Example #1
0
func (t *BadTempFile) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
	if node := gas.MatchCall(n, t.call); node != nil {
		if arg, _ := gas.GetString(node.Args[0]); t.args.MatchString(arg) {
			return gas.NewIssue(c, n, t.What, t.Severity, t.Confidence), nil
		}
	}
	return nil, nil
}
Example #2
0
func (r *FilePermissions) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
	if node := gas.MatchCall(n, r.pattern); node != nil {
		if val, err := gas.GetInt(node.Args[1]); err == nil && val > r.mode {
			return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
		}
	}
	return nil, nil
}
Example #3
0
File: rsa.go Project: vmware/vic 
func (w *WeakKeyStrength) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
	if node := gas.MatchCall(n, w.pattern); node != nil {
		if bits, err := gas.GetInt(node.Args[1]); err == nil && bits < (int64)(w.bits) {
			return gas.NewIssue(c, n, w.What, w.Severity, w.Confidence), nil
		}
	}
	return nil, nil
}
Example #4
0
File: sql.go Project: vmware/vic 
// Looks for "fmt.Sprintf("SELECT * FROM foo where '%s', userInput)"
func (s *SqlStrFormat) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
	if node := gas.MatchCall(n, s.call); node != nil {
		if arg, _ := gas.GetString(node.Args[0]); s.pattern.MatchString(arg) {
			return gas.NewIssue(c, n, s.What, s.Severity, s.Confidence), nil
		}
	}
	return nil, nil
}
Example #5
0
func (r *BlacklistImport) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
	if node, ok := n.(*ast.ImportSpec); ok {
		if r.Path == node.Path.Value {
			return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
		}
	}
	return nil, nil
}
Example #6
0
File: bind.go Project: vmware/vic 
func (r *BindsToAllNetworkInterfaces) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
	if node := gas.MatchCall(n, r.call); node != nil {
		if arg, err := gas.GetString(node.Args[1]); err == nil {
			if r.pattern.MatchString(arg) {
				return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
			}
		}
	}
	return
}
Example #7
0
File: rand.go Project: vmware/vic 
func (w *WeakRand) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
	if call := gas.MatchCall(n, w.pattern); call != nil {
		for _, pkg := range c.Pkg.Imports() {
			if pkg.Name() == w.packageName && pkg.Path() == w.packagePath {
				return gas.NewIssue(c, n, w.What, w.Severity, w.Confidence), nil
			}
		}
	}
	return nil, nil
}
Example #8
0
func (t *TemplateCheck) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
	if node := gas.MatchCall(n, t.call); node != nil {
		for _, arg := range node.Args {
			if _, ok := arg.(*ast.BasicLit); !ok { // basic lits are safe
				return gas.NewIssue(c, n, t.What, t.Severity, t.Confidence), nil
			}
		}
	}
	return nil, nil
}
Example #9
0
func (r *Subprocess) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
	if node := gas.MatchCall(n, r.pattern); node != nil {
		for _, arg := range node.Args {
			if !gas.TryResolve(arg, c) {
				what := "Subprocess launching with variable."
				return gas.NewIssue(c, n, what, gas.High, gas.High), nil
			}
		}

		// call with partially qualified command
		if str, err := gas.GetString(node.Args[0]); err == nil {
			if !strings.HasPrefix(str, "/") {
				what := "Subprocess launching with partial path."
				return gas.NewIssue(c, n, what, gas.Medium, gas.High), nil
			}
		}

