Skip to content

Commit

Permalink
Catch os.ModePerm permissions in os.WriteFile
Browse files Browse the repository at this point in the history
Signed-off-by: Cosmin Cojocar <[email protected]>
  • Loading branch information
ccojocar committed May 14, 2024
1 parent dc5e5a9 commit 6fbd381
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion rules/fileperms.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,14 +61,26 @@ func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, err
for _, pkg := range r.pkgs {
if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
modeArg := callexpr.Args[len(callexpr.Args)-1]
if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) {
if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) || isOsPerm(modeArg) {
return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
}
}
}
return nil, nil
}

// isOsPerm check if the provide ast node contains a os.PermMode symbol
func isOsPerm(n ast.Node) bool {
if node, ok := n.(*ast.SelectorExpr); ok {
if identX, ok := node.X.(*ast.Ident); ok {
if identX.Name == "os" && node.Sel != nil && node.Sel.Name == "ModePerm" {
return true
}
}
}
return false
}

// NewWritePerms creates a rule to detect file Writes with bad permissions.
func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
mode := getConfiguredMode(conf, id, 0o600)
Expand Down

0 comments on commit 6fbd381

Please sign in to comment.