diff --git a/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml b/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml new file mode 100644 index 00000000..e182d352 --- /dev/null +++ b/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml 
@@ -0,0 +1,95 @@ +id: gorilla-cookie-store-hardcoded-session-key-go +language: go +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. It is + recommended to rotate the secret and retrieve them from a secure secret + vault or Hardware Security Module (HSM), alternatively environment + variables can be used if allowed by your company policy. +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + +ast-grep-essentials: true + +utils: + MATCH_PATTERN_ONE: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: selector_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^sessions$ + - has: + stopBy: neighbor + kind: field_identifier + regex: ^NewCookieStore$ + - has: + stopBy: neighbor + kind: argument_list + any: + - all: + - has: + stopBy: neighbor + kind: type_conversion_expression + all: + - has: + stopBy: neighbor + kind: slice_type + has: + stopBy: neighbor + kind: type_identifier + regex: ^byte$ + - not: + has: + stopBy: neighbor + kind: call_expression + - has: + stopBy: neighbor + kind: interpreted_string_literal + - has: + nthChild: + position: 1 + ofRule: + not: + kind: comment + kind: interpreted_string_literal + - any: + - follows: + stopBy: end + kind: import_declaration + has: + stopBy: end + kind: import_spec + has: + stopBy: neighbor + regex: ^"github.com/gorilla/sessions"$ + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + stopBy: end + kind: import_spec + has: + stopBy: neighbor + regex: ^"github.com/gorilla/sessions"$ +rule: + kind: call_expression + matches: MATCH_PATTERN_ONE + not: + all: + - has: + stopBy: end + kind: ERROR + - inside: + stopBy: end + kind: ERROR 
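Review bot: Both argument branches of MATCH_PATTERN_ONE accept only `kind: interpreted_string_literal`, so a session key written as a raw (backtick) string literal parses as `raw_string_literal` in tree-sitter-go and is not reported, although it is just as hard-coded as the double-quoted form the tests cover. Replacing each `kind: interpreted_string_literal` with `any: [{kind: interpreted_string_literal}, {kind: raw_string_literal}]` closes the gap without weakening the `not: has: kind: call_expression` exclusion that keeps `[]byte(os.Getenv(...))` clean. The first `any` branch under the import guard applies `follows: kind: import_declaration` directly to the call_expression, which is never a sibling of the import block, so it appears to be dead; only the `inside: ... follows:` branch does the work and the first could be dropped. The generic vault wording in `message` would be more actionable if it pointed at gorilla's own `securecookie.GenerateRandomKey` as the way to mint a replacement key.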
diff --git a/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml b/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml new file mode 100644 index 00000000..692aa796 --- /dev/null +++ b/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml 
@@ -0,0 +1,84 @@ +id: gorilla-csrf-hardcoded-auth-key-go +language: go +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. It is + recommended to rotate the secret and retrieve them from a secure secret + vault or Hardware Security Module (HSM), alternatively environment + variables can be used if allowed by your company policy. +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + +ast-grep-essentials: true + +utils: + MATCH_PATTERN_ONE: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: selector_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^csrf$ + - has: + stopBy: neighbor + kind: field_identifier + regex: ^Protect + - has: + stopBy: neighbor + kind: argument_list + any: + - has: + stopBy: neighbor + nthChild: + position: 1 + ofRule: + not: + kind: comment + kind: type_conversion_expression + all: + - has: + stopBy: neighbor + kind: slice_type + has: + stopBy: neighbor + kind: type_identifier + regex: ^byte$ + - has: + stopBy: neighbor + kind: interpreted_string_literal + - has: + stopBy: neighbor + kind: interpreted_string_literal + nthChild: + position: 1 + ofRule: + not: + kind: comment + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + has: + stopBy: end + kind: import_spec + regex: ^"github.com/gorilla/csrf"$ +rule: + kind: call_expression + matches: MATCH_PATTERN_ONE + not: + all: + - has: + stopBy: end + kind: ERROR + - inside: + stopBy: end + kind: ERROR diff --git a/rules/go/security/grpc-client-insecure-connection-go.yml b/rules/go/security/grpc-client-insecure-connection-go.yml new file mode 100644 index 00000000..36cc447e --- /dev/null 
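Review bot: The rule is bound to the literal package identifier `regex: ^csrf$` and to an `import_spec` text of `^"github.com/gorilla/csrf"$`, so an aliased import (`c "github.com/gorilla/csrf"` followed by `c.Protect([]byte("..."))`) matches neither and is silently skipped; that is an accepted ast-grep limitation, but it deserves a comment above `MATCH_PATTERN_ONE` such as `# only unaliased imports of gorilla/csrf are recognised`. As in the sibling cookie-store rule, both argument branches accept only `interpreted_string_literal`, so a raw (backtick) key escapes detection; `any: [{kind: interpreted_string_literal}, {kind: raw_string_literal}]` in both places would cover it. Since gorilla/csrf documents a 32-byte auth key, the `message` could add that the rotated value should be 32 random bytes rather than an arbitrary environment string.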
+++ b/rules/go/security/grpc-client-insecure-connection-go.yml @@ -0,0 +1,66 @@ +id: grpc-client-insecure-connection-go +language: go +severity: warning +message: >- + Found an insecure gRPC connection using 'grpc.WithInsecure()'. This + creates a connection without encryption to a gRPC server. A malicious + attacker could tamper with the gRPC message, which could compromise the + machine. Instead, establish a secure connection with an SSL certificate + using the 'grpc.WithTransportCredentials()' function. You can create a + create credentials using a 'tls.Config{}' struct with + 'credentials.NewTLS()'. The final fix looks like this: + 'grpc.WithTransportCredentials(credentials.NewTLS())'. +note: >- + [CWE-300] Channel Accessible by Non-Endpoint. + [REFERENCES] + - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption + +ast-grep-essentials: true + +rule: + kind: call_expression + all: + - has: + kind: selector_expression + all: + - has: + kind: identifier + pattern: $GRPC + nthChild: 1 + - has: + kind: field_identifier + nthChild: 2 + regex: ^Dial$ + - has: + kind: argument_list + all: + - has: + nthChild: + position: 1 + ofRule: + not: + kind: comment + - has: + kind: call_expression + all: + - has: + kind: selector_expression + all: + - has: + kind: identifier + pattern: $GRPC + nthChild: 1 + - has: + kind: field_identifier + nthChild: 2 + regex: ^WithInsecure$ + - has: + kind: argument_list + - not: + all: + - has: + stopBy: end + kind: ERROR + - has: + stopBy: end + kind: ERROR \ No newline at end of file diff --git a/rules/go/security/use-of-weak-rsa-key-go.yml b/rules/go/security/use-of-weak-rsa-key-go.yml new file mode 100644 index 00000000..88a003f5 --- /dev/null +++ b/rules/go/security/use-of-weak-rsa-key-go.yml 
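Review bot: The dialer match is `regex: ^Dial$`, so `grpc.DialContext(ctx, addr, grpc.WithInsecure())` and the newer `grpc.NewClient(addr, grpc.WithInsecure())` are not reported; widening it to `regex: ^(Dial|DialContext|NewClient)$` is a one-line fix. `grpc.WithInsecure()` is deprecated in favour of `grpc.WithTransportCredentials(insecure.NewCredentials())`, which produces the same plaintext channel and is invisible to this rule, so either a companion match or a comment naming that blind spot is needed. The trailing `not: all:` lists `has: stopBy: end kind: ERROR` twice where the sibling rules use `has` followed by `inside`; the second entry looks like a copy error and should read `inside:`. The `message` also says "You can create a create credentials" and recommends `credentials.NewTLS()` without its required argument — `credentials.NewTLS(&tls.Config{...})` is the working form.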
@@ -0,0 +1,270 @@ +id: use-of-weak-rsa-key-go +language: go +severity: warning +message: >- + RSA keys should be at least 2048 bits. +note: >- + [CWE-326] Inadequate Encryption Strength. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms + +ast-grep-essentials: true + +utils: + statement_match_pattern_int_literal: + kind: int_literal + pattern: $BITS + inside: + stopBy: neighbor + kind: argument_list + inside: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: selector_expression + regex: ^rsa.GenerateKey$|^rsa.GenerateMultiPrimeKey$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: neighbor + pattern: $BITS + not: + precedes: + stopBy: end + pattern: $SET + all: + - not: + has: + stopBy: end + kind: ERROR + - not: + precedes: + stopBy: end + pattern: $BITS + - not: + inside: + stopBy: neighbor + kind: argument_list + follows: + stopBy: neighbor + kind: selector_expression + regex: ^.rsa.GenerateKey$ + inside: + stopBy: end + kind: call_expression + inside: + stopBy: end + kind: call_expression + has: + stopBy: neighbor + kind: selector_expression + regex: .*rsa.GenerateKey + precedes: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + pattern: $BITS + - not: + inside: + stopBy: end + kind: binary_expression + - not: + inside: + stopBy: end + kind: unary_expression + # - not: + # inside: + # stopBy: end + # kind: call_expression + # has: + # stopBy: neighbor + # kind: selector_expression + # inside: + # stopBy: end + # kind: argument_list + # has: + # stopBy: end + # pattern: $BITS + statement_match_pattern_unary_expression: + kind: unary_expression + pattern: $BITS + inside: + stopBy: neighbor + kind: argument_list + inside: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: selector_expression + regex: ^rsa.GenerateKey$|^rsa.GenerateMultiPrimeKey$ + - has: + stopBy: neighbor + kind: argument_list + 
has: + stopBy: neighbor + pattern: $BITS + not: + precedes: + stopBy: end + pattern: $SET + all: + - not: + has: + stopBy: end + kind: ERROR + - not: + precedes: + stopBy: end + pattern: $BITS + - not: + inside: + stopBy: neighbor + kind: argument_list + follows: + stopBy: neighbor + kind: selector_expression + regex: .rsa.GenerateKey + inside: + stopBy: end + kind: call_expression + inside: + stopBy: end + kind: call_expression + has: + stopBy: end + kind: selector_expression + regex: .*rsa.GenerateKey + precedes: + stopBy: end + kind: argument_list + has: + stopBy: end + pattern: $BITS + - not: + inside: + stopBy: end + kind: binary_expression + statement_match_pattern_float_literal: + kind: float_literal + pattern: $BITS + inside: + stopBy: neighbor + kind: argument_list + inside: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: selector_expression + regex: ^rsa.GenerateKey$|^rsa.GenerateMultiPrimeKey$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: neighbor + pattern: $BITS + not: + precedes: + stopBy: end + pattern: $SET + all: + - not: + has: + stopBy: end + kind: ERROR + - not: + precedes: + stopBy: end + pattern: $BITS + - not: + inside: + stopBy: end + kind: call_expression + inside: + stopBy: end + kind: call_expression + has: + stopBy: end + kind: selector_expression + regex: ^rsa.GenerateKey|rsa.GenerateMultiPrimeKey$ + not: + inside: + stopBy: end + any: + - kind: binary_expression + - kind: unary_expression + statement_match_pattern_binary_expression: + kind: binary_expression + pattern: $BITS + inside: + stopBy: neighbor + kind: argument_list + inside: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: selector_expression + regex: ^rsa.GenerateKey$|^rsa.GenerateMultiPrimeKey$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: neighbor + pattern: $BITS + not: + precedes: + stopBy: end + pattern: $SET + all: + - not: + has: + stopBy: end + kind: 
ERROR + - not: + precedes: + stopBy: end + pattern: $BITS + - not: + inside: + stopBy: end + kind: call_expression + inside: + stopBy: end + kind: call_expression + has: + stopBy: end + kind: selector_expression + regex: ^rsa.GenerateKey|rsa.GenerateMultiPrimeKey$ + not: + inside: + stopBy: end + kind: unary_expression +rule: + any: + - kind: int_literal + matches: statement_match_pattern_int_literal + - kind: float_literal + matches: statement_match_pattern_float_literal + - kind: unary_expression + matches: statement_match_pattern_unary_expression + - kind: binary_expression + matches: statement_match_pattern_binary_expression + not: + has: + stopBy: end + kind: ERROR +constraints: + BITS: + any: + - regex: ^([+-]?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|([+-]?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|[+-]?(\.[0-9]+)|([+-]?\.[0-9]+\/[1-9][0-9]*))$ + - regex: ^-\d+(\.\d+)?(/(\d+(\.\d+)?))?$ + diff --git a/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml b/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml new file mode 100644 index 00000000..19e8085e --- /dev/null +++ b/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml 
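Review bot: The `statement_match_pattern_binary_expression` arm cannot fold constants, and the `BITS` constraint only recognises an `N/D` quotient judged by its numerator, so `rsa.GenerateKey(rand.Reader, 4096/4)`, `512*2` and `1<<10` all produce 1024-bit keys yet none is reported, while a size held in a variable is out of reach entirely. The arm is sound (a numerator below 2048 divided by a positive integer stays below 2048) but its coverage should be stated next to it, e.g. `# binary_expression arm only catches N/D with N < 2048; products, shifts and non-literal sizes are not evaluated`. The commented-out `# - not: inside: ... pattern: $BITS` block left inside `statement_match_pattern_int_literal` is dead configuration and should be removed rather than shipped. The unescaped `.` in `^rsa.GenerateKey$|^rsa.GenerateMultiPrimeKey$` is harmless here, but `^rsa\.GenerateKey$|^rsa\.GenerateMultiPrimeKey$` says what is meant.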
@@ -0,0 +1,223 @@ +id: gorilla-cookie-store-hardcoded-session-key-go +snapshots: + ? | + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + var storeHardcoded = sessions.NewCookieStore([]byte("hardcoded-session-key")) + : labels: + - source: sessions.NewCookieStore([]byte("hardcoded-session-key")) + style: primary + start: 85 + end: 141 + - source: sessions + style: secondary + start: 85 + end: 93 + - source: NewCookieStore + style: secondary + start: 94 + end: 108 + - source: sessions.NewCookieStore + style: secondary + start: 85 + end: 108 + - source: byte + style: secondary + start: 111 + end: 115 + - source: '[]byte' + style: secondary + start: 109 + end: 115 + - source: '"hardcoded-session-key"' + style: secondary + start: 116 + end: 139 + - source: '[]byte("hardcoded-session-key")' + style: secondary + start: 109 + end: 140 + - source: ([]byte("hardcoded-session-key")) + style: secondary + start: 108 + end: 141 + - source: '"github.com/gorilla/sessions"' + style: secondary + start: 32 + end: 61 + - source: '"github.com/gorilla/sessions"' + style: secondary + start: 32 + end: 61 + - source: |- + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + style: secondary + start: 0 + end: 63 + - source: |- + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + style: secondary + start: 0 + end: 63 + ? 
|- + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + var storeMultipleHardcoded = sessions.NewCookieStore( + []byte("old-authentication-key"), + []byte("old-encryption-key"), + ) + : labels: + - source: |- + sessions.NewCookieStore( + []byte("old-authentication-key"), + []byte("old-encryption-key"), + ) + style: primary + start: 93 + end: 185 + - source: sessions + style: secondary + start: 93 + end: 101 + - source: NewCookieStore + style: secondary + start: 102 + end: 116 + - source: sessions.NewCookieStore + style: secondary + start: 93 + end: 116 + - source: byte + style: secondary + start: 121 + end: 125 + - source: '[]byte' + style: secondary + start: 119 + end: 125 + - source: '"old-authentication-key"' + style: secondary + start: 126 + end: 150 + - source: '[]byte("old-authentication-key")' + style: secondary + start: 119 + end: 151 + - source: |- + ( + []byte("old-authentication-key"), + []byte("old-encryption-key"), + ) + style: secondary + start: 116 + end: 185 + - source: '"github.com/gorilla/sessions"' + style: secondary + start: 32 + end: 61 + - source: '"github.com/gorilla/sessions"' + style: secondary + start: 32 + end: 61 + - source: |- + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + style: secondary + start: 0 + end: 63 + - source: |- + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + style: secondary + start: 0 + end: 63 + ? 
| + import ( + "github.com/gorilla/sessions" + ) + var store = sessions.NewCookieStore([]byte("hardcoded-session-key-here")) + var store = sessions.NewCookieStore( + []byte("new-authentication-key"), + []byte("new-encryption-key"), + []byte("old-authentication-key"), + []byte("old-encryption-key"), + ) + : labels: + - source: sessions.NewCookieStore([]byte("hardcoded-session-key-here")) + style: primary + start: 53 + end: 114 + - source: sessions + style: secondary + start: 53 + end: 61 + - source: NewCookieStore + style: secondary + start: 62 + end: 76 + - source: sessions.NewCookieStore + style: secondary + start: 53 + end: 76 + - source: byte + style: secondary + start: 79 + end: 83 + - source: '[]byte' + style: secondary + start: 77 + end: 83 + - source: '"hardcoded-session-key-here"' + style: secondary + start: 84 + end: 112 + - source: '[]byte("hardcoded-session-key-here")' + style: secondary + start: 77 + end: 113 + - source: ([]byte("hardcoded-session-key-here")) + style: secondary + start: 76 + end: 114 + - source: '"github.com/gorilla/sessions"' + style: secondary + start: 9 + end: 38 + - source: '"github.com/gorilla/sessions"' + style: secondary + start: 9 + end: 38 + - source: |- + import ( + "github.com/gorilla/sessions" + ) + style: secondary + start: 0 + end: 40 + - source: |- + import ( + "github.com/gorilla/sessions" + ) + style: secondary + start: 0 + end: 40 diff --git a/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml b/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml new file mode 100644 index 00000000..2e20a442 --- /dev/null +++ b/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml 
@@ -0,0 +1,128 @@ +id: gorilla-csrf-hardcoded-auth-key-go +snapshots: + ? |- + import ( + "github.com/gorilla/csrf" + ) + func main() { + http.ListenAndServe(":8000", + csrf.Protect([]byte("32-byte-long-auth-key"))(r)) + } + : labels: + - source: csrf.Protect([]byte("32-byte-long-auth-key")) + style: primary + start: 84 + end: 129 + - source: csrf + style: secondary + start: 84 + end: 88 + - source: Protect + style: secondary + start: 89 + end: 96 + - source: csrf.Protect + style: secondary + start: 84 + end: 96 + - source: byte + style: secondary + start: 99 + end: 103 + - source: '[]byte' + style: secondary + start: 97 + end: 103 + - source: '"32-byte-long-auth-key"' + style: secondary + start: 104 + end: 127 + - source: '[]byte("32-byte-long-auth-key")' + style: secondary + start: 97 + end: 128 + - source: ([]byte("32-byte-long-auth-key")) + style: secondary + start: 96 + end: 129 + - source: '"github.com/gorilla/csrf"' + style: secondary + start: 9 + end: 34 + - source: |- + import ( + "github.com/gorilla/csrf" + ) + style: secondary + start: 0 + end: 36 + - source: |- + import ( + "github.com/gorilla/csrf" + ) + style: secondary + start: 0 + end: 36 + ? 
|- + import ( + "github.com/gorilla/csrf" + ) + func main() { + http.ListenAndServe(":8000", + csrf.Protect([]byte("32-byte-long-auth-key"))(r)) + } + : labels: + - source: csrf.Protect([]byte("32-byte-long-auth-key")) + style: primary + start: 84 + end: 129 + - source: csrf + style: secondary + start: 84 + end: 88 + - source: Protect + style: secondary + start: 89 + end: 96 + - source: csrf.Protect + style: secondary + start: 84 + end: 96 + - source: byte + style: secondary + start: 99 + end: 103 + - source: '[]byte' + style: secondary + start: 97 + end: 103 + - source: '"32-byte-long-auth-key"' + style: secondary + start: 104 + end: 127 + - source: '[]byte("32-byte-long-auth-key")' + style: secondary + start: 97 + end: 128 + - source: ([]byte("32-byte-long-auth-key")) + style: secondary + start: 96 + end: 129 + - source: '"github.com/gorilla/csrf"' + style: secondary + start: 9 + end: 34 + - source: |- + import ( + "github.com/gorilla/csrf" + ) + style: secondary + start: 0 + end: 36 + - source: |- + import ( + "github.com/gorilla/csrf" + ) + style: secondary + start: 0 + end: 36 diff --git a/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml b/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml new file mode 100644 index 00000000..4b883430 --- /dev/null +++ b/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml 
@@ -0,0 +1,48 @@ +id: grpc-client-insecure-connection-go +snapshots: + conn, err := grpc.Dial(address, grpc.WithInsecure()): + labels: + - source: grpc.Dial(address, grpc.WithInsecure()) + style: primary + start: 13 + end: 52 + - source: grpc + style: secondary + start: 13 + end: 17 + - source: Dial + style: secondary + start: 18 + end: 22 + - source: grpc.Dial + style: secondary + start: 13 + end: 22 + - source: address + style: secondary + start: 23 + end: 30 + - source: grpc + style: secondary + start: 32 + end: 36 + - source: WithInsecure + style: secondary + start: 37 + end: 49 + - source: grpc.WithInsecure + style: secondary + start: 32 + end: 49 + - source: () + style: secondary + start: 49 + end: 51 + - source: grpc.WithInsecure() + style: secondary + start: 32 + end: 51 + - source: (address, grpc.WithInsecure()) + style: secondary + start: 22 + end: 52 diff --git a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml new file mode 100644 index 00000000..761098a7 --- /dev/null +++ b/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml 
@@ -0,0 +1,109 @@ +id: use-of-weak-rsa-key-go +snapshots: + ? | + pvk, err := rsa.GenerateKey(rand.Reader, -1929) + : labels: + - source: '-1929' + style: primary + start: 41 + end: 46 + - source: rsa.GenerateKey + style: secondary + start: 12 + end: 27 + - source: '-1929' + style: secondary + start: 41 + end: 46 + - source: (rand.Reader, -1929) + style: secondary + start: 27 + end: 47 + - source: rsa.GenerateKey(rand.Reader, -1929) + style: secondary + start: 12 + end: 47 + - source: (rand.Reader, -1929) + style: secondary + start: 27 + end: 47 + ? | + pvk, err := rsa.GenerateKey(rand.Reader, 102.5) + : labels: + - source: '102.5' + style: primary + start: 41 + end: 46 + - source: rsa.GenerateKey + style: secondary + start: 12 + end: 27 + - source: '102.5' + style: secondary + start: 41 + end: 46 + - source: (rand.Reader, 102.5) + style: secondary + start: 27 + end: 47 + - source: rsa.GenerateKey(rand.Reader, 102.5) + style: secondary + start: 12 + end: 47 + - source: (rand.Reader, 102.5) + style: secondary + start: 27 + end: 47 + ? 
| + pvk, err := rsa.GenerateKey(rand.Reader, 1025) + : labels: + - source: '1025' + style: primary + start: 41 + end: 45 + - source: rsa.GenerateKey + style: secondary + start: 12 + end: 27 + - source: '1025' + style: secondary + start: 41 + end: 45 + - source: (rand.Reader, 1025) + style: secondary + start: 27 + end: 46 + - source: rsa.GenerateKey(rand.Reader, 1025) + style: secondary + start: 12 + end: 46 + - source: (rand.Reader, 1025) + style: secondary + start: 27 + end: 46 + pvk, err := rsa.GenerateKey(rand.Reader, 192): + labels: + - source: '192' + style: primary + start: 41 + end: 44 + - source: rsa.GenerateKey + style: secondary + start: 12 + end: 27 + - source: '192' + style: secondary + start: 41 + end: 44 + - source: (rand.Reader, 192) + style: secondary + start: 27 + end: 45 + - source: rsa.GenerateKey(rand.Reader, 192) + style: secondary + start: 12 + end: 45 + - source: (rand.Reader, 192) + style: secondary + start: 27 + end: 45 diff --git a/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml b/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml new file mode 100644 index 00000000..fb44f605 --- /dev/null +++ b/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml 
@@ -0,0 +1,33 @@ +id: gorilla-cookie-store-hardcoded-session-key-go +valid: + - | + var store = sessions.NewCookieStore([]byte(os.Getenv("SESSION_KEY"))) +invalid: + - | + import ( + "github.com/gorilla/sessions" + ) + var store = sessions.NewCookieStore([]byte("hardcoded-session-key-here")) + var store = sessions.NewCookieStore( + []byte("new-authentication-key"), + []byte("new-encryption-key"), + []byte("old-authentication-key"), + []byte("old-encryption-key"), + ) + - | + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + var storeHardcoded = sessions.NewCookieStore([]byte("hardcoded-session-key")) + - | + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + var storeMultipleHardcoded = sessions.NewCookieStore( + []byte("old-authentication-key"), + []byte("old-encryption-key"), + ) \ No newline at end of file diff --git a/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml b/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml new file mode 100644 index 00000000..eb070dd1 --- /dev/null +++ b/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml @@ -0,0 +1,19 @@ +id: gorilla-csrf-hardcoded-auth-key-go +valid: + - | + import ( + "github.com/gorilla/csrf" + ) + func main() { + http.ListenAndServe(":8000", + csrf.Protect([]byte(os.Getenv("CSRF_AUTH_KEY")))(r)) + } +invalid: + - | + import ( + "github.com/gorilla/csrf" + ) + func main() { + http.ListenAndServe(":8000", + csrf.Protect([]byte("32-byte-long-auth-key"))(r)) + } \ No newline at end of file diff --git a/tests/go/grpc-client-insecure-connection-go-test.yml b/tests/go/grpc-client-insecure-connection-go-test.yml new file mode 100644 index 00000000..6002ca6e --- /dev/null +++ b/tests/go/grpc-client-insecure-connection-go-test.yml @@ -0,0 +1,7 @@ +id: grpc-client-insecure-connection-go +valid: + - | + conn, err := grpc.Dial(address) +invalid: + - | + conn, err := grpc.Dial(address, grpc.WithInsecure()) \ No newline at end of file 
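Review bot: The only `valid` case, `var store = sessions.NewCookieStore([]byte(os.Getenv("SESSION_KEY")))`, omits the `github.com/gorilla/sessions` import, so the import guard alone rejects it and the `not: has: kind: call_expression` exclusion is never exercised. Add a `valid` case that keeps the import block and still uses a non-literal key — the same `os.Getenv` form with the import present, or `sessions.NewCookieStore(securecookie.GenerateRandomKey(32))` — so the test actually pins the exclusion. An `invalid` case with a raw (backtick) key would also expose that `raw_string_literal` is currently not reported.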
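Review bot: The rule's second argument branch, a bare `interpreted_string_literal` as the first argument, has no test at all; add `csrf.Protect("32-byte-long-auth-key")(r)` as an `invalid` case so that branch is pinned alongside the `[]byte(...)` form. The one `invalid` and one `valid` case differ only in the argument and both keep the import, which is good, but an `invalid` case with a raw (backtick) key would document that `raw_string_literal` is currently missed, and a case passing the key through a variable (`authKey := []byte("...")` then `csrf.Protect(authKey)`) would record explicitly that indirect hard-coding is out of scope for this rule.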
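Review bot: The `valid` case `conn, err := grpc.Dial(address)` is not a realistic secure configuration — grpc-go rejects a dial with no transport credentials set and returns an error at runtime — so it passes without exercising what the rule is meant to allow. Replace or supplement it with the remediation the rule's own message recommends, `grpc.Dial(address, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{})))`, and add an `invalid` case for `grpc.DialContext(ctx, address, grpc.WithInsecure())` to make explicit whether the `^Dial$` match is intended to cover it.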
diff --git a/tests/go/use-of-weak-rsa-key-go-test.yml b/tests/go/use-of-weak-rsa-key-go-test.yml new file mode 100644 index 00000000..8b65375e --- /dev/null +++ b/tests/go/use-of-weak-rsa-key-go-test.yml @@ -0,0 +1,13 @@ +id: use-of-weak-rsa-key-go +valid: + - | + rsa.GenerateKey(rand.Reader, 2048) +invalid: + - | + pvk, err := rsa.GenerateKey(rand.Reader, 1025) + - | + pvk, err := rsa.GenerateKey(rand.Reader, -1929) + - | + pvk, err := rsa.GenerateKey(rand.Reader, 102.5) + - | + pvk, err := rsa.GenerateKey(rand.Reader, 192) \ No newline at end of file
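Review bot: Two of the four `invalid` cases, `-1929` and `102.5`, are not valid Go (`rsa.GenerateKey` takes an `int`), while the sizes that occur in real code are absent: add `rsa.GenerateKey(rand.Reader, 1024)` and the boundary `rsa.GenerateKey(rand.Reader, 2047)` as `invalid`, and `rsa.GenerateKey(rand.Reader, 4096)` plus `rsa.GenerateMultiPrimeKey(rand.Reader, 2, 2048)` as `valid`, so the `BITS` regex edges and the second function name are pinned. A `valid` case with a non-literal size such as `rsa.GenerateKey(rand.Reader, bits)` would document that variable sizes are not evaluated by this rule.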