ast.BinaryExpr); ok {
|
|
|
|
be = expr
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
ast.Walk(visitor, ctx.Root)
|
|
|
|
|
|
|
|
operands := gosec.GetBinaryExprOperands(be)
|
2023-04-04 08:52:59 +02:00
|
|
|
Expect(operands).Should(HaveLen(2))
|
2020-05-25 15:42:43 +02:00
|
|
|
})
|
2021-04-16 00:50:34 -07:00
|
|
|
It("should return all operands of complex binary expression", func() {
|
2020-05-25 15:42:43 +02:00
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("main.go", `
|
|
|
|
package main
|
|
|
|
|
|
|
|
import(
|
|
|
|
"fmt"
|
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
be := "test1" + "test2" + "test3" + "test4"
|
|
|
|
fmt.Println(be)
|
|
|
|
}
|
|
|
|
`)
|
|
|
|
ctx := pkg.CreateContext("main.go")
|
|
|
|
var be *ast.BinaryExpr
|
|
|
|
visitor := testutils.NewMockVisitor()
|
|
|
|
visitor.Context = ctx
|
|
|
|
visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
|
|
|
if expr, ok := n.(*ast.BinaryExpr); ok {
|
|
|
|
if be == nil {
|
|
|
|
be = expr
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
ast.Walk(visitor, ctx.Root)
|
|
|
|
|
|
|
|
operands := gosec.GetBinaryExprOperands(be)
|
2023-04-04 08:52:59 +02:00
|
|
|
Expect(operands).Should(HaveLen(4))
|
2020-05-25 15:42:43 +02:00
|
|
|
})
|
|
|
|
})
|
2017-07-19 15:17:00 -06:00
|
|
|
})
|