Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call

Author: ccojocar

rules/bind.go

@@ -37,9 +37,21 @@ func (r *bindsToAllNetworkInterfaces) Match(n ast.Node, c *gosec.Context) (*gose
 	if callExpr == nil {
 		return nil, nil
 	}
-	if arg, err := gosec.GetString(callExpr.Args[1]); err == nil {
-		if r.pattern.MatchString(arg) {
-			return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
+	if len(callExpr.Args) > 1 {
+		arg := callExpr.Args[1]
+		if bl, ok := arg.(*ast.BasicLit); ok {
+			if arg, err := gosec.GetString(bl); err == nil {
+				if r.pattern.MatchString(arg) {
+					return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
+				}
+			}
+		}
+	} else if len(callExpr.Args) > 0 {
+		values := gosec.GetCallStringArgsValues(callExpr.Args[0], c)
+		for _, value := range values {
+			if r.pattern.MatchString(value) {
+				return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
+			}
 		}
 	}
 	return nil, nil

testutils/source.go

@@ -98,6 +98,42 @@ func main() {
 		log.Fatal(err)
 	}
 	defer l.Close()
+}`}, 1},
+		// Bind to all networks indirectly through a parsing function
+		{[]string{`
+package main
+import (
+	"log"
+   	"net"
+)
+func parseListenAddr(listenAddr string) (network string, addr string) {
+	return "", ""
+}
+func main() {
+	addr := ":2000"
+	l, err := net.Listen(parseListenAddr(addr))
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer l.Close()
+}`}, 1},
+		// Bind to all networks indirectly through a parsing function
+		{[]string{`
+package main
+import (
+	"log"
+   	"net"
+)
+const addr = ":2000"
+func parseListenAddr(listenAddr string) (network string, addr string) {
+	return "", ""
+}
+func main() {
+	l, err := net.Listen(parseListenAddr(addr))
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer l.Close()
 }`}, 1},
 	}
 	// SampleCodeG103 find instances of unsafe blocks for auditing purposes