Skip to content

Fix false positives for SQL string concatenation with constants from another file #247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Sep 28, 2018
Merged

Fix false positives for SQL string concatenation with constants from another file #247

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
35bbb97
Allow for SQL concatenation of nodes that resolve to literals
wongherlung Sep 25, 2018
74bad7b
Fix typo in comment.
wongherlung Sep 25, 2018
3cd750d
Go through all files in package to resolve that identifier
wongherlung Sep 26, 2018
8dc54e5
Refactor code and added comments.
wongherlung Sep 26, 2018
13e2cbf
Changed checking to not var or func.
wongherlung Sep 26, 2018
04e1c2a
Allow for supporting code for test cases.
wongherlung Sep 28, 2018
6970dac
Merge branch 'master' into sql-string-concatenation
wongherlung Sep 28, 2018
bd870b9
Resolve merge conflict changes.
wongherlung Sep 28, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions analyzer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ type Context struct {
Comments ast.CommentMap
Info *types.Info
Pkg *types.Package
PkgFiles []*ast.File
Root *ast.File
Config map[string]interface{}
Imports *ImportTracker
Expand Down Expand Up @@ -139,6 +140,7 @@ func (gosec *Analyzer) Process(buildTags []string, packagePaths ...string) error
gosec.context.Root = file
gosec.context.Info = &pkg.Info
gosec.context.Pkg = pkg.Pkg
gosec.context.PkgFiles = pkg.Files
gosec.context.Imports = NewImportTracker()
gosec.context.Imports.TrackPackages(gosec.context.Pkg.Imports()...)
ast.Walk(gosec, file)
Expand Down
2 changes: 1 addition & 1 deletion resolve.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ func resolveCallExpr(n *ast.CallExpr, c *Context) bool {

// TryResolve will attempt, given a subtree starting at some ATS node, to resolve
// all values contained within to a known constant. It is used to check for any
// unkown values in compound expressions.
// unknown values in compound expressions.
func TryResolve(n ast.Node, c *Context) bool {
switch node := n.(type) {
case *ast.BasicLit:
Expand Down
11 changes: 9 additions & 2 deletions rules/sql.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,10 +51,17 @@ func (s *sqlStrConcat) ID() string {
}

// see if we can figure out what it is
func (s *sqlStrConcat) checkObject(n *ast.Ident) bool {
func (s *sqlStrConcat) checkObject(n *ast.Ident, c *gosec.Context) bool {
if n.Obj != nil {
return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to have a test for this use case.

Copy link
Contributor Author

@wongherlung wongherlung Sep 27, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I was thinking so too. But this test case spans across two files and I'm not sure how to do it. Let me try to figure it out.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can extend the sample.Code to support multiple files. The test package is built here:

gosec/rules/rules_test.go

Line 35 in 5f98926

pkg.AddFile(fmt.Sprintf("sample_%d.go", n), sample.Code)

In this file are the code samples defined:
https://github.com/securego/gosec/blob/master/testutils/source.go

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a new value to the CodeSample struct.

type CodeSample struct {
	Code           string
	Errors         int
	SupportingCode bool
}

Snippets that have it set to true will not be processed against the rules, but added to the same pkg as the other snippets to be processed together.

Not sure if this is this most elegant way to allow for testing with multiple files. Feedback will be welcomed!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine. You could have also use a Code []string. To keep multiple files. I will refactoring afterwards.

Thanks for providing the tests.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ahh yes. It's much better to use Code []string. If you are okay, can I help with the refactoring? for https://hacktoberfest.digitalocean.com/ 😂

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I refactored it in the PR #248

// Try to resolve unresolved identifiers using other files in same package
for _, file := range c.PkgFiles {
if node, ok := file.Scope.Objects[n.String()]; ok {
return node.Kind != ast.Var && node.Kind != ast.Fun
}
}
return false
}

Expand All @@ -69,7 +76,7 @@ func (s *sqlStrConcat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error)
if _, ok := node.Y.(*ast.BasicLit); ok {
return nil, nil // string cat OK
}
if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second) {
if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second, c) {
return nil, nil
}
return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
Expand Down