From 905c174bfbf9dd0e9d5c37729603b944de819b51 Mon Sep 17 00:00:00 2001
From: Aisuko
Date: Wed, 15 Apr 2020 17:44:39 +0800
Subject: [PATCH] Add the G304 rule example

Signed-off-by: Aisuko
---
 .../g304_file-path_provided_as_taint_input.md | 60 +++++++++++++++++++
 website/sidebars.json | 3 +-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 docs/rules/g304_file-path_provided_as_taint_input.md

diff --git a/docs/rules/g304_file-path_provided_as_taint_input.md b/docs/rules/g304_file-path_provided_as_taint_input.md
new file mode 100644
index 0000000..3271ee4
--- /dev/null
+++ b/docs/rules/g304_file-path_provided_as_taint_input.md
@@ -0,0 +1,60 @@
+---
+id: g304
+title: G304: File path provided as taint input
+---
+
+Trying to open a file provided as an input in a variable. The content of this variable might be controlled by an attacker who could change it to hold unauthorised file paths form the system. In this way, it is possible to exfiltrate confidential information or such.
+
+## Example problematic code:
+
+```
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "strings"
+)
+
+func main() {
+ repoFile := "path_of_file"
+ byContext, err := ioutil.ReadFile(repoFile)
+ if err != nil {
+ panic(err)
+ }
+ fmt.Printf("%s", string(byContext))
+}
+```
+
+## Gosec command line output
+
+```
+[examples/main.go:11] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
+ > ioutil.ReadFile(repoFile)
+```
+
+## The right way
+
+```
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "path/filepath"
+ "strings"
+)
+
+func main() {
+ repoFile := "path_of_file"
+ byContext, err := ioutil.ReadFile(filepath.Clean(repoFile))
+ if err != nil {
+ panic(err)
+ }
+ fmt.Printf("%s", string(byContext))
+}
+```
+
+## See also
+
+* https://pkg.go.dev/path/filepath?tab=doc#Clean
\ No newline at end of file
diff --git a/website/sidebars.json b/website/sidebars.json
index 33ab95d..9f01709 100644
--- a/website/sidebars.json
+++ b/website/sidebars.json
@@ -7,7 +7,8 @@
 "rules/g103",
 "rules/g104",
 "rules/g107",
- "rules/g201-g202"
+ "rules/g201-g202",
+ "rules/g304"
 ]
 }
 }