feature: add rule for trojan source (#1431)
* feature: add rule for trojan source * use bufio.Scanner for memory efficiency * Fix lint warnings Change-Id: Ic1df6704ba5ab8b1834d7765abd49494a98835f8 Signed-off-by: Cosmin Cojocar <ccojocar@google.com> --------- Signed-off-by: Cosmin Cojocar <ccojocar@google.com> Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
@@ -67,6 +67,7 @@ var ruleToCWE = map[string]string{
|
||||
"G112": "400",
|
||||
"G114": "676",
|
||||
"G115": "190",
|
||||
"G116": "838",
|
||||
"G201": "89",
|
||||
"G202": "89",
|
||||
"G203": "79",
|
||||
|
||||
@@ -76,6 +76,7 @@ func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList {
|
||||
{"G111", "Detect http.Dir('/') as a potential risk", NewDirectoryTraversal},
|
||||
{"G112", "Detect ReadHeaderTimeout not configured as a potential risk", NewSlowloris},
|
||||
{"G114", "Use of net/http serve function that has no support for setting timeouts", NewHTTPServeWithoutTimeouts},
|
||||
{"G116", "Detect Trojan Source attacks using bidirectional Unicode characters", NewTrojanSource},
|
||||
|
||||
// injection
|
||||
{"G201", "SQL query construction using format string", NewSQLStrFormat},
|
||||
|
||||
@@ -107,6 +107,10 @@ var _ = Describe("gosec rules", func() {
|
||||
runner("G114", testutils.SampleCodeG114)
|
||||
})
|
||||
|
||||
It("should detect Trojan Source attacks using bidirectional Unicode characters", func() {
|
||||
runner("G116", testutils.SampleCodeG116)
|
||||
})
|
||||
|
||||
It("should detect sql injection via format strings", func() {
|
||||
runner("G201", testutils.SampleCodeG201)
|
||||
})
|
||||
|
||||
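--- /dev/null
+++ b/rules/trojansource.go
@@ -0,0 +1,96 @@
+package rules
+
+import (
+	"go/ast"
+	"os"
+
+	"github.com/securego/gosec/v2"
+	"github.com/securego/gosec/v2/issue"
+)
+
+type trojanSource struct {
+	issue.MetaData
+	bidiChars map[rune]struct{}
+}
+
+func (r *trojanSource) ID() string {
+	return r.MetaData.ID
+}
+
+func (r *trojanSource) Match(node ast.Node, c *gosec.Context) (*issue.Issue, error) {
+	if file, ok := node.(*ast.File); ok {
+		fobj := c.FileSet.File(file.Pos())
+		if fobj == nil {
+			return nil, nil
+		}
+
+		content, err := os.ReadFile(fobj.Name())
+		if err != nil {
+			return nil, nil
+		}
+
+		for _, ch := range string(content) {
+			if _, exists := r.bidiChars[ch]; exists {
+				return c.NewIssue(node, r.ID(), r.What, r.Severity, r.Confidence), nil
+			}
+		}
+	}
+
+	return nil, nil
+}
+
+// func (r *trojanSource) Match(node ast.Node, c *gosec.Context) (*issue.Issue, error) {
+// if file, ok := node.(*ast.File); ok {
+// fobj := c.FileSet.File(file.Pos())
+// if fobj == nil {
+// return nil, nil
+// }
+
+// file, err := os.Open(fobj.Name())
+// if err != nil {
+// log.Fatal(err)
+// }
+
+// defer file.Close()
+
+// scanner := bufio.NewScanner(file)
+// for scanner.Scan() {
+// line := scanner.Text()
+// for _, ch := range line {
+// if _, exists := r.bidiChars[ch]; exists {
+// return c.NewIssue(node, r.ID(), r.What, r.Severity, r.Confidence), nil
+// }
+// }
+// }
+
+// if err := scanner.Err(); err != nil {
+// log.Fatal(err)
+// }
+// }
+
+// return nil, nil
+// }
+
+func NewTrojanSource(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
+	return &trojanSource{
+		MetaData: issue.MetaData{
+			ID: id,
+			Severity: issue.High,
+			Confidence: issue.Medium,
+			What: "Potential Trojan Source vulnerability via use of bidirectional text control characters",
+		},
+		bidiChars: map[rune]struct{}{
+			'\u202a': {},
+			'\u202b': {},
+			'\u202c': {},
+			'\u202d': {},
+			'\u202e': {},
+			'\u2066': {},
+			'\u2067': {},
+			'\u2068': {},
+			'\u2069': {},
+			'\u200e': {},
+			'\u200f': {},
+		},
+	}, []ast.Node{(*ast.File)(nil)}
+}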
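Review bot: The finding in Match is anchored on the `*ast.File` node, so the reported location will be the package clause rather than the line holding the bidi control, and the loop returns on the first hit, which leaves the user hunting a whole file for an invisible character. The loop already has the byte offset and `fobj` (a `*token.File`), so it can point at the character itself: `for off, ch := range string(content) {` … `pos := fobj.Pos(off)` … `return c.NewIssue(&ast.BadExpr{From: pos, To: pos}, r.ID(), r.What, r.Severity, r.Confidence), nil`, guarded by `off < fobj.Size()` in case the file on disk no longer matches what was parsed. A failure at `os.ReadFile` is silently turned into "no finding", which is the wrong default for a rule whose job is to catch hidden code; returning the error (`fmt.Errorf("G116: reading %s: %w", fobj.Name(), err)`) lets gosec surface it instead of reporting the file clean. The commented-out `bufio.Scanner` variant, including its `log.Fatal` calls, should be deleted; the commit message says the scanner is used for memory efficiency, but the live code reads the whole file with `os.ReadFile`, so message and code disagree. Finally, U+200E/U+200F (LRM/RLM) are plain directional marks that appear legitimately in localized string tables, unlike the override and isolate controls from the Trojan Source paper, so those two entries will produce false positives in i18n-heavy code and deserve either removal or a comment stating they are intentional.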
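--- /dev/null
+++ b/testutils/g116_samples.go
@@ -0,0 +1,83 @@
+package testutils
+
+import "github.com/securego/gosec/v2"
+
+// #nosec - This file intentionally contains bidirectional Unicode characters
+// for testing trojan source detection. The G116 rule scans the entire file content (not just AST nodes)
+// because trojan source attacks work by manipulating visual representation of code through bidirectional
+// text control characters, which can appear in comments, strings or anywhere in the source file.
+// Without this #nosec exclusion, gosec would detect these test samples as actual vulnerabilities.
+var (
+	// SampleCodeG116 - TrojanSource code snippets
+	SampleCodeG116 = []CodeSample{
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// This comment contains bidirectional unicode: access\u202e\u2066 granted\u2069\u202d\n\tisAdmin := false\n\tfmt.Println(\"Access status:\", isAdmin)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Trojan source with RLO character\n\taccessLevel := \"user\"\n\t// Actually assigns \"nimda\" due to bidi chars: accessLevel = \"\u202enimda\"\n\tif accessLevel == \"admin\" {\n\t\tfmt.Println(\"Access granted\")\n\t}\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// String with bidirectional override\n\tusername := \"admin\u202e \u2066Check if admin\u2069 \u2066\"\n\tpassword := \"secret\"\n\tfmt.Println(username, password)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains LRI (Left-to-Right Isolate) U+2066\n\tcomment := \"Safe comment \u2066with hidden text\u2069\"\n\tfmt.Println(comment)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains RLI (Right-to-Left Isolate) U+2067\n\tmessage := \"Normal text \u2067hidden\u2069\"\n\tfmt.Println(message)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains FSI (First Strong Isolate) U+2068\n\ttext := \"Text with \u2068hidden content\u2069\"\n\tfmt.Println(text)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains LRE (Left-to-Right Embedding) U+202A\n\tembedded := \"Text with \u202aembedded\u202c content\"\n\tfmt.Println(embedded)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains RLE (Right-to-Left Embedding) U+202B\n\trtlEmbedded := \"Text with \u202bembedded\u202c content\"\n\tfmt.Println(rtlEmbedded)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains PDF (Pop Directional Formatting) U+202C\n\tformatted := \"Text with \u202cformatting\"\n\tfmt.Println(formatted)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains LRO (Left-to-Right Override) U+202D\n\toverride := \"Text \u202doverride\"\n\tfmt.Println(override)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains RLO (Right-to-Left Override) U+202E\n\trloText := \"Text \u202eoverride\"\n\tfmt.Println(rloText)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains RLM (Right-to-Left Mark) U+200F\n\tmarked := \"Text \u200fmarked\"\n\tfmt.Println(marked)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{"\npackage main\n\nimport \"fmt\"\n\nfunc main() {\n\t// Contains LRM (Left-to-Right Mark) U+200E\n\tlrmText := \"Text \u200emarked\"\n\tfmt.Println(lrmText)\n}\n"}, 1, gosec.NewConfig()},
+		{[]string{`
+package main
+
+import "fmt"
+
+// Safe code without bidirectional characters
+func main() {
+	username := "admin"
+	password := "secret"
+	fmt.Println("Username:", username)
+	fmt.Println("Password:", password)
+}
+`}, 0, gosec.NewConfig()},
+		{[]string{`
+package main
+
+import "fmt"
+
+// Normal comment with regular text
+func main() {
+	// This is a safe comment
+	isAdmin := true
+	if isAdmin {
+		fmt.Println("Access granted")
+	}
+}
+`}, 0, gosec.NewConfig()},
+		{[]string{`
+package main
+
+import "fmt"
+
+func main() {
+	// Regular ASCII characters only
+	message := "Hello, World!"
+	fmt.Println(message)
+}
+`}, 0, gosec.NewConfig()},
+		{[]string{`
+package main
+
+import "fmt"
+
+func authenticateUser(username, password string) bool {
+	// Normal authentication logic
+	if username == "admin" && password == "secret" {
+		return true
+	}
+	return false
+}
+
+func main() {
+	result := authenticateUser("user", "pass")
+	fmt.Println("Authenticated:", result)
+}
+`}, 0, gosec.NewConfig()},
+	}
+)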
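Review bot: The `// #nosec` at the top of the file carries no rule ID, so if it is honoured it silences every gosec rule for the `var` block rather than only the one this file deliberately trips; scope it as `// #nosec G116 - This file intentionally contains bidirectional Unicode characters`. It is also not evident from this file that the suppression reaches the finding at all: the comment is a doc comment on the `var (` declaration, while G116 reports its issue on the `*ast.File` node, so a self-scan of the repository should be checked to come back clean rather than relying on the comment's explanation. The negative samples use only ASCII; adding one with ordinary non-ASCII text (an Arabic or Hebrew string with no directional control) would demonstrate that the rule distinguishes genuine RTL content from bidi controls. Each positive sample expects exactly 1 finding even when several controls are present, which silently pins the rule's return-on-first-match behaviour; a one-line comment such as `// one finding per file: the rule stops at the first bidi control` would keep a maintainer from being surprised when these counts change.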