Files

 master

/

fileperms.go

Copy path

Blame

Blame

Latest commit

 

History

History

176 lines (159 loc) · 5.05 KB

 master

/

fileperms.go

Top

File metadata and controls

• Code
• Blame

176 lines (159 loc) · 5.05 KB

Raw

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

// http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.

package rules

import (

"fmt"

"go/ast"

"strconv"

"github.com/securego/gosec/v2"

"github.com/securego/gosec/v2/issue"

)

type filePermissions struct {

issue.MetaData

mode int64

pkgs []string

calls []string

}

// ID returns the ID of the rule.

func (r *filePermissions) ID() string {

return r.MetaData.ID

}

func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMode int64) int64 {

mode := defaultMode

if value, ok := conf[configKey]; ok {

switch value := value.(type) {

case int64:

mode = value

case string:

if m, e := strconv.ParseInt(value, 0, 64); e != nil {

mode = defaultMode

} else {

mode = m

}

}

}

return mode

}

func modeIsSubset(subset int64, superset int64) bool {

return (subset | superset) == superset

}

// Match checks if the rule is matched.

func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {

for _, pkg := range r.pkgs {

if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {

modeArg := callexpr.Args[len(callexpr.Args)-1]

if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) || isOsPerm(modeArg) {

return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil

}

}

}

return nil, nil

}

// isOsPerm check if the provide ast node contains a os.PermMode symbol

func isOsPerm(n ast.Node) bool {

if node, ok := n.(*ast.SelectorExpr); ok {

if identX, ok := node.X.(*ast.Ident); ok {

if identX.Name == "os" && node.Sel != nil && node.Sel.Name == "ModePerm" {

return true

}

}

}

return false

}

// NewWritePerms creates a rule to detect file Writes with bad permissions.

func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {

mode := getConfiguredMode(conf, id, 0o600)

return &filePermissions{

mode: mode,

pkgs: []string{"io/ioutil", "os"},

calls: []string{"WriteFile"},

MetaData: issue.MetaData{

ID: id,

Severity: issue.Medium,

Confidence: issue.High,

What: fmt.Sprintf("Expect WriteFile permissions to be %#o or less", mode),

},

}, []ast.Node{(*ast.CallExpr)(nil)}

}

// NewFilePerms creates a rule to detect file creation with a more permissive than configured

// permission mask.

func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {

mode := getConfiguredMode(conf, id, 0o600)

return &filePermissions{

mode: mode,

pkgs: []string{"os"},

calls: []string{"OpenFile", "Chmod"},

MetaData: issue.MetaData{

ID: id,

Severity: issue.Medium,

Confidence: issue.High,

What: fmt.Sprintf("Expect file permissions to be %#o or less", mode),

},

}, []ast.Node{(*ast.CallExpr)(nil)}

}

// NewMkdirPerms creates a rule to detect directory creation with more permissive than

// configured permission mask.

func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {

mode := getConfiguredMode(conf, id, 0o750)

return &filePermissions{

mode: mode,

pkgs: []string{"os"},

calls: []string{"Mkdir", "MkdirAll"},

MetaData: issue.MetaData{

ID: id,

Severity: issue.Medium,

Confidence: issue.High,

What: fmt.Sprintf("Expect directory permissions to be %#o or less", mode),

},

}, []ast.Node{(*ast.CallExpr)(nil)}

}

type osCreatePermissions struct {

issue.MetaData

mode int64

pkgs []string

calls []string

}

const defaultOsCreateMode = 0o666

// ID returns the ID of the rule.

func (r *osCreatePermissions) ID() string {

return r.MetaData.ID

}

// Match checks if the rule is matched.

func (r *osCreatePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {

for _, pkg := range r.pkgs {

if _, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {

if !modeIsSubset(defaultOsCreateMode, r.mode) {

return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil

}

}

}

return nil, nil

}

// NewOsCreatePerms creates a rule to detect file creation with a more permissive than configured

// permission mask.

func NewOsCreatePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {

mode := getConfiguredMode(conf, id, 0o666)

return &osCreatePermissions{

mode: mode,

pkgs: []string{"os"},

calls: []string{"Create"},

MetaData: issue.MetaData{

ID: id,

Severity: issue.Medium,

Confidence: issue.High,

What: fmt.Sprintf("Expect file permissions to be %#o or less but os.Create used with default permissions %#o",

mode, defaultOsCreateMode),

},

}, []ast.Node{(*ast.CallExpr)(nil)}

}