Find G303 with filepath.Join'd temp dirs (#754)

securego · Jan 4, 2022 · 4c1afaa · 4c1afaa
1 parent 19bda8d
commit 4c1afaa
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/rules/tempfiles.go b/rules/tempfiles.go
@@ -71,6 +71,7 @@ func NewBadTempFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 	argCalls.Add("os", "TempDir")
 	nestedCalls := gosec.NewCallList()
 	nestedCalls.Add("path", "Join")
+	nestedCalls.Add("path/filepath", "Join")
 	return &badTempFile{
 		calls:       calls,
 		args:        regexp.MustCompile(`^(/(usr|var))?/tmp(/.*)?$`),

diff --git a/testutils/source.go b/testutils/source.go
@@ -1759,6 +1759,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path"
+	"path/filepath"
 )
 
 func main() {
@@ -1796,7 +1797,11 @@ func main() {
 	if err != nil {
 		fmt.Println("Error while writing!")
 	}
-}`}, 8, gosec.NewConfig()}}
+	err = os.WriteFile(filepath.Join(os.TempDir(), "demo2"), []byte("This is some data"), 0644)
+	if err != nil {
+		fmt.Println("Error while writing!")
+	}
+}`}, 9, gosec.NewConfig()}}
 
 	// SampleCodeG304 - potential file inclusion vulnerability
 	SampleCodeG304 = []CodeSample{{[]string{`