
Small update to G201 and added ConcatString Function (#228)

This commit is contained in:
cschoenduve-splunk
2018-08-19 10:57:36 -07:00
committed by Cosmin Cojocar
parent 1c438e36af
commit a7cff91312
2 changed files with 35 additions and 0 deletions


@@ -106,6 +106,16 @@ func (s *sqlStrFormat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error)
// TODO(gm) improve confidence if database/sql is being used
if node := s.calls.ContainsCallExpr(n, c); node != nil {
// concats callexpr arg strings together if needed before regex evaluation
if argExpr, ok := node.Args[0].(*ast.BinaryExpr); ok {
if fullStr, ok := gosec.ConcatString(argExpr); ok {
if s.MatchPatterns(fullStr) {
return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence),
nil
}
}
}
if arg, e := gosec.GetString(node.Args[0]); s.MatchPatterns(arg) && e == nil {
return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
}