From 5012c34d48945966f52f3f7c0697973c7e9f910b Mon Sep 17 00:00:00 2001
From: Grant Murphy
Date: Mon, 14 Nov 2016 13:57:55 -0800
Subject: [PATCH 1/2] Handle inbalanced declaration of constants

The following code would create a panic condition:

const foo, bar = "some thing"

Fixes #84
---
 rules/hardcoded_credentials.go | 4 ++++
 rules/hardcoded_credentials_test.go | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/rules/hardcoded_credentials.go b/rules/hardcoded_credentials.go
index 45a7993..d9af97e 100644
--- a/rules/hardcoded_credentials.go
+++ b/rules/hardcoded_credentials.go
@@ -59,6 +59,10 @@ func (r *Credentials) matchGenDecl(decl *ast.GenDecl, ctx *gas.Context) (*gas.Is
 if valueSpec, ok := spec.(*ast.ValueSpec); ok {
 for index, ident := range valueSpec.Names {
 if r.pattern.MatchString(ident.Name) {
+ // const foo, bar = "same value"
+ if len(valueSpec.Values) <= index {
+ index = len(valueSpec.Values) - 1
+ }
 if _, ok := valueSpec.Values[index].(*ast.BasicLit); ok {
 return gas.NewIssue(ctx, decl, r.What, r.Severity, r.Confidence), nil
 }
diff --git a/rules/hardcoded_credentials_test.go b/rules/hardcoded_credentials_test.go
index a7a2bd5..23d0e4d 100644
--- a/rules/hardcoded_credentials_test.go
+++ b/rules/hardcoded_credentials_test.go
@@ -79,3 +79,22 @@ func TestHardcodedConstant(t *testing.T) {
 
 checkTestResults(t, issues, 1, "Potential hardcoded credentials")
 }
+
+func TestHardcodedConstantMulti(t *testing.T) {
+ config := map[string]interface{}{"ignoreNosec": false}
+ analyzer := gas.NewAnalyzer(config, nil)
+ analyzer.AddRule(NewHardcodedCredentials(config))
+
+ issues := gasTestRunner(`
+ package samples
+
+ import "fmt"
+
+ const username, password = "secret"
+
+ func main() {
+ fmt.Println("Doing something with: ", username, password)
+ }`, analyzer)
+
+ checkTestResults(t, issues, 1, "Potential hardcoded credentials")
+}
From c7bb2dd3b79ef487466335590467839d8a0e67bf Mon Sep 17 00:00:00 2001
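Review bot: The clamp in the rules/hardcoded_credentials.go hunk reassigns the `range` variable `index`, which reads as if it steered the loop but is simply overwritten by the next iteration; a dedicated local states the intent, e.g. `valueIndex := index` followed by `if valueIndex >= len(valueSpec.Values) { valueIndex = len(valueSpec.Values) - 1 }` and then `valueSpec.Values[valueIndex]`. The clamp also presumes Values is non-empty: for a declaration with no initializer it yields -1 and the index expression on the next line panics, which the second patch in this series guards separately. The comment `// const foo, bar = "same value"` names an example rather than the condition; `// fewer values than names (e.g. const foo, bar = "same value"): fall back to the last value` says what the branch handles. matchGenDecl begins outside the hunk, so only the loop body is visible here.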
From: Grant Murphy
Date: Mon, 14 Nov 2016 15:15:17 -0800
Subject: [PATCH 2/2] Fix additional crash condition

A var GenDecl may not have a value assigned. This error case must be handled.
---
 rules/hardcoded_credentials.go | 2 +-
 rules/hardcoded_credentials_test.go | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/rules/hardcoded_credentials.go b/rules/hardcoded_credentials.go
index d9af97e..3c1a985 100644
--- a/rules/hardcoded_credentials.go
+++ b/rules/hardcoded_credentials.go
@@ -58,7 +58,7 @@ func (r *Credentials) matchGenDecl(decl *ast.GenDecl, ctx *gas.Context) (*gas.Is
 for _, spec := range decl.Specs {
 if valueSpec, ok := spec.(*ast.ValueSpec); ok {
 for index, ident := range valueSpec.Names {
- if r.pattern.MatchString(ident.Name) {
+ if r.pattern.MatchString(ident.Name) && valueSpec.Values != nil {
 // const foo, bar = "same value"
 if len(valueSpec.Values) <= index {
 index = len(valueSpec.Values) - 1
diff --git a/rules/hardcoded_credentials_test.go b/rules/hardcoded_credentials_test.go
index 23d0e4d..0b32e8b 100644
--- a/rules/hardcoded_credentials_test.go
+++ b/rules/hardcoded_credentials_test.go
@@ -98,3 +98,16 @@ func TestHardcodedConstantMulti(t *testing.T) {
 
 checkTestResults(t, issues, 1, "Potential hardcoded credentials")
 }
+
+func TestHardecodedVarsNotAssigned(t *testing.T) {
+ config := map[string]interface{}{"ignoreNosec": false}
+ analyzer := gas.NewAnalyzer(config, nil)
+ analyzer.AddRule(NewHardcodedCredentials(config))
+ issues := gasTestRunner(`
+ package main
+ var password string
+ func init() {
+ password = "this is a secret string"
+ }`, analyzer)
+ checkTestResults(t, issues, 1, "Potential hardcoded credentials")
+}
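Review bot: The guard added in the rules/hardcoded_credentials.go hunk checks `valueSpec.Values != nil`, but what the fallback two lines below actually needs is a non-zero length, so `if r.pattern.MatchString(ident.Name) && len(valueSpec.Values) > 0 {` states the real precondition and also covers an empty non-nil slice (whether go/parser ever produces one I cannot tell from here, but the length form costs nothing and is the idiomatic emptiness test). The enclosing matchGenDecl starts outside the hunk. In the test hunk the new name `TestHardecodedVarsNotAssigned` misspells "Hardcoded" relative to its sibling `TestHardcodedConstantMulti`, and its expectation of one issue for a bare `var password string` is presumably met by the assignment inside `init` being matched on a code path outside this diff; a one-line comment such as `// the declaration carries no value; the issue is expected from the assignment in init` would tell the next reader why the count is 1 rather than 0.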