mirror of
https://github.com/securego/gosec.git
synced 2025-01-16 02:33:33 +02:00
fileperms: bitwise permission comparison (#883)
* fileperms: extract existing mode comparison logic * fileperms: add failing test * fileperms: bitwise permission comparison
This commit is contained in:
parent
1af1d5bb49
commit
cf63541008
@ -50,11 +50,15 @@ func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMod
|
||||
return mode
|
||||
}
|
||||
|
||||
func modeIsSubset(subset int64, superset int64) bool {
|
||||
return (subset | superset) == superset
|
||||
}
|
||||
|
||||
func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
|
||||
for _, pkg := range r.pkgs {
|
||||
if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
|
||||
modeArg := callexpr.Args[len(callexpr.Args)-1]
|
||||
if mode, err := gosec.GetInt(modeArg); err == nil && mode > r.mode {
|
||||
if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) {
|
||||
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
|
||||
}
|
||||
}
|
||||
|
15
rules/fileperms_test.go
Normal file
15
rules/fileperms_test.go
Normal file
@ -0,0 +1,15 @@
|
||||
package rules
|
||||
|
||||
import (
|
||||
. "github.com/onsi/ginkgo/v2"
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
var _ = Describe("modeIsSubset", func() {
|
||||
It("it compares modes correctly", func() {
|
||||
Expect(modeIsSubset(0o600, 0o600)).To(BeTrue())
|
||||
Expect(modeIsSubset(0o400, 0o600)).To(BeTrue())
|
||||
Expect(modeIsSubset(0o644, 0o600)).To(BeFalse())
|
||||
Expect(modeIsSubset(0o466, 0o600)).To(BeFalse())
|
||||
})
|
||||
})
|
Loading…
Reference in New Issue
Block a user