Merge pull request #109 from GoASTScanner/bugfix

gcmurphy · web-flow · commit 0545d13d8aac · 2017-01-11T10:03:53.000-08:00
Ensure hardcoded credentials check only considers constant strings
diff --git a/rules/hardcoded_credentials.go b/rules/hardcoded_credentials.go
@@ -41,7 +41,7 @@ func (r *Credentials) matchAssign(assign *ast.AssignStmt, ctx *gas.Context) (*ga
 		if ident, ok := i.(*ast.Ident); ok {
 			if r.pattern.MatchString(ident.Name) {
 				for _, e := range assign.Rhs {
-					if _, ok := e.(*ast.BasicLit); ok {
+					if rhs, ok := e.(*ast.BasicLit); ok && rhs.Kind == token.STRING {
 						return gas.NewIssue(ctx, assign, r.What, r.Severity, r.Confidence), nil
 					}
 				}
@@ -63,7 +63,7 @@ func (r *Credentials) matchGenDecl(decl *ast.GenDecl, ctx *gas.Context) (*gas.Is
 					if len(valueSpec.Values) <= index {
 						index = len(valueSpec.Values) - 1
 					}
-					if _, ok := valueSpec.Values[index].(*ast.BasicLit); ok {
+					if rhs, ok := valueSpec.Values[index].(*ast.BasicLit); ok && rhs.Kind == token.STRING {
 						return gas.NewIssue(ctx, decl, r.What, r.Severity, r.Confidence), nil
 					}
 				}
diff --git a/rules/hardcoded_credentials_test.go b/rules/hardcoded_credentials_test.go
@@ -111,3 +111,36 @@ func TestHardecodedVarsNotAssigned(t *testing.T) {
 		}`, analyzer)
 	checkTestResults(t, issues, 1, "Potential hardcoded credentials")
 }
+
+func TestHardcodedConstInteger(t *testing.T) {
+	config := map[string]interface{}{"ignoreNosec": false}
+	analyzer := gas.NewAnalyzer(config, nil)
+	analyzer.AddRule(NewHardcodedCredentials(config))
+	issues := gasTestRunner(`
+		package main
+
+		const (
+			ATNStateSomethingElse = 1
+			ATNStateTokenStart = 42
+		)
+		func main() {
+			println(ATNStateTokenStart)
+		}`, analyzer)
+	checkTestResults(t, issues, 0, "Potential hardcoded credentials")
+}
+
+func TestHardcodedConstString(t *testing.T) {
+	config := map[string]interface{}{"ignoreNosec": false}
+	analyzer := gas.NewAnalyzer(config, nil)
+	analyzer.AddRule(NewHardcodedCredentials(config))
+	issues := gasTestRunner(`
+		package main
+
+		const (
+			ATNStateTokenStart = "foo bar"
+		)
+		func main() {
+			println(ATNStateTokenStart)
+		}`, analyzer)
+	checkTestResults(t, issues, 1, "Potential hardcoded credentials")
+}

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ func (r Credentials) matchAssign(assign ast.AssignStmt, ctx gas.Context) (ga`
`41`	`41`	`if ident, ok := i.(*ast.Ident); ok {`
`42`	`42`	`if r.pattern.MatchString(ident.Name) {`
`43`	`43`	`for _, e := range assign.Rhs {`
`44`		`- if _, ok := e.(*ast.BasicLit); ok {`
	`44`	`+ if rhs, ok := e.(*ast.BasicLit); ok && rhs.Kind == token.STRING {`
`45`	`45`	`return gas.NewIssue(ctx, assign, r.What, r.Severity, r.Confidence), nil`
`46`	`46`	`}`
`47`	`47`	`}`
`@@ -63,7 +63,7 @@ func (r Credentials) matchGenDecl(decl ast.GenDecl, ctx gas.Context) (gas.Is`
`63`	`63`	`if len(valueSpec.Values) <= index {`
`64`	`64`	`index = len(valueSpec.Values) - 1`
`65`	`65`	`}`
`66`		`- if _, ok := valueSpec.Values[index].(*ast.BasicLit); ok {`
	`66`	`+ if rhs, ok := valueSpec.Values[index].(*ast.BasicLit); ok && rhs.Kind == token.STRING {`
`67`	`67`	`return gas.NewIssue(ctx, decl, r.What, r.Severity, r.Confidence), nil`
`68`	`68`	`}`
`69`	`69`	`}`