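package rules

import (
	"go/ast"
	"go/types"

	"github.com/securego/gosec"
)

// archive flags calls that join a filesystem path with a value taken from an
// archive entry (by default a field of *archive/zip.File) — the pattern behind
// "zip slip" path traversal, where an entry name such as ../../x escapes the
// extraction directory unless it is validated first.
type archive struct {
	gosec.MetaData
	calls   gosec.CallList // path-joining functions whose arguments are inspected
	argType string         // fully qualified type whose fields must not reach a join call unchecked
}

// ID returns the rule identifier assigned in NewArchive.
func (a *archive) ID() string {
	return a.MetaData.ID
}

// selectorBaseType returns the static type of the operand of a selector
// expression (the type of f in f.Name). It returns nil when expr is not a
// selector or when no type was recorded for the operand.
func selectorBaseType(expr ast.Expr, c *gosec.Context) types.Type {
	selector, ok := expr.(*ast.SelectorExpr)
	if !ok {
		return nil
	}
	return c.Info.TypeOf(selector.X)
}

// declaredValue resolves the expression an identifier was initialised with by
// following ident.Obj back to its declaring `x := expr` or `var x = expr`.
// In a multi-value form (a, b := e1, e2) the value at the identifier's own
// position is used when both sides pair up; otherwise the first value is used.
// It returns nil for any other declaration form (parameter, range clause,
// uninitialised var) so the caller simply finds no type.
func declaredValue(ident *ast.Ident) ast.Expr {
	if ident.Obj == nil || ident.Obj.Kind != ast.Var {
		return nil
	}
	switch decl := ident.Obj.Decl.(type) {
	case *ast.AssignStmt:
		idx := 0
		if len(decl.Lhs) == len(decl.Rhs) {
			for i, l := range decl.Lhs {
				if id, ok := l.(*ast.Ident); ok && id.Name == ident.Name {
					idx = i
					break
				}
			}
		}
		// Guard the index: a well-formed AssignStmt always has a Rhs, but
		// a malformed tree must not crash the linter.
		if idx < len(decl.Rhs) {
			return decl.Rhs[idx]
		}
	case *ast.ValueSpec:
		idx := 0
		if len(decl.Names) == len(decl.Values) {
			for i, name := range decl.Names {
				if name.Name == ident.Name {
					idx = i
					break
				}
			}
		}
		// `var x string` has no Values; only initialised vars are followed.
		if idx < len(decl.Values) {
			return decl.Values[idx]
		}
	}
	return nil
}

// Match reports an issue when the inspected node is a call to one of a.calls
// and any argument is either a field selected directly from a value of
// a.argType (e.g. f.Name) or an identifier whose declaration was initialised
// from such a selector. Only that single level of indirection is followed;
// values that flow through function calls or later reassignment are not
// detected, so a clean result is not proof of safe extraction.
func (a *archive) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
	node := a.calls.ContainsCallExpr(n, c)
	if node == nil {
		return nil, nil
	}
	for _, arg := range node.Args {
		argType := selectorBaseType(arg, c)
		if argType == nil {
			if ident, ok := arg.(*ast.Ident); ok {
				if value := declaredValue(ident); value != nil {
					argType = selectorBaseType(value, c)
				}
			}
		}
		if argType != nil && argType.String() == a.argType {
			return gosec.NewIssue(c, n, a.ID(), a.What, a.Severity, a.Confidence), nil
		}
	}
	return nil, nil
}

// NewArchive creates the rule that detects path traversal ("zip slip") when
// extracting zip archives: an entry name joined onto a destination path with
// filepath.Join or path.Join without first checking that the result stays
// inside the extraction directory. The conf argument is accepted for
// uniformity with other rule constructors and is not consulted. The returned
// node list restricts the walker to call expressions.
func NewArchive(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	calls := gosec.NewCallList()
	calls.Add("path/filepath", "Join")
	// Archive entry names are slash-separated, so path.Join is an equally
	// common (and equally unsafe) way to build the destination path.
	calls.Add("path", "Join")
	return &archive{
		calls:   calls,
		argType: "*archive/zip.File",
		MetaData: gosec.MetaData{
			ID:         id,
			Severity:   gosec.Medium,
			Confidence: gosec.High,
			What:       "File traversal when extracting zip archive",
		},
	}, []ast.Node{(*ast.CallExpr)(nil)}
}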