Enhance Go semgrep rules
Problem
While updating the descriptions for semgrep's Go rules, a number of rules were identified for removal or enhancement.
Enhancement
- go/file_permissions/rule-fileperm.yml - I disagree with this rule, we should only flag if the permissions are excessive, such as 777
- go/file_permissions/rule-mkdir.yml - same as above
- go/filesystem/rule-decompression_bomb.yml - should add a sanitizer of io.LimitReader
- go/filesystem/rule-dirtraversal.yml - this is not a relative path traversal, this is exposing the filesystem to potentially all users, need to update title
- go/filesystem/rule-filereadtaint.yml - this is not using taint analysis mode, it should be updated (also using ioutil functions which are deprecated)
- go/filesystem/rule-poorwritepermissions.yml - should have the same owasp field as fileperm and should be in file_permissions directory??? owasp: "A6:2017-Security Misconfiguration"
- go/filesystem/rule-poorwritepermissions.yml - also needs to be updated to check for os.WriteFile as ioutil.WriteFile is deprecated
- go/filesystem/rule-tempfiles.yml - uses deprecated ioutil package
- go/filesystem/rule-ziparchive.yml - does not include sanitizers, says tar archive but only checks for zip
- go/http/rule-slowloris.yml - should be merged with http_serve
- go/injection/rule-ssrf.yml - incorrect CWE, missing http.NewRequestWithContext sink
- go/leak/rule-pprof_endpoint.yml - possible FP as an http Server needs to be started too
- go/memory/rule-math_big_rat.yml - should be removed as this only affects older Go versions, the description is completely wrong as well
- go/memory/rule-memoryaliasing.yml - should be enhanced to allow taking address of indexed variables `res := callFunc(&slice[i])`
- go/network/rule-bind_to_all_interfaces.yml - doesn't check for binding all interfaces by empty addr and just port ":8080" ???
- go/sql/rule-format_string_sqli.yml - should be merged with concat_sqli.yml
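To illustrate the io.LimitReader sanitizer proposed for rule-decompression_bomb.yml, here is an added Go example (not code from the rule set or from GitLab) showing the unbounded pattern the rule should flag next to the bounded form it should treat as sanitized. The function names and the constructed gzip input are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"io"
)

// ErrTooLarge is returned when the decompressed output exceeds the cap.
var ErrTooLarge = errors.New("decompressed data exceeds limit")

// makeGzipBlob is a constructed test input: n zero bytes gzipped, which
// compresses to a tiny blob regardless of n (the shape of a decompression bomb).
func makeGzipBlob(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(make([]byte, n))
	zw.Close()
	return buf.Bytes()
}

// decompressUnbounded is the pattern the rule should flag: output size is
// dictated entirely by the compressed input the caller received.
func decompressUnbounded(compressed []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// decompressBounded is the sanitized form: io.LimitReader caps reads at
// maxBytes+1, and the extra byte tells truncation apart from an exact fit.
func decompressBounded(compressed []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	out, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrTooLarge
	}
	return out, nil
}
```

A semgrep sanitizer for this rule would match the `io.LimitReader(...)` wrapper so that the bounded form is not reported while the plain `io.ReadAll(zr)` / `io.Copy` form still is.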
//cc @gitlab-org/secure/vulnerability-research @connorgilbert @theoretick
Edited by Michael Henriksen