Add os.Create to the readfile rule (#761)

securego · Jan 12, 2022 · 7be6d4e · 7be6d4e
1 parent 75cc7dc
commit 7be6d4e
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 3 deletions.
diff --git a/cmd/gosec/main.go b/cmd/gosec/main.go
@@ -246,7 +246,7 @@ func printReport(format string, color bool, rootPaths []string, reportInfo *gose
 }
 
 func saveReport(filename, format string, rootPaths []string, reportInfo *gosec.ReportInfo) error {
-	outfile, err := os.Create(filename)
+	outfile, err := os.Create(filename) //#nosec G304
 	if err != nil {
 		return err
 	}

diff --git a/rules/readfile.go b/rules/readfile.go
@@ -125,5 +125,6 @@ func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 	rule.Add("os", "ReadFile")
 	rule.Add("os", "Open")
 	rule.Add("os", "OpenFile")
+	rule.Add("os", "Create")
 	return rule, []ast.Node{(*ast.CallExpr)(nil)}
 }
diff --git a/testutils/source.go b/testutils/source.go
@@ -1891,7 +1891,8 @@ func main() {
 }`}, 9, gosec.NewConfig()}}
 
 	// SampleCodeG304 - potential file inclusion vulnerability
-	SampleCodeG304 = []CodeSample{{[]string{`
+	SampleCodeG304 = []CodeSample{
+		{[]string{`
 package main
 
 import (
@@ -2086,7 +2087,38 @@ func main() {
     }
 }
 
-`}, 0, gosec.NewConfig()}}
+`}, 0, gosec.NewConfig()}, {[]string{`
+package main
+
+import (
+	"io"
+	"os"
+)
+
+func createFile(file string) *os.File {
+	f, err := os.Create(file)
+	if err != nil {
+		panic(err)
+	}
+	return f
+}
+
+func main() {
+	s, err := os.Open("src")
+	if err != nil {
+		panic(err)
+	}
+	defer s.Close()
+
+	d := createFile("dst")
+	defer d.Close()
+
+	_, err = io.Copy(d, s)
+	if  err != nil {
+		panic(err)
+	}
+}`}, 1, gosec.NewConfig()},
+	}
 
 	// SampleCodeG305 - File path traversal when extracting zip/tar archives
 	SampleCodeG305 = []CodeSample{{[]string{`