From ea6d49d1b5ae4945cdd856f80e52e3ebba216019 Mon Sep 17 00:00:00 2001
From: Ziqi Zhao
Date: Tue, 26 Jul 2022 17:08:43 +0800
Subject: [PATCH] fix G204 bugs (#835)

Signed-off-by: Ziqi Zhao
---
 rules/subproc.go | 7 +++++++
 testutils/source.go | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/rules/subproc.go b/rules/subproc.go
index 5d7cadda96..2b6cb186cd 100644
--- a/rules/subproc.go
+++ b/rules/subproc.go
@@ -77,6 +77,13 @@ func (r *subprocess) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
 return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, gosec.High), nil
 }
 }
+ case *ast.ValueSpec:
+ _, valueSpec := ident.Obj.Decl.(*ast.ValueSpec)
+ if variable && valueSpec {
+ if !gosec.TryResolve(ident, c) {
+ return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, gosec.High), nil
+ }
+ }
 }
 }
 } else if !gosec.TryResolve(arg, c) {
diff --git a/testutils/source.go b/testutils/source.go
index 60ff25ed46..2b67b2e4bc 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -2018,6 +2018,28 @@ func main() {
 log.Printf("Command finished with error: %v", err)
 }
 `}, 1, gosec.NewConfig()},
+ {[]string{`
+// Initializing a local variable using a environmental
+// variable is consider as a dangerous user input
+package main
+
+import (
+ "log"
+ "os"
+ "os/exec"
+)
+
+func main() {
+ var run = "sleep" + os.Getenv("SOMETHING")
+ cmd := exec.Command(run, "5")
+ err := cmd.Start()
+ if err != nil {
+ log.Fatal(err)
+ }
+ log.Printf("Waiting for command to finish...")
+ err = cmd.Wait()
+ log.Printf("Command finished with error: %v", err)
+}`}, 1, gosec.NewConfig()},
 }
 
 // SampleCodeG301 - mkdir permission check
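Review bot: The `_, valueSpec := ident.Obj.Decl.(*ast.ValueSpec)` assertion and the `variable && valueSpec` guard inside the new `case *ast.ValueSpec:` look redundant: if the enclosing switch is a type switch over `ident.Obj.Decl` (its header and the `variable` flag are outside the hunk), both conditions already hold when the case is entered, and the body could be just `if !gosec.TryResolve(ident, c) { return gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, gosec.High), nil }`. Mirroring the sibling cases is a defensible consistency choice, but the dead check obscures that the real decision is made by `gosec.TryResolve`, which is not shown here. Whether TryResolve resolves a `var x = "literal"` declaration as constant decides whether this branch reports every var-declared command name, so a comment such as `// a var-declared argument is reported only when its initializer cannot be resolved to constants` would make that contract explicit. Match's body begins and ends outside the hunk.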
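Review bot: The new sample covers only the positive case (`var run = "sleep" + os.Getenv("SOMETHING")`, expecting 1 issue); a companion sample with a fully constant declaration such as `var run = "sleep"` and an expected count of 0 would pin that the new `*ast.ValueSpec` branch in rules/subproc.go does not flag every var-declared command argument. The comment inside the sample string also has two grammar slips and should read `// Initializing a local variable using an environment` and `// variable is considered as a dangerous user input`. The enclosing sample slice starts outside the hunk.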