		what := "Subprocess launching should be audited."
		return gas.NewIssue(c, n, what, gas.Low, gas.High), nil
	}
	return nil, nil
}
Example #10
0
File: errors.go Project: vmware/vic 
func (r *NoErrorCheck) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
	if node, ok := n.(*ast.AssignStmt); ok {
		sel := reflect.TypeOf(&ast.CallExpr{})
		if call, ok := gas.SimpleSelect(node.Rhs[0], sel).(*ast.CallExpr); ok {
			if t := c.Info.Types[call].Type; t != nil {
				if typeVal, typeErr := t.(*types.Tuple); typeErr {
					for i := 0; i < typeVal.Len(); i++ {
						if typeVal.At(i).Type().String() == "error" { // TODO(tkelsey): is there a better way?
							if id, ok := node.Lhs[i].(*ast.Ident); ok && id.Name == "_" {
								return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
							}
						}
					}
				} else if t.String() == "error" { // TODO(tkelsey): is there a better way?
					if id, ok := node.Lhs[0].(*ast.Ident); ok && id.Name == "_" {
						return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
					}
				}
			}
		}
	}
	return nil, nil
}
Example #11
0
File: tls.go Project: vmware/vic 
func (t *InsecureConfigTLS) processTlsCipherSuites(n ast.Node, c *gas.Context) *gas.Issue {
	a := reflect.TypeOf(&ast.KeyValueExpr{})
	b := reflect.TypeOf(&ast.CompositeLit{})
	if node, ok := gas.SimpleSelect(n, a, b).(*ast.CompositeLit); ok {
		for _, elt := range node.Elts {
			if ident, ok := elt.(*ast.SelectorExpr); ok {
				if !stringInSlice(ident.Sel.Name, t.goodCiphers) {
					str := fmt.Sprintf("TLS Bad Cipher Suite: %s", ident.Sel.Name)
					return gas.NewIssue(c, n, str, gas.High, gas.High)
				}
			}
		}
	}
	return nil
}
Example #12
0
func (r *CredsAssign) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
	if node, ok := n.(*ast.AssignStmt); ok {
		for _, i := range node.Lhs {
			if ident, ok := i.(*ast.Ident); ok {
				if r.pattern.MatchString(ident.Name) {
					for _, e := range node.Rhs {
						if _, ok := e.(*ast.BasicLit); ok {
							return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
						}
					}
				}
			}
		}
	}
	return
}
Example #13
0
File: sql.go Project: vmware/vic 
// Look for "SELECT * FROM table WHERE " + " ' OR 1=1"
func (s *SqlStrConcat) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
	if node, ok := n.(*ast.BinaryExpr); ok {
		if start, ok := node.X.(*ast.BasicLit); ok {
			if str, _ := gas.GetString(start); s.pattern.MatchString(str) {
				if _, ok := node.Y.(*ast.BasicLit); ok {
					return nil, nil // string cat OK
				}
				if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second) {
					return nil, nil
				}
				return gas.NewIssue(c, n, s.What, s.Severity, s.Confidence), nil
			}
		}
	}
	return nil, nil
}
Example #14
0
File: tls.go Project: vmware/vic 
func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Context) *gas.Issue {
	if ident, ok := n.Key.(*ast.Ident); ok {
		switch ident.Name {
		case "InsecureSkipVerify":
			if node, ok := n.Value.(*ast.Ident); ok {
				if node.Name != "false" {
					return gas.NewIssue(c, n, "TLS InsecureSkipVerify set true.", gas.High, gas.High)
				}
			} else {
				// TODO(tk): symbol tab look up to get the actual value
				return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)
			}

		case "MinVersion":
			if ival, ierr := gas.GetInt(n.Value); ierr == nil {
				if (int16)(ival) < t.MinVersion {
					return gas.NewIssue(c, n, "TLS MinVersion too low.", gas.High, gas.High)
				}
				// TODO(tk): symbol tab look up to get the actual value
				return gas.NewIssue(c, n, "TLS MinVersion may be too low.", gas.High, gas.Low)
			}

		case "MaxVersion":
			if ival, ierr := gas.GetInt(n.Value); ierr == nil {
				if (int16)(ival) < t.MaxVersion {
					return gas.NewIssue(c, n, "TLS MaxVersion too low.", gas.High, gas.High)
				}
				// TODO(tk): symbol tab look up to get the actual value
				return gas.NewIssue(c, n, "TLS MaxVersion may be too low.", gas.High, gas.Low)
			}

		case "CipherSuites":
			if ret := t.processTlsCipherSuites(n, c); ret != nil {
				return ret
			}
		}
	}
	return nil
}
Example #15
0
File: unsafe.go Project: vmware/vic 
func (r *UsingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
	if node := gas.MatchCall(n, r.pattern); node != nil {
		return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
	}
	return nil, nil
}
Example #16
0
func (r *UsesWeakCryptography) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
	if node := gas.MatchCall(n, r.pattern); node != nil {
		return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
	}
	return nil, nil
}