Eshani Parulekar
506407e7df
feat(G304): add os.Root remediation hint (Autofix) when Go >= 1.24
2025-09-16 14:37:06 +00:00
Eshani Parulekar
e81fba3c3a
refactor(G304): remove unused trackJoin helper; no functional change
2025-09-12 13:52:23 +00:00
Eshani Parulekar
ab078db7b0
style: gofmt rules/readfile.go
2025-09-12 13:52:23 +00:00
Eshani Parulekar
79f835d9c7
rules(G304): analyze only path arg; ignore flag/perm vars; track Clean and safe Join; fix nil-context panic

- Limit G304 checks to first arg (path) for os.Open/OpenFile/ReadFile, avoiding false positives when flag/perm are variables
- Track filepath.Clean so cleaned identifiers are treated as safe
- Consider safe joins: filepath.Join(const|resolvedBase, Clean(var)|cleanedIdent)
- Record Join(...) assigned to identifiers and allow if later cleaned
- Fix panic by passing non-nil context in trackJoinAssignStmt
- All rules tests: 42 passed
2025-09-12 13:52:23 +00:00
Cosmin Cojocar
417a44c73b
Add filepath.EvalSymlinks to clean functions in rule G304
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-13 17:19:29 +02:00
Cosmin Cojocar
6a73248135
Fix some linting warnings
2023-03-20 10:25:45 +01:00
Rick Moran
f823a7e92b
Check nil pointer when variable is declared in a different file
2023-03-08 14:42:45 +01:00
Cosmin Cojocar
de2c6a36fa
Extract the issue in its own package
2023-02-16 09:45:28 +01:00
Cosmin Cojocar
c5d217da7a
Update Go version in CI script (#913)
* Update Go version in CI script
* Introduce back an additional check for filepath clean to fix the unit tests
2023-01-09 16:49:02 +01:00
Cosmin Cojocar
5874e63c9e
Track back when a file path was sanitized with filepath.Clean (#912)
* Track back when a file path was sanitized with filepath.Clean
* Remove unused argument to fix lint warnings
2023-01-09 16:26:20 +01:00
Cosmin Cojocar
7be6d4efb5
Add os.Create to the readfile rule (#761)
2022-01-12 19:33:17 +01:00
Eng Zer Jun
7fd4aef9dc
feat: add os.ReadFile to G304 (#706)
In Go 1.16 or higher, the `io/ioutil` has been deprecated and the
`ioutil.ReadFile` function now calls `os.ReadFile`.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 09:53:26 +02:00
Cosmin Cojocar
f13b8bc639
Add also filepath.Rel as a sanitization method for input argument in the G304 rule
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
1d2c951f2c
Extend the rule G304 with os.OpenFile and add a test to cover it
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-17 13:14:08 +02:00
Cosmin Cojocar
c6e10af40f
Handle properly the gosec module version v2
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
Cosmin Cojocar
3e069e7756
Fix the errors rule whitelist to work on types methods
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-29 09:41:46 +01:00
Oleksandr Redko
3116b07de4
Fix typos in comments and rulelist (#256)
2018-10-11 14:45:31 +02:00
Dale Hui
762ff3a709
Allow quoted strings to be used to format SQL queries (#240)
* Support stripping vendor paths when matching calls
* Factor out matching of formatter string
* Quoted strings are safe to use with SQL str formatted strings
* Add test for allowing quoted strings with string formatters
* Install the pq package for tests to pass
2018-09-25 10:40:05 +03:00
cschoenduve-splunk
7fd94463ed
update to G304 which adds binary expressions and file joining (#233)
* Added features to G304
* Linted
* Added path selectors
* Used better solution
* removed debugging lines
* fixed comments
* Added test code
* fixed a spacing change
2018-08-28 14:34:07 +10:00
Cosmin Cojocar
893b87b343
Replace gas with gosec everywhere in the project
2018-07-19 18:42:25 +02:00
Grant Murphy
da26f64208
Rename github org (#214)
2018-07-19 17:40:28 +10:00
jonmcclintock
2115402409
Add the rule ID to issues (#188)
2018-03-12 18:18:44 +10:00
Grant Murphy
66aea5cd99
fix gofmt errors
2018-03-09 12:49:01 +10:00
Grant Murphy
90fe5cb5ab
Port readfile rule to include ID and metadata
2018-03-09 11:27:41 +10:00
coredefend
e76b258456
New Rule Tainted file (#183)
* Add a tool to generate the TLS configuration from Mozilla's ciphers recommendation (#178)
* Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the comments of the generated functions
* Add nil pointer check to rule. (#181)
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.
Relates to #174
* Add support for YAML output format (#177)
* Add YAML output format
* Update README
* added rule to check for tainted file path
* added #nosec to main/issue.go
* updated test case import
2018-03-09 09:23:27 +10:00