Initial SSRF Rule

securego · ccojocar · Sep 4, 2018 · Aug 30, 2018 · Aug 31, 2018 · Aug 31, 2018
commit 8bad224bfe905ce1ca0b54afe110b5746b938022
diff --git a/README.md b/README.md
@@ -41,12 +41,13 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
   - G104: Audit errors not checked
   - G105: Audit the use of math/big.Int.Exp
   - G106: Audit the use of ssh.InsecureIgnoreHostKey
+  - G107: Url provided to HTTP request as taint input
   - G201: SQL query construction using format string
   - G202: SQL query construction using string concatenation
   - G203: Use of unescaped data in HTML templates
   - G204: Audit use of command execution
   - G301: Poor file permissions used when creating a directory
-  - G302: Poor file permisions used with chmod
+  - G302: Poor file permissions used with chmod
   - G303: Creating tempfile using a predictable path
   - G304: File path provided as taint input
   - G305: File traversal when extracting zip archive
@@ -79,7 +80,7 @@ that are not considered build artifacts by the compiler (so test files).
 As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
 
 The annotation causes gosec to stop processing any further nodes within the
-AST so can apply to a whole block or more granularly to a single expression. 
+AST so can apply to a whole block or more granularly to a single expression.
 
 ```go
 
@@ -178,7 +179,7 @@ You can build the docker image as follows:
 make image
 ```
 
-You can run the `gosec` tool in a container against your local Go project. You just have to mount the project in the 
+You can run the `gosec` tool in a container against your local Go project. You just have to mount the project in the
 `GOPATH` of the container:
 
 ```

diff --git a/rules/rulelist.go b/rules/rulelist.go
@@ -65,6 +65,7 @@ func Generate(filters ...RuleFilter) RuleList {
 		{"G104", "Audit errors not checked", NewNoErrorCheck},
 		{"G105", "Audit the use of big.Exp function", NewUsingBigExp},
 		{"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
+		{"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},
 
 		// injection
 		{"G201", "SQL query construction using format string", NewSQLStrFormat},

diff --git a/rules/rules_test.go b/rules/rules_test.go
@@ -71,6 +71,10 @@ var _ = Describe("gosec rules", func() {
 			runner("G106", testutils.SampleCodeG106)
 		})
 
+		It("should detect ssrf via http requests with variable url", func() {
+			runner("G107", testutils.SampleCodeG107)
+		})
+
 		It("should detect sql injection via format strings", func() {
 			runner("G201", testutils.SampleCodeG201)
 		})

diff --git a/rules/ssrf.go b/rules/ssrf.go
@@ -0,0 +1,47 @@
+package rules
+
+import (
+	"github.com/GoASTScanner/gas"
+	"go/ast"
+	"go/types"
+)
+
+type ssrf struct {
+	gas.MetaData
+	gas.CallList
+}
+
+// ID returns the identifier for this rule
+func (r *ssrf) ID() string {
+	return r.MetaData.ID
+}
+
+// Match inspects AST nodes to determine if certain net/http methods are called with variable input
+func (r *ssrf) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
+	if node := r.ContainsCallExpr(n, c); node != nil {
+		for _, arg := range node.Args {
+			if ident, ok := arg.(*ast.Ident); ok {
+				obj := c.Info.ObjectOf(ident)
+				if _, ok := obj.(*types.Var); ok && !gas.TryResolve(ident, c) {
+					return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
+				}
+			}
+		}
+	}
+	return nil, nil
+}
+
+// NewSSRFCheck detects cases where HTTP requests are sent
+func NewSSRFCheck(id string, conf gas.Config) (gas.Rule, []ast.Node) {
+	rule := &ssrf{
+		CallList: gas.NewCallList(),
+		MetaData: gas.MetaData{
+			ID:         id,
+			What:       "Potential HTTP request made with variable url",
+			Severity:   gas.Medium,
+			Confidence: gas.Medium,
+		},
+	}
+	rule.Add("net/http", "Do", "Get", "Head", "Post", "PostForm", "RoundTrip")
+	return rule, []ast.Node{(*ast.CallExpr)(nil)}
+}
diff --git a/testutils/source.go b/testutils/source.go
@@ -191,6 +191,28 @@ import (
 )
 func main() {
         _ =  ssh.InsecureIgnoreHostKey()
+}`, 1}}
+
+	// SampleCodeG107 - SSRF via http requests with variable url
+	SampleCodeG107 = []CodeSample{{`
+package main
+import (
+"net/http"
+"io/ioutil"
+"fmt"
+)
+func main() {
+url := os.Getenv("tainted_url")
+resp, err := http.Get(url)
+if err != nil {
+	panic(err)
+}
+defer resp.Body.Close()
+body, err := ioutil.ReadAll(resp.Body)
+if err != nil {
+	panic(err)
+}
+fmt.Printf("%s", body)
 }`, 1}}
 	// SampleCodeG201 - SQL injection via format string
 	SampleCodeG201 = []CodeSample{