go/gosec
go/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2025-03-19 21:08:30 +02:00
Code Issues Releases Activity
gosec/testutils/g304_samples.go
Adam Kaplan 0e2a61899a chore: Refactor Sample Code to Separate Files 
Split the code in `source.go` to individual sample files, one per rule.
This will help contributors submit samples for new rules, or
improvements to existing rules. The cgo sample was all that was left
after refactoring, which resulted in its own sample file.

Sample code was also formatted to have some level of consistency.
Each sample go "file" attempts to keep the formatting of `gofmt`, and
each code sample is in its own section in the sample file.

Signed-off-by: Adam Kaplan <adam@adambkaplan.com>
2023-12-08 14:46:36 +01:00

308 lines
4.8 KiB
Go
Raw Blame History

package testutils
import "github.com/securego/gosec/v2"
var (
// SampleCodeG304 - potential file inclusion vulnerability
SampleCodeG304 = []CodeSample{
{[]string{`
package main
import (
"os"
"io/ioutil"
"log"
)
func main() {
f := os.Getenv("tainted_file")
body, err := ioutil.ReadFile(f)
if err != nil {
log.Printf("Error: %v\n", err)
}
log.Print(body)
}
`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"os"
"log"
)
func main() {
f := os.Getenv("tainted_file")
body, err := os.ReadFile(f)
if err != nil {
log.Printf("Error: %v\n", err)
}
log.Print(body)
}
`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"fmt"
"log"
"net/http"
"os"
)
func main() {
http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) {
title := r.URL.Query().Get("title")
f, err := os.Open(title)
if err != nil {
fmt.Printf("Error: %v\n", err)
}
body := make([]byte, 5)
if _, err = f.Read(body); err != nil {
fmt.Printf("Error: %v\n", err)
}
fmt.Fprintf(w, "%s", body)
})
log.Fatal(http.ListenAndServe(":3000", nil))
}
`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"fmt"
"log"
"net/http"
"os"
)
func main() {
http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) {
title := r.URL.Query().Get("title")
f, err := os.OpenFile(title, os.O_RDWR|os.O_CREATE, 0755)
if err != nil {
fmt.Printf("Error: %v\n", err)
}
body := make([]byte, 5)
if _, err = f.Read(body); err != nil {
fmt.Printf("Error: %v\n", err)
}
fmt.Fprintf(w, "%s", body)
})
log.Fatal(http.ListenAndServe(":3000", nil))
}
`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"log"
"os"
"io/ioutil"
)
func main() {
f2 := os.Getenv("tainted_file2")
body, err := ioutil.ReadFile("/tmp/" + f2)
if err != nil {
log.Printf("Error: %v\n", err)
}
log.Print(body)
}
`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"bufio"
"fmt"
"os"
"path/filepath"
)
func main() {
reader := bufio.NewReader(os.Stdin)
fmt.Print("Please enter file to read: ")
file, _ := reader.ReadString('\n')
file = file[:len(file)-1]
f, err := os.Open(filepath.Join("/tmp/service/", file))
if err != nil {
fmt.Printf("Error: %v\n", err)
}
contents := make([]byte, 15)
if _, err = f.Read(contents); err != nil {
fmt.Printf("Error: %v\n", err)
}
fmt.Println(string(contents))
}
`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"log"
"os"
"io/ioutil"
"path/filepath"
)
func main() {
dir := os.Getenv("server_root")
f3 := os.Getenv("tainted_file3")
// edge case where both a binary expression and file Join are used.
body, err := ioutil.ReadFile(filepath.Join("/var/"+dir, f3))
if err != nil {
log.Printf("Error: %v\n", err)
}
log.Print(body)
}
`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"os"
"path/filepath"
)
func main() {
repoFile := "path_of_file"
cleanRepoFile := filepath.Clean(repoFile)
_, err := os.OpenFile(cleanRepoFile, os.O_RDONLY, 0600)
if err != nil {
panic(err)
}
}
`}, 0, gosec.NewConfig()},
{[]string{`
package main
import (
"os"
"path/filepath"
)
func openFile(filePath string) {
_, err := os.OpenFile(filepath.Clean(filePath), os.O_RDONLY, 0600)
if err != nil {
panic(err)
}
}
func main() {
repoFile := "path_of_file"
openFile(repoFile)
}
`}, 0, gosec.NewConfig()},
{[]string{`
package main
import (
"os"
"path/filepath"
)
func openFile(dir string, filePath string) {
fp := filepath.Join(dir, filePath)
fp = filepath.Clean(fp)
_, err := os.OpenFile(fp, os.O_RDONLY, 0600)
if err != nil {
panic(err)
}
}
func main() {
repoFile := "path_of_file"
dir := "path_of_dir"
openFile(dir, repoFile)
}
`}, 0, gosec.NewConfig()},
{[]string{`
package main
import (
"os"
"path/filepath"
)
func main() {
repoFile := "path_of_file"
relFile, err := filepath.Rel("./", repoFile)
if err != nil {
panic(err)
}
_, err = os.OpenFile(relFile, os.O_RDONLY, 0600)
if err != nil {
panic(err)
}
}
`}, 0, gosec.NewConfig()},
{[]string{`
package main
import (
"io"
"os"
)
func createFile(file string) *os.File {
f, err := os.Create(file)
if err != nil {
panic(err)
}
return f
}
func main() {
s, err := os.Open("src")
if err != nil {
panic(err)
}
defer s.Close()
d := createFile("dst")
defer d.Close()
_, err = io.Copy(d, s)
if err != nil {
panic(err)
}
}
`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"fmt"
"path/filepath"
)
type foo struct {
}
func (f *foo) doSomething(silly string) error {
whoCares, err := filepath.Rel(THEWD, silly)
if err != nil {
return err
}
fmt.Printf("%s", whoCares)
return nil
}
func main() {
f := &foo{}
if err := f.doSomething("irrelevant"); err != nil {
panic(err)
}
}
`, `
package main
var THEWD string
`}, 0, gosec.NewConfig()},
}
)
Reference in New Issue View Git Blame Copy Permalink