Migrated old test cases.

2025-07-09 00:45:40 +02:00 · 2017-12-28 16:54:10 +10:00
parent 25d74c6b20
commit e925d3c347
6 changed files with 562 additions and 40 deletions
--- a/testutils/source.go
+++ b/testutils/source.go
@ -166,6 +166,269 @@ func main() {
 	fmt.Println(e)
 }`, 0}}

+	// SampleCodeG105 - bignum overflow
+	SampleCodeG105 = []CodeSample{{`
+package main
+import (
+	"math/big"
+)
+func main() {
+	z := new(big.Int)
+	x := new(big.Int)
+	x = x.SetUint64(2)
+	y := new(big.Int)
+    y = y.SetUint64(4)
+   	m := new(big.Int)
+    m = m.SetUint64(0)
+    z = z.Exp(x, y, m)
+}`, 1}}
+
+	// SampleCodeG201 - SQL injection via format string
+	SampleCodeG201 = []CodeSample{
+		{`
+// Format string without proper quoting
+package main
+import (
+	"database/sql"
+	"fmt"
+	"os"
+	//_ "github.com/mattn/go-sqlite3"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1])
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}`, 1}, {
+			`
+// Format string false positive
+package main
+import (
+		"database/sql"
+		//_ "github.com/mattn/go-sqlite3"
+)
+var staticQuery = "SELECT * FROM foo WHERE age < 32"
+func main(){
+		db, err := sql.Open("sqlite3", ":memory:")
+		if err != nil {
+				panic(err)
+		}
+		rows, err := db.Query(staticQuery)
+		if err != nil {
+				panic(err)
+		}
+		defer rows.Close()
+}`, 0}}
+
+	// SampleCodeG202 - SQL query string building via string concatenation
+	SampleCodeG202 = []CodeSample{
+		{`
+package main
+import (
+	"database/sql"
+	//_ "github.com/mattn/go-sqlite3"
+	"os"
+)
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	rows, err := db.Query("SELECT * FROM foo WHERE name = " + os.Args[1])
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}`, 1}, {`
+// false positive
+package main
+import (
+	"database/sql"
+	//_ "github.com/mattn/go-sqlite3"
+)
+var staticQuery = "SELECT * FROM foo WHERE age < "
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+    if err != nil {
+		panic(err)
+	}
+	rows, err := db.Query(staticQuery + "32")
+	if err != nil {
+		panic(err)
+	}
+    defer rows.Close()
+}`, 0}, {`
+package main
+import (
+		"database/sql"
+		//_ "github.com/mattn/go-sqlite3"
+)
+const age = "32"
+var staticQuery = "SELECT * FROM foo WHERE age < "
+func main(){
+		db, err := sql.Open("sqlite3", ":memory:")
+		if err != nil {
+				panic(err)
+		}
+		rows, err := db.Query(staticQuery + age)
+		if err != nil {
+				panic(err)
+		}
+		defer rows.Close()
+}
+`, 0}}
+
+	// SampleCodeG203 - Template checks
+	SampleCodeG203 = []CodeSample{
+		{`
+// We assume that hardcoded template strings are safe as the programmer would
+// need to be explicitly shooting themselves in the foot (as below)
+package main
+import (
+	"html/template"
+	"os"
+)
+const tmpl = ""
+func main() {
+	t := template.Must(template.New("ex").Parse(tmpl))
+	v := map[string]interface{}{
+		"Title":    "Test <b>World</b>",
+		"Body":     template.HTML("<script>alert(1)</script>"),
+	}
+	t.Execute(os.Stdout, v)
+}`, 0}, {
+			`
+// Using a variable to initialize could potentially be dangerous. Under the
+// current model this will likely produce some false positives.
+package main
+import (
+	"html/template"
+	"os"
+)
+const tmpl = ""
+func main() {
+	a := "something from another place"
+	t := template.Must(template.New("ex").Parse(tmpl))
+	v := map[string]interface{}{
+		"Title":    "Test <b>World</b>",
+		"Body":     template.HTML(a),
+	}
+	t.Execute(os.Stdout, v)
+}`, 1}, {
+			`
+package main
+import (
+	"html/template"
+	"os"
+)
+const tmpl = ""
+func main() {
+	a := "something from another place"
+	t := template.Must(template.New("ex").Parse(tmpl))
+	v := map[string]interface{}{
+		"Title":    "Test <b>World</b>",
+		"Body":     template.JS(a),
+	}
+	t.Execute(os.Stdout, v)
+}`, 1}, {
+			`
+package main
+import (
+	"html/template"
+	"os"
+)
+const tmpl = ""
+func main() {
+	a := "something from another place"
+	t := template.Must(template.New("ex").Parse(tmpl))
+	v := map[string]interface{}{
+		"Title":    "Test <b>World</b>",
+		"Body":     template.URL(a),
+	}
+	t.Execute(os.Stdout, v)
+}`, 1}}
+
+	// SampleCodeG204 - Subprocess auditing
+	SampleCodeG204 = []CodeSample{{`
+package main
+import "syscall"
+func main() {
+	syscall.Exec("/bin/cat", []string{ "/etc/passwd" }, nil)
+}`, 1}, {`
+package main
+import (
+	"log"
+	"os/exec"
+)
+func main() {
+	cmd := exec.Command("sleep", "5")
+	err := cmd.Start()
+ 	if err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("Waiting for command to finish...")
+  	err = cmd.Wait()
+  	log.Printf("Command finished with error: %v", err)
+}`, 1}, {`
+package main
+import (
+	"log"
+	"os"
+	"os/exec"
+)
+func main() {
+	run := "sleep" + os.Getenv("SOMETHING")
+	cmd := exec.Command(run, "5")
+	err := cmd.Start()
+	if err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("Waiting for command to finish...")
