From c40493af8f481d0e6d98e6f2ddf9c67d2d37b940 Mon Sep 17 00:00:00 2001 From: William Bergeron-Drouin Date: Fri, 30 Aug 2024 09:32:07 -0400 Subject: [PATCH 1/4] Recursive fix --- analyzers/slice_bounds.go | 51 +++--- testutils/g602_samples.go | 326 ++++++++++++++++++++------------------ 2 files changed, 203 insertions(+), 174 deletions(-) diff --git a/analyzers/slice_bounds.go b/analyzers/slice_bounds.go index 08a55eb429..0f0699d45b 100644 --- a/analyzers/slice_bounds.go +++ b/analyzers/slice_bounds.go 
@@ -118,32 +118,41 @@ func runSliceBounds(pass *analysis.Pass) (interface{}, error) { if i == 1 { bound = invBound(bound) } - for _, instr := range block.Instrs { - if _, ok := issues[instr]; ok { - switch bound { - case lowerUnbounded: - break - case upperUnbounded, unbounded: - delete(issues, instr) - case upperBounded: - switch tinstr := instr.(type) { - case *ssa.Slice: - lower, upper := extractSliceBounds(tinstr) - if isSliceInsideBounds(0, value, lower, upper) { - delete(issues, instr) - } - case *ssa.IndexAddr: - indexValue, err := extractIntValue(tinstr.Index.String()) - if err != nil { - break - } - if isSliceIndexInsideBounds(0, value, indexValue) { - delete(issues, instr) + var processBlock func(block *ssa.BasicBlock) + processBlock = func(block *ssa.BasicBlock) { + for _, instr := range block.Instrs { + if _, ok := issues[instr]; ok { + switch bound { + case lowerUnbounded: + break + case upperUnbounded, unbounded: + delete(issues, instr) + case upperBounded: + switch tinstr := instr.(type) { + case *ssa.Slice: + lower, upper := extractSliceBounds(tinstr) + if isSliceInsideBounds(0, value, lower, upper) { + delete(issues, instr) + } + case *ssa.IndexAddr: + indexValue, err := extractIntValue(tinstr.Index.String()) + if err != nil { + break + } + if isSliceIndexInsideBounds(0, value, indexValue) { + delete(issues, instr) + } } } + } else if nestedIfInstr, ok := instr.(*ssa.If); ok { + for _, nestedBlock := range nestedIfInstr.Block().Succs { + processBlock(nestedBlock) + } } } } + + processBlock(block) } } diff --git a/testutils/g602_samples.go b/testutils/g602_samples.go index a963add6c8..4980267495 100644 --- a/testutils/g602_samples.go +++ b/testutils/g602_samples.go 
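Review bot: The `else if nestedIfInstr, ok := instr.(*ssa.If); ok` branch recurses into every successor of the nested If, including the edge by which control leaves the guarded branch: when an inner `if` is the last statement of the guarded body, its fall-through successor appears to be (after go/ssa's jump threading) the join block after the outer `if`, so accesses there are deleted from `issues` under a `bound` that does not dominate them and a real out-of-bounds access after the guard goes unreported. Capturing the guarded block before the closure, `guarded := block`, and recursing only when `guarded.Dominates(nestedBlock)` limits the suppression to code that can only execute under the condition. The recursion also has no termination guard other than reaching a block with no `*ssa.If`, so a CFG in which an If-terminated block is reachable from its own successors never returns; a `visited` set of `*ssa.BasicBlock` checked at the top of `processBlock` is the exact guard. Since the If belongs to the block being walked, `nestedIfInstr.Block().Succs` is just `block.Succs`. runSliceBounds, and the enclosing loop that supplies `i`, `bound` and `value`, start and end outside the hunk.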
@@ -5,205 +5,217 @@ import "github.com/securego/gosec/v2" // SampleCodeG602 - Slice access out of bounds var SampleCodeG602 = []CodeSample{ {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 0) + s := make([]byte, 0) - fmt.Println(s[:3]) + fmt.Println(s[:3]) -} -`}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 0) + s := make([]byte, 0) - fmt.Println(s[3:]) + fmt.Println(s[3:]) -} -`}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 16) + s := make([]byte, 16) - fmt.Println(s[:17]) + fmt.Println(s[:17]) -} -`}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 16) + s := make([]byte, 16) - fmt.Println(s[:16]) + fmt.Println(s[:16]) -} -`}, 0, gosec.NewConfig()}, + } + `}, 0, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 16) + s := make([]byte, 16) - fmt.Println(s[5:17]) + fmt.Println(s[5:17]) -} -`}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 4) + s := make([]byte, 4) - fmt.Println(s[3]) + fmt.Println(s[3]) -} -`}, 0, gosec.NewConfig()}, + } + `}, 0, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 4) + s := make([]byte, 4) - fmt.Println(s[5]) + fmt.Println(s[5]) -} -`}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func 
main() { + func main() { - s := make([]byte, 0) - s = make([]byte, 3) + s := make([]byte, 0) + s = make([]byte, 3) - fmt.Println(s[:3]) + fmt.Println(s[:3]) -} -`}, 0, gosec.NewConfig()}, + } + `}, 0, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 0, 4) + s := make([]byte, 0, 4) - fmt.Println(s[:3]) - fmt.Println(s[3]) + fmt.Println(s[:3]) + fmt.Println(s[3]) -} -`}, 0, gosec.NewConfig()}, + } + `}, 0, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 0, 4) + s := make([]byte, 0, 4) - fmt.Println(s[:5]) - fmt.Println(s[7]) + fmt.Println(s[:5]) + fmt.Println(s[7]) -} -`}, 2, gosec.NewConfig()}, + } + `}, 2, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]byte, 0, 4) - x := s[:2] - y := x[:10] - fmt.Println(y) -} -`}, 1, gosec.NewConfig()}, + s := make([]byte, 0, 4) + x := s[:2] + y := x[:10] + fmt.Println(y) + } + `}, 1, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]int, 0, 4) - doStuff(s) -} + s := make([]int, 0, 4) + doStuff(s) + } -func doStuff(x []int) { - newSlice := x[:10] - fmt.Println(newSlice) -} -`}, 1, gosec.NewConfig()}, + func doStuff(x []int) { + newSlice := x[:10] + fmt.Println(newSlice) + } + `}, 1, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { + func main() { - s := make([]int, 0, 30) - doStuff(s) - x := make([]int, 20) - y := x[10:] - doStuff(y) - z := y[5:] - doStuff(z) -} + s := make([]int, 0, 30) + doStuff(s) + x := make([]int, 20) + y := x[10:] + doStuff(y) + z := y[5:] + doStuff(z) + } -func doStuff(x []int) { - newSlice := x[:10] - fmt.Println(newSlice) - newSlice2 := x[:6] - fmt.Println(newSlice2) -} -`}, 2, gosec.NewConfig()}, + 
func doStuff(x []int) { + newSlice := x[:10] + fmt.Println(newSlice) + newSlice2 := x[:6] + fmt.Println(newSlice2) + } + `}, 2, gosec.NewConfig()}, {[]string{` -package main + package main + + import "fmt" + + func main() { + testMap := make(map[string]any, 0) + testMap["test1"] = map[string]interface{}{ + "test2": map[string]interface{}{ + "value": 0, + }, + } + fmt.Println(testMap) + } + `}, 0, gosec.NewConfig()}, + {[]string{` + package main -import "fmt" + import "fmt" -func main() { - testMap := make(map[string]any, 0) - testMap["test1"] = map[string]interface{}{ - "test2": map[string]interface{}{ - "value": 0, - }, - } - fmt.Println(testMap) -} -`}, 0, gosec.NewConfig()}, + func main() { + s := make([]byte, 0) + if len(s) > 0 { + fmt.Println(s[0]) + } + } + `}, 0, gosec.NewConfig()}, {[]string{` package main 
@@ -212,42 +224,50 @@ import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { - fmt.Println(s[0]) + switch s[0] { + case 0: + fmt.Println("zero") + return + default: + fmt.Println(s[0]) + return + } } } `}, 0, gosec.NewConfig()}, {[]string{` -package main + package main -import "fmt" + import "fmt" -func main() { - s := make([]byte, 0) - if len(s) > 0 { - fmt.Println("fake test") + func main() { + s := make([]byte, 0) + if len(s) > 0 { + fmt.Println("fake test") + } + fmt.Println(s[0]) } - fmt.Println(s[0]) -} -`}, 1, gosec.NewConfig()}, + `}, 1, gosec.NewConfig()}, {[]string{` -package main - -import "fmt" - -func main() { - s := make([]int, 16) - for i := 0; i < 17; i++ { - s = append(s, i) - } - if len(s) < 16 { - fmt.Println(s[10:16]) - } else { - fmt.Println(s[3:18]) - } - fmt.Println(s[0]) - for i := range s { - fmt.Println(s[i]) - } -} -`}, 0, gosec.NewConfig()}, + package main + + import "fmt" + + func main() { + s := make([]int, 16) + for i := 0; i < 17; i++ { + s = append(s, i) + } + if len(s) < 16 { + fmt.Println(s[10:16]) + } else { + fmt.Println(s[3:18]) + } + fmt.Println(s[0]) + for i := range s { + fmt.Println(s[i]) + } + } + + `}, 0, gosec.NewConfig()}, } From d780f2d62bfe738fc0846e3b75823df0e74ec9aa Mon Sep 17 00:00:00 2001 From: William Bergeron-Drouin Date: Fri, 30 Aug 2024 10:32:09 -0400 Subject: [PATCH 2/4] Add some more test cases --- testutils/g602_samples.go | 362 ++++++++++++++++++++++---------------- 1 file changed, 215 insertions(+), 147 deletions(-) diff --git a/testutils/g602_samples.go b/testutils/g602_samples.go index 4980267495..ba5873b8e1 100644 --- a/testutils/g602_samples.go +++ b/testutils/g602_samples.go 
@@ -5,203 +5,257 @@ import "github.com/securego/gosec/v2" // SampleCodeG602 - Slice access out of bounds var SampleCodeG602 = []CodeSample{ {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 0) + s := make([]byte, 0) - fmt.Println(s[:3]) + fmt.Println(s[:3]) - } - `}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 0) + s := make([]byte, 0) - fmt.Println(s[3:]) + fmt.Println(s[3:]) - } - `}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 16) + s := make([]byte, 16) - fmt.Println(s[:17]) + fmt.Println(s[:17]) - } - `}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 16) + s := make([]byte, 16) - fmt.Println(s[:16]) + fmt.Println(s[:16]) - } - `}, 0, gosec.NewConfig()}, + } + `}, 0, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 16) + s := make([]byte, 16) - fmt.Println(s[5:17]) + fmt.Println(s[5:17]) - } - `}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 4) + s := make([]byte, 4) - fmt.Println(s[3]) + fmt.Println(s[3]) - } - `}, 0, gosec.NewConfig()}, + } + `}, 0, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 4) + s := make([]byte, 4) - fmt.Println(s[5]) + fmt.Println(s[5]) - } - `}, 1, gosec.NewConfig()}, + } + `}, 1, gosec.NewConfig()}, {[]string{` - package main + package main - 
import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 0) - s = make([]byte, 3) + s := make([]byte, 0) + s = make([]byte, 3) - fmt.Println(s[:3]) + fmt.Println(s[:3]) - } - `}, 0, gosec.NewConfig()}, + } + `}, 0, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 0, 4) + s := make([]byte, 0, 4) - fmt.Println(s[:3]) - fmt.Println(s[3]) + fmt.Println(s[:3]) + fmt.Println(s[3]) - } - `}, 0, gosec.NewConfig()}, + } + `}, 0, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 0, 4) + s := make([]byte, 0, 4) - fmt.Println(s[:5]) - fmt.Println(s[7]) + fmt.Println(s[:5]) + fmt.Println(s[7]) - } - `}, 2, gosec.NewConfig()}, + } + `}, 2, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]byte, 0, 4) - x := s[:2] - y := x[:10] - fmt.Println(y) - } - `}, 1, gosec.NewConfig()}, + s := make([]byte, 0, 4) + x := s[:2] + y := x[:10] + fmt.Println(y) + } + `}, 1, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" - func main() { + func main() { - s := make([]int, 0, 4) - doStuff(s) - } + s := make([]int, 0, 4) + doStuff(s) + } - func doStuff(x []int) { - newSlice := x[:10] - fmt.Println(newSlice) - } - `}, 1, gosec.NewConfig()}, + func doStuff(x []int) { + newSlice := x[:10] + fmt.Println(newSlice) + } + `}, 1, gosec.NewConfig()}, + {[]string{` + package main + + import "fmt" + + func main() { + + s := make([]int, 0, 30) + doStuff(s) + x := make([]int, 20) + y := x[10:] + doStuff(y) + z := y[5:] + doStuff(z) + } + + func doStuff(x []int) { + newSlice := x[:10] + fmt.Println(newSlice) + newSlice2 := x[:6] + fmt.Println(newSlice2) + } + `}, 2, gosec.NewConfig()}, + {[]string{` + package main + + import "fmt" + + func main() { + testMap := 
make(map[string]any, 0) + testMap["test1"] = map[string]interface{}{ + "test2": map[string]interface{}{ + "value": 0, + }, + } + fmt.Println(testMap) + } + `}, 0, gosec.NewConfig()}, + {[]string{` + package main + + import "fmt" + + func main() { + s := make([]byte, 0) + if len(s) > 0 { + fmt.Println(s[0]) + } + } + `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { - - s := make([]int, 0, 30) - doStuff(s) - x := make([]int, 20) - y := x[10:] - doStuff(y) - z := y[5:] - doStuff(z) - } - - func doStuff(x []int) { - newSlice := x[:10] - fmt.Println(newSlice) - newSlice2 := x[:6] - fmt.Println(newSlice2) + s := make([]byte, 0) + if len(s) > 0 { + switch s[0] { + case 0: + fmt.Println("zero") + return + default: + fmt.Println(s[0]) + return + } + } } - `}, 2, gosec.NewConfig()}, + `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { - testMap := make(map[string]any, 0) - testMap["test1"] = map[string]interface{}{ - "test2": map[string]interface{}{ - "value": 0, - }, + s := make([]byte, 0) + if len(s) > 0 { + switch s[0] { + case 0: + b := true + if b == true { + // Should work for many-levels of nesting when the condition is not on the target slice + fmt.Println(s[0]) + } + return + default: + fmt.Println(s[0]) + return + } } - fmt.Println(testMap) } `}, 0, gosec.NewConfig()}, {[]string{` @@ -212,7 +266,10 @@ var SampleCodeG602 = []CodeSample{ func main() { s := make([]byte, 0) if len(s) > 0 { - fmt.Println(s[0]) + if len(s) > 1 { + fmt.Println(s[1]) + } + fmt.Println(s[0]) } } `}, 0, gosec.NewConfig()}, 
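Review bot: None of the added samples exercises an access after a guarded `if` whose body ends in an inner `if`, which is the shape where a walk of nested-If successors can reach the join block past the guard and wrongly clear the finding; the existing `fake test` sample only covers a guard with a flat body. A sample with `s := make([]byte, 0)` guarded by `if len(s) > 0`, whose body is only `b := true; if b == true { fmt.Println("x") }`, followed by `fmt.Println(s[0])` outside the guard, should keep expecting 1 issue and would pin the analyzer to the sound direction. The `// Should error` and `// Should work for many-levels of nesting …` comments inside the sample strings are helpful; the other new samples would read better with a similar one-line comment naming the rule each one pins. The hunk at `@@ -222,52 +279,63 @@` has the same gap.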
@@ -222,52 +279,63 @@ package main import "fmt" func main() { - s := make([]byte, 0) - if len(s) > 0 { - switch s[0] { - case 0: - fmt.Println("zero") - return - default: - fmt.Println(s[0]) - return - } - } + s := make([]byte, 2) + fmt.Println(s[1]) + s = make([]byte, 0) + fmt.Println(s[1]) } -`}, 0, gosec.NewConfig()}, +`}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { - s := make([]byte, 0) - if len(s) > 0 { - fmt.Println("fake test") - } - fmt.Println(s[0]) + s := make([]byte, 0) + if len(s) > 0 { + if len(s) > 4 { + fmt.Println(s[3]) + } else { + // Should error + fmt.Println(s[2]) + } + fmt.Println(s[0]) + } } `}, 1, gosec.NewConfig()}, {[]string{` - package main + package main - import "fmt" + import "fmt" func main() { - s := make([]int, 16) - for i := 0; i < 17; i++ { - s = append(s, i) - } - if len(s) < 16 { - fmt.Println(s[10:16]) - } else { - fmt.Println(s[3:18]) + s := make([]byte, 0) + if len(s) > 0 { + fmt.Println("fake test") } fmt.Println(s[0]) - for i := range s { - fmt.Println(s[i]) - } } - + `}, 1, gosec.NewConfig()}, + {[]string{` + package main + + import "fmt" + + func main() { + s := make([]int, 16) + for i := 0; i < 17; i++ { + s = append(s, i) + } + if len(s) < 16 { + fmt.Println(s[10:16]) + } else { + fmt.Println(s[3:18]) + } + fmt.Println(s[0]) + for i := range s { + fmt.Println(s[i]) + } + } + `}, 0, gosec.NewConfig()}, } From b0e51bd9fad4813c48f17a5111e749bbf1223d80 Mon Sep 17 00:00:00 2001 From: William Bergeron-Drouin Date: Fri, 30 Aug 2024 10:58:15 -0400 Subject: [PATCH 3/4] Fix formatting --- testutils/g602_samples.go | 462 +++++++++++++++++++------------------- 1 file changed, 231 insertions(+), 231 deletions(-) diff --git a/testutils/g602_samples.go b/testutils/g602_samples.go index ba5873b8e1..c0fee62949 100644 --- a/testutils/g602_samples.go +++ b/testutils/g602_samples.go 
@@ -5,337 +5,337 @@ import "github.com/securego/gosec/v2" // SampleCodeG602 - Slice access out of bounds var SampleCodeG602 = []CodeSample{ {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 0) + s := make([]byte, 0) - fmt.Println(s[:3]) + fmt.Println(s[:3]) - } - `}, 1, gosec.NewConfig()}, +} +`}, 1, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 0) + s := make([]byte, 0) - fmt.Println(s[3:]) + fmt.Println(s[3:]) - } - `}, 1, gosec.NewConfig()}, +} +`}, 1, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 16) + s := make([]byte, 16) - fmt.Println(s[:17]) + fmt.Println(s[:17]) - } - `}, 1, gosec.NewConfig()}, +} +`}, 1, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 16) + s := make([]byte, 16) - fmt.Println(s[:16]) + fmt.Println(s[:16]) - } - `}, 0, gosec.NewConfig()}, +} +`}, 0, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 16) + s := make([]byte, 16) - fmt.Println(s[5:17]) + fmt.Println(s[5:17]) - } - `}, 1, gosec.NewConfig()}, +} +`}, 1, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 4) + s := make([]byte, 4) - fmt.Println(s[3]) + fmt.Println(s[3]) - } - `}, 0, gosec.NewConfig()}, +} +`}, 0, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 4) + s := make([]byte, 4) - fmt.Println(s[5]) + fmt.Println(s[5]) - } - `}, 1, gosec.NewConfig()}, +} +`}, 1, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func 
main() { +func main() { - s := make([]byte, 0) - s = make([]byte, 3) + s := make([]byte, 0) + s = make([]byte, 3) - fmt.Println(s[:3]) + fmt.Println(s[:3]) - } - `}, 0, gosec.NewConfig()}, +} +`}, 0, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 0, 4) + s := make([]byte, 0, 4) - fmt.Println(s[:3]) - fmt.Println(s[3]) + fmt.Println(s[:3]) + fmt.Println(s[3]) - } - `}, 0, gosec.NewConfig()}, +} +`}, 0, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 0, 4) + s := make([]byte, 0, 4) - fmt.Println(s[:5]) - fmt.Println(s[7]) + fmt.Println(s[:5]) + fmt.Println(s[7]) - } - `}, 2, gosec.NewConfig()}, +} +`}, 2, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]byte, 0, 4) - x := s[:2] - y := x[:10] - fmt.Println(y) - } - `}, 1, gosec.NewConfig()}, + s := make([]byte, 0, 4) + x := s[:2] + y := x[:10] + fmt.Println(y) +} +`}, 1, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { +func main() { - s := make([]int, 0, 4) - doStuff(s) - } + s := make([]int, 0, 4) + doStuff(s) +} - func doStuff(x []int) { - newSlice := x[:10] - fmt.Println(newSlice) - } - `}, 1, gosec.NewConfig()}, +func doStuff(x []int) { + newSlice := x[:10] + fmt.Println(newSlice) +} +`}, 1, gosec.NewConfig()}, {[]string{` - package main +package main + +import "fmt" - import "fmt" +func main() { - func main() { + s := make([]int, 0, 30) + doStuff(s) + x := make([]int, 20) + y := x[10:] + doStuff(y) + z := y[5:] + doStuff(z) +} - s := make([]int, 0, 30) - doStuff(s) - x := make([]int, 20) - y := x[10:] - doStuff(y) - z := y[5:] - doStuff(z) - } +func doStuff(x []int) { + newSlice := x[:10] + fmt.Println(newSlice) + newSlice2 := x[:6] + fmt.Println(newSlice2) +} +`}, 2, gosec.NewConfig()}, 
+ {[]string{` +package main - func doStuff(x []int) { - newSlice := x[:10] - fmt.Println(newSlice) - newSlice2 := x[:6] - fmt.Println(newSlice2) - } - `}, 2, gosec.NewConfig()}, +import "fmt" + +func main() { + testMap := make(map[string]any, 0) + testMap["test1"] = map[string]interface{}{ + "test2": map[string]interface{}{ + "value": 0, + }, + } + fmt.Println(testMap) +} +`}, 0, gosec.NewConfig()}, {[]string{` - package main - - import "fmt" - - func main() { - testMap := make(map[string]any, 0) - testMap["test1"] = map[string]interface{}{ - "test2": map[string]interface{}{ - "value": 0, - }, - } - fmt.Println(testMap) - } - `}, 0, gosec.NewConfig()}, +package main + +import "fmt" + +func main() { + s := make([]byte, 0) + if len(s) > 0 { + fmt.Println(s[0]) + } +} +`}, 0, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { - s := make([]byte, 0) - if len(s) > 0 { - fmt.Println(s[0]) - } +func main() { + s := make([]byte, 0) + if len(s) > 0 { + switch s[0] { + case 0: + fmt.Println("zero") + return + default: + fmt.Println(s[0]) + return } - `}, 0, gosec.NewConfig()}, - {[]string{` - package main - - import "fmt" - - func main() { - s := make([]byte, 0) - if len(s) > 0 { - switch s[0] { - case 0: - fmt.Println("zero") - return - default: - fmt.Println(s[0]) - return - } - } } - `}, 0, gosec.NewConfig()}, +} +`}, 0, gosec.NewConfig()}, {[]string{` - package main - - import "fmt" - - func main() { - s := make([]byte, 0) - if len(s) > 0 { - switch s[0] { - case 0: - b := true - if b == true { - // Should work for many-levels of nesting when the condition is not on the target slice - fmt.Println(s[0]) - } - return - default: +package main + +import "fmt" + +func main() { + s := make([]byte, 0) + if len(s) > 0 { + switch s[0] { + case 0: + b := true + if b == true { + // Should work for many-levels of nesting when the condition is not on the target slice fmt.Println(s[0]) - return } - } + return + default: + 
fmt.Println(s[0]) + return + } } - `}, 0, gosec.NewConfig()}, +} +`}, 0, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { - s := make([]byte, 0) - if len(s) > 0 { - if len(s) > 1 { - fmt.Println(s[1]) - } - fmt.Println(s[0]) - } +func main() { + s := make([]byte, 0) + if len(s) > 0 { + if len(s) > 1 { + fmt.Println(s[1]) + } + fmt.Println(s[0]) } - `}, 0, gosec.NewConfig()}, +} +`}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { - s := make([]byte, 2) - fmt.Println(s[1]) - s = make([]byte, 0) - fmt.Println(s[1]) +s := make([]byte, 2) +fmt.Println(s[1]) +s = make([]byte, 0) +fmt.Println(s[1]) } `}, 1, gosec.NewConfig()}, {[]string{` - package main - - import "fmt" - - func main() { - s := make([]byte, 0) - if len(s) > 0 { - if len(s) > 4 { - fmt.Println(s[3]) - } else { - // Should error - fmt.Println(s[2]) - } - fmt.Println(s[0]) - } +package main + +import "fmt" + +func main() { + s := make([]byte, 0) + if len(s) > 0 { + if len(s) > 4 { + fmt.Println(s[3]) + } else { + // Should error + fmt.Println(s[2]) + } + fmt.Println(s[0]) } - `}, 1, gosec.NewConfig()}, +} +`}, 1, gosec.NewConfig()}, {[]string{` - package main +package main - import "fmt" +import "fmt" - func main() { - s := make([]byte, 0) - if len(s) > 0 { - fmt.Println("fake test") - } - fmt.Println(s[0]) - } - `}, 1, gosec.NewConfig()}, +func main() { + s := make([]byte, 0) + if len(s) > 0 { + fmt.Println("fake test") + } + fmt.Println(s[0]) +} +`}, 1, gosec.NewConfig()}, {[]string{` - package main - - import "fmt" - - func main() { - s := make([]int, 16) - for i := 0; i < 17; i++ { - s = append(s, i) - } - if len(s) < 16 { - fmt.Println(s[10:16]) - } else { - fmt.Println(s[3:18]) - } - fmt.Println(s[0]) - for i := range s { - fmt.Println(s[i]) - } - } +package main + +import "fmt" + +func main() { + s := make([]int, 16) + for i := 0; i < 17; i++ { + s = append(s, i) + } + if len(s) < 16 { + fmt.Println(s[10:16]) + } else 
{ + fmt.Println(s[3:18]) + } + fmt.Println(s[0]) + for i := range s { + fmt.Println(s[i]) + } +} - `}, 0, gosec.NewConfig()}, +`}, 0, gosec.NewConfig()}, } From cd0c651080c805ab1d72c1d853bcf6c83479344e Mon Sep 17 00:00:00 2001 From: William Bergeron-Drouin Date: Tue, 3 Sep 2024 08:48:00 -0400 Subject: [PATCH 4/4] Add depth check --- analyzers/slice_bounds.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/analyzers/slice_bounds.go b/analyzers/slice_bounds.go index 0f0699d45b..968102f268 100644 --- a/analyzers/slice_bounds.go +++ b/analyzers/slice_bounds.go @@ -118,8 +118,12 @@ func runSliceBounds(pass *analysis.Pass) (interface{}, error) { if i == 1 { bound = invBound(bound) } - var processBlock func(block *ssa.BasicBlock) - processBlock = func(block *ssa.BasicBlock) { + var processBlock func(block *ssa.BasicBlock, depth int) + processBlock = func(block *ssa.BasicBlock, depth int) { + if depth == maxDepth { + return + } + depth++ for _, instr := range block.Instrs { if _, ok := issues[instr]; ok { switch bound { @@ -146,13 +150,13 @@ func runSliceBounds(pass *analysis.Pass) (interface{}, error) { } } else if nestedIfInstr, ok := instr.(*ssa.If); ok { for _, nestedBlock := range nestedIfInstr.Block().Succs { - processBlock(nestedBlock) + processBlock(nestedBlock, depth) } } } } - processBlock(block) + processBlock(block, 0) } }
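Review bot: The depth cap added at the top of `processBlock` (`if depth == maxDepth { return }`) stops the stack overflow but not the underlying repetition: a block reachable through several nested-If edges is re-walked on every path up to `maxDepth` levels, and once the cap is hit in a legitimately deep nesting the remaining accesses simply keep their issue (a spurious warning rather than a missed one, which is at least the safe direction). A visited set keyed by `*ssa.BasicBlock`, captured by the closure and checked before the loop, terminates cycles exactly and visits each block once, which makes `depth` and `maxDepth` unnecessary; `maxDepth` is not visible in the hunk, and if it can ever be 0 the `==` test also silently disables the whole walk, so `>=` would be the safer comparison if the counter is kept. The same change applies to the second hunk, where `processBlock(nestedBlock, depth)` and `processBlock(block, 0)` become `processBlock(nestedBlock)` and `processBlock(block)`; even with a visited set, successors that leave the guarded branch still need a dominance filter before their issues are cleared. runSliceBounds starts and ends outside both hunks.
```go
		visited := map[*ssa.BasicBlock]bool{}
		var processBlock func(block *ssa.BasicBlock)
		processBlock = func(block *ssa.BasicBlock) {
			// Each block is filtered once per guarded branch; this also ends cycles in the CFG.
			if visited[block] {
				return
			}
			visited[block] = true
			for _, instr := range block.Instrs {
				// … unchanged: issue filtering by bound, recursion via processBlock(nestedBlock) …
```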