// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "go/types" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type noErrorCheck struct { issue.MetaData whitelist gosec.CallList } func (r *noErrorCheck) ID() string { return r.MetaData.ID } func returnsError(callExpr *ast.CallExpr, ctx *gosec.Context) int { if tv := ctx.Info.TypeOf(callExpr); tv != nil { switch t := tv.(type) { case *types.Tuple: for pos := 0; pos < t.Len(); pos++ { variable := t.At(pos) if variable != nil && variable.Type().String() == "error" { return pos } } case *types.Named: if t.String() == "error" { return 0 } } } return -1 } func (r *noErrorCheck) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, error) { switch stmt := n.(type) { case *ast.AssignStmt: cfg := ctx.Config if enabled, err := cfg.IsGlobalEnabled(gosec.Audit); err == nil && enabled { for _, expr := range stmt.Rhs { if callExpr, ok := expr.(*ast.CallExpr); ok && r.whitelist.ContainsCallExpr(expr, ctx) == nil { pos := returnsError(callExpr, ctx) if pos < 0 || pos >= len(stmt.Lhs) { return nil, nil } if id, ok := stmt.Lhs[pos].(*ast.Ident); ok && id.Name == "_" { return ctx.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } } case *ast.ExprStmt: if callExpr, ok := stmt.X.(*ast.CallExpr); ok && r.whitelist.ContainsCallExpr(stmt.X, ctx) == nil { pos := returnsError(callExpr, ctx) if pos >= 0 { return ctx.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } return nil, nil } // NewNoErrorCheck detects if the returned error is unchecked func NewNoErrorCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { // TODO(gm) Come up with sensible defaults here. Or flip it to use a // black list instead. whitelist := gosec.NewCallList() whitelist.AddAll("bytes.Buffer", "Write", "WriteByte", "WriteRune", "WriteString") whitelist.AddAll("fmt", "Print", "Printf", "Println", "Fprint", "Fprintf", "Fprintln") whitelist.AddAll("strings.Builder", "Write", "WriteByte", "WriteRune", "WriteString") whitelist.Add("io.PipeWriter", "CloseWithError") whitelist.Add("hash.Hash", "Write") whitelist.Add("os", "Unsetenv") if configured, ok := conf[id]; ok { if whitelisted, ok := configured.(map[string]interface{}); ok { for pkg, funcs := range whitelisted { if funcs, ok := funcs.([]interface{}); ok { whitelist.AddAll(pkg, toStringSlice(funcs)...) } } } } return &noErrorCheck{ MetaData: issue.MetaData{ ID: id, Severity: issue.Low, Confidence: issue.High, What: "Errors unhandled", }, whitelist: whitelist, }, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ExprStmt)(nil)} } func toStringSlice(values []interface{}) []string { result := []string{} for _, value := range values { if value, ok := value.(string); ok { result = append(result, value) } } return result }