Update Go fileread rule to include "os.ReadFile" for CWE-22

Jamie Reid requested to merge jr-update-go-fileread-rule into main

The current go/filesystem/rule-filereadtaint.yml rule doesn't pick up on os.ReadFile calls as a path traversal risk. This MR introduces similar exclusions as used for os.OpenFile, and a pattern match looking for "os.ReadFile($ARG, ...)" where an arg is not bounded by Clean/Rel or other protections.
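The call shape this rule is described as targeting, next to a bounded form, as an added Go example (not code from the merge request or the rule's own test files). `readUnbounded`, `readBounded` and `demo` are hypothetical names, and the temp-directory layout is constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// readUnbounded: caller-supplied name reaches os.ReadFile with no Clean/Rel bounding.
func readUnbounded(baseDir, name string) ([]byte, error) {
	return os.ReadFile(baseDir + string(filepath.Separator) + name)
}

// readBounded: Join (which also cleans), then Rel confirms the result stays under baseDir.
func readBounded(baseDir, name string) ([]byte, error) {
	full := filepath.Join(baseDir, name)
	rel, err := filepath.Rel(baseDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, errors.New("path escapes base directory")
	}
	return os.ReadFile(full)
}

// demo builds <tmp>/secret.txt and <tmp>/base/public.txt (constructed), then requests both.
func demo() (leaked, blocked, served bool, err error) {
	tmp, err := os.MkdirTemp("", "fileread-demo")
	if err != nil {
		return
	}
	defer os.RemoveAll(tmp)
	base := filepath.Join(tmp, "base")
	if err = os.Mkdir(base, 0o700); err != nil {
		return
	}
	if err = os.WriteFile(filepath.Join(tmp, "secret.txt"), []byte("secret"), 0o600); err != nil {
		return
	}
	if err = os.WriteFile(filepath.Join(base, "public.txt"), []byte("public"), 0o600); err != nil {
		return
	}
	_, e1 := readUnbounded(base, "../secret.txt") // resolves outside base
	_, e2 := readBounded(base, "../secret.txt")   // rejected before any read
	_, e3 := readBounded(base, "public.txt")      // legitimate file still served
	return e1 == nil, e2 != nil, e3 == nil, nil
}

func main() { fmt.Println(demo()) }
```

The `Rel` check is lexical only: it does not resolve symlinks that already exist under the base directory.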
