Enhance the hardcoded credentials rule to check the equality and non-equality of strings

Signed-off-by: Cosmin Cojocar <[email protected]>

Author: ccojocar

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d
 	github.com/onsi/ginkgo v1.12.0
 	github.com/onsi/gomega v1.9.0
+	github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f
 	github.com/stretchr/testify v1.4.0 // indirect
 	golang.org/x/text v0.3.2 // indirect
 	golang.org/x/tools v0.0.0-20200331202046-9d5940d49312

go.sum

@@ -31,6 +31,8 @@ github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg=
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f h1:tygelZueB1EtXkPI6mQ4o9DQ0+FKW41hTbunoXZCTqk=
+github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f/go.mod h1:AuYgA5Kyo4c7HfUmvRGs/6rGlMMV/6B1bVnB9JxJEEg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=

rules/hardcoded_credentials.go

@@ -16,6 +16,7 @@ package rules
 
 import (
 	"go/ast"
+	"go/token"
 	"regexp"
 	"strconv"
 
@@ -58,6 +59,8 @@ func (r *credentials) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, error
 		return r.matchAssign(node, ctx)
 	case *ast.ValueSpec:
 		return r.matchValueSpec(node, ctx)
+	case *ast.BinaryExpr:
+		return r.matchEqualityCheck(node, ctx)
 	}
 	return nil, nil
 }
@@ -96,6 +99,21 @@ func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Contex
 	return nil, nil
 }
 
+func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*gosec.Issue, error) {
+	if binaryExpr.Op == token.EQL || binaryExpr.Op == token.NEQ {
+		if ident, ok := binaryExpr.X.(*ast.Ident); ok {
+			if r.pattern.MatchString(ident.Name) {
+				if val, err := gosec.GetString(binaryExpr.Y); err == nil {
+					if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
+						return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil
+					}
+				}
+			}
+		}
+	}
+	return nil, nil
+}
+
 // NewHardcodedCredentials attempts to find high entropy string constants being
 // assigned to variables that appear to be related to credentials.
 func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
@@ -151,5 +169,5 @@ func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.No
 			Confidence: gosec.Low,
 			Severity:   gosec.High,
 		},
-	}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil)}
+	}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil), (*ast.BinaryExpr)(nil)}
 }

testutils/source.go

@@ -69,7 +69,34 @@ const (
 )
 func main() {
 	println(ATNStateTokenStart)
-}`}, 1, gosec.NewConfig()}}
+}`}, 1, gosec.NewConfig()},
+		{[]string{`
+package main
+import "fmt"
+func main() {
+	var password string
+	if password == "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
+		fmt.Println("password equality") 
+	}
+}`}, 1, gosec.NewConfig()},
+		{[]string{`
+package main
+import "fmt"
+func main() {
+	var password string
+	if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
+		fmt.Println("password equality") 
+	}
+}`}, 1, gosec.NewConfig()},
+		{[]string{`
+package main
+import "fmt"
+func main() {
+	var p string
+	if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
+		fmt.Println("password equality") 
+	}
+}`}, 0, gosec.NewConfig()}}
 
 	// SampleCodeG102 code snippets for network binding
 	SampleCodeG102 = []CodeSample{