fix: add more rules for G204 (#677)

* fix: add more rules for G204 * fix: add extra test and comment
2025-11-29 22:37:59 +02:00 · 2021-08-16 19:31:51 +10:00
parent 9f30bb6602
commit 5a131be2ec
2 changed files with 56 additions and 3 deletions
--- a/rules/subproc.go
+++ b/rules/subproc.go
@@ -48,8 +48,32 @@ func (r *subprocess) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
 		for _, arg := range args {
 			if ident, ok := arg.(*ast.Ident); ok {
 				obj := c.Info.ObjectOf(ident)
-				if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) {
-					return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, gosec.High), nil
+
+				// need to cast and check whether it is for a variable ?
+				_, variable := obj.(*types.Var)
+
+				// .. indeed it is a variable then processing is different than a normal
+				// field assignment
+				if variable {
+					switch ident.Obj.Decl.(type) {
+					case *ast.AssignStmt:
+						_, assignment := ident.Obj.Decl.(*ast.AssignStmt)
+						if variable && assignment {
+							if !gosec.TryResolve(ident, c) {
+								return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, gosec.High), nil
+							}
+						}
+					case *ast.Field:
+						_, field := ident.Obj.Decl.(*ast.Field)
+						if variable && field {
+							// check if the variable exist in the scope
+							vv, vvok := obj.(*types.Var)
+
+							if vvok && vv.Parent().Lookup(ident.Name) == nil {
+								return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, gosec.High), nil
+							}
+						}
+					}
 				}
 			} else if !gosec.TryResolve(arg, c) {
 				// the arg is not a constant or a variable but instead a function call or os.Args[i]