+	err = cmd.Wait()
+	log.Printf("Command finished with error: %v", err)
+}`, 1}}
+
+	// SampleCodeG301 - mkdir permission check
+	SampleCodeG301 = []CodeSample{{`
+package main
+import "os"
+func main() {
+	os.Mkdir("/tmp/mydir", 0777)
+	os.Mkdir("/tmp/mydir", 0600)
+	os.MkdirAll("/tmp/mydir/mysubidr", 0775)
+}`, 2}}
+
+	// SampleCodeG302 - file create / chmod permissions check
+	SampleCodeG302 = []CodeSample{{`
+package main
+import "os"
+func main() {
+	os.Chmod("/tmp/somefile", 0777)
+	os.Chmod("/tmp/someotherfile", 0600)
+	os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
+	os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
+}`, 2}}
+
+	// SampleCodeG303 - bad tempfile permissions & hardcoded shared path
+	SampleCodeG303 = []CodeSample{{`
+package samples
+import (
+	"io/ioutil"
+	"os"
+)
+func main() {
+	file1, _ := os.Create("/tmp/demo1")
+	defer file1.Close()
+	ioutil.WriteFile("/tmp/demo2", []byte("This is some data"), 0644)
+}`, 2}}
+
 	// SampleCodeG401 - Use of weak crypto MD5
 	SampleCodeG401 = []CodeSample{
 		{`
@ -190,4 +453,200 @@ func main() {
 	}
 	fmt.Printf("%x", h.Sum(nil))
 }`, 1}}
+
+	// SampleCodeG402 - TLS settings
+	SampleCodeG402 = []CodeSample{{`
+// InsecureSkipVerify
+package main
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+)
+func main() {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+
+	client := &http.Client{Transport: tr}
+	_, err := client.Get("https://golang.org/")
+	if err != nil {
+		fmt.Println(err)
+	}
+}`, 1}, {
+		`
+// Insecure minimum version
+package main
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+)
+func main() {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{MinVersion: 0},
+	}
+	client := &http.Client{Transport: tr}
+	_, err := client.Get("https://golang.org/")
+	if err != nil {
+		fmt.Println(err)
+	}
+}`, 1}, {`
+// Insecure max version
+package main
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+)
+func main() {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{MaxVersion: 0},
+	}
+	client := &http.Client{Transport: tr}
+	_, err := client.Get("https://golang.org/")
+	if err != nil {
+		fmt.Println(err)
+	}
+}
+`, 1}, {
+		`
+// Insecure ciphersuite selection
+package main
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+)
+func main() {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{CipherSuites: []uint16{
+						tls.TLS_RSA_WITH_RC4_128_SHA,
+						tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+						},},
+	}
+	client := &http.Client{Transport: tr}
+	_, err := client.Get("https://golang.org/")
+	if err != nil {
+		fmt.Println(err)
+	}
+}`, 1}}
+
+	// SampleCodeG403 - weak key strength
+	SampleCodeG403 = []CodeSample{
+		{`
+package main
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"fmt"
+)
+func main() {
+	//Generate Private Key
+	pvk, err := rsa.GenerateKey(rand.Reader, 1024)
+	if err != nil {
+		fmt.Println(err)
+	}
+	fmt.Println(pvk)
+}`, 1}}
+
+	// SampleCodeG404 - weak random number
+	SampleCodeG404 = []CodeSample{
+		{`
+package main
+import "crypto/rand"
+func main() {
+	good, _ := rand.Read(nil)
+	println(good)
+}`, 0}, {`
+package main
+import "math/rand"
+func main() {
+	bad := rand.Int()
+	println(bad)
+}`, 1}, {`
+package main
+import (
+	"crypto/rand"
+	mrand "math/rand"
+)
+func main() {
+	good, _ := rand.Read(nil)
+	println(good)
+	i := mrand.Int31()
+	println(i)
+}`, 0}}
+
+	// SampleCode501 - Blacklisted import MD5
+	SampleCodeG501 = []CodeSample{
+		{`
+package main
+import (
+	"crypto/md5"
+	"fmt"
+	"os"
+)
+func main() {
+	for _, arg := range os.Args {
+		fmt.Printf("%x - %s\n", md5.Sum([]byte(arg)), arg)
+	}
+}`, 1}}
+
+	// SampleCode502 - Blacklisted import DES
+	SampleCodeG502 = []CodeSample{
+		{`
+package main
+import (
+	"crypto/cipher"
+	"crypto/des"
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"io"
+)
+func main() {
+	block, err := des.NewCipher([]byte("sekritz"))
+	if err != nil {
+		panic(err)
+	}
+	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
+	ciphertext := make([]byte, des.BlockSize+len(plaintext))
+	iv := ciphertext[:des.BlockSize]
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		panic(err)
+	}
+	stream := cipher.NewCFBEncrypter(block, iv)
+	stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext)
+	fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
+}`, 1}}
+
+	// SampleCodeG503 - Blacklisted import RC4
+	SampleCodeG503 = []CodeSample{{`
+package main
+import (
+	"crypto/rc4"
+	"encoding/hex"
+	"fmt"
+)
+func main() {
+	cipher, err := rc4.NewCipher([]byte("sekritz"))
+	if err != nil {
+		panic(err)
+	}
+	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
+	ciphertext := make([]byte, len(plaintext))
+	cipher.XORKeyStream(ciphertext, plaintext)
+	fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
+}`, 1}}
+
+	// SampleCodeG504 - Blacklisted import CGI
+	SampleCodeG504 = []CodeSample{{`
+package main
+import (
+	"net/http/cgi"
+	"net/http"
+ )
+func main() {
+	cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
+}`, 1}}
 )