From 40fa36d1de69eaa5b7374d0fba7c11088218ade5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ville=20Skytt=C3=A4?=
Date: Tue, 9 Nov 2021 22:13:45 +0200
Subject: [PATCH] G303: catch with os.WriteFile, add os.Create test case (#718)

* Add G303 os.Create test case
* Catch G303 with os.WriteFile too
---
 rules/tempfiles.go  |  2 +-
 testutils/source.go | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/rules/tempfiles.go b/rules/tempfiles.go
index 36f0f97..a2aed07 100644
--- a/rules/tempfiles.go
+++ b/rules/tempfiles.go
@@ -44,7 +44,7 @@ func (t *badTempFile) Match(n ast.Node, c *gosec.Context) (gi *gosec.Issue, err
 func NewBadTempFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 	calls := gosec.NewCallList()
 	calls.Add("io/ioutil", "WriteFile")
-	calls.Add("os", "Create")
+	calls.AddAll("os", "Create", "WriteFile")
 	return &badTempFile{
 		calls: calls,
 		args:  regexp.MustCompile(`^/tmp/.*$|^/var/tmp/.*$`),
diff --git a/testutils/source.go b/testutils/source.go
index 766becb..b389db2 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -1757,6 +1757,7 @@ package samples
 import (
 	"fmt"
 	"io/ioutil"
+	"os"
 )
 
 func main() {
@@ -1764,7 +1765,17 @@ func main() {
 	if err != nil {
 		fmt.Println("Error while writing!")
 	}
-}`}, 1, gosec.NewConfig()}}
+	f, err := os.Create("/tmp/demo2")
+	if err != nil {
+		fmt.Println("Error while writing!")
+	} else if err = f.Close(); err != nil {
+		fmt.Println("Error while closing!")
+	}
+	err = os.WriteFile("/tmp/demo2", []byte("This is some data"), 0644)
+	if err != nil {
+		fmt.Println("Error while writing!")
+	}
+}`}, 3, gosec.NewConfig()}}
 
 // SampleCodeG304 - potential file inclusion vulnerability
 SampleCodeG304 = []CodeSample{{[]string{`
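Review bot: The new `calls.AddAll("os", "Create", "WriteFile")` still leaves `os.OpenFile` out of the call list, so a file created under `/tmp` via `os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0600)` is the same predictable-path pattern yet goes unreported by G303; if that gap is deliberate, a comment such as `// os.OpenFile is not matched here: whether it creates a file depends on its flags` would record the decision for the next reader. The path is the first argument of all three matched calls (`ioutil.WriteFile`, `os.Create`, `os.WriteFile`), so the `args` regexp on the following lines applies unchanged, assuming `Match` (outside this hunk) inspects argument 0. NewBadTempFile's body continues past the end of the hunk.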
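Review bot: The expected issue count moves from 1 to 3, but every path in the sample sits under `/tmp/`, so the `/var/tmp/` alternative of the rule's regexp and the non-matching case (a path outside both directories, or `os.CreateTemp`) stay unexercised; adding a negative sample would confirm the new `os.WriteFile` match does not over-report. The `os.Create` error branch prints `"Error while writing!"` although nothing is written at that point; `fmt.Println("Error while creating!")` would read accurately and keep the three messages distinguishable in test output. The sample now also needs a Go 1.16+ toolchain for `os.WriteFile`, which is presumably already the project's minimum.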