
Trying out gosec / try gosec

k2wanko
March 01, 2019


Transcript

  1. G103: Use of unsafe block
     Detects uses of "Alignof", "Offsetof", "Sizeof" and "Pointer" from the unsafe package.
     Humanity is not ready for manual memory management, so avoid the unsafe package wherever you can.

    package main

    import "unsafe"

    func main() {
        // Declarations added so the slide's snippet compiles; the slide only showed the two casts.
        var intArray [2]int
        intPtr := &intArray[0]
        // Pointer arithmetic through unsafe: gosec G103 reports each unsafe.Pointer / unsafe.Sizeof use here.
        addressHolder := uintptr(unsafe.Pointer(intPtr)) + unsafe.Sizeof(intArray[0])
        intPtr = (*int)(unsafe.Pointer(addressHolder))
        _ = intPtr
    }
  2. G201: SQL query construction using format string
     Detects SQL that is assembled by string formatting / concatenation.

    import (
        "database/sql"
        "fmt"
        "os"
        // ... (driver import elided on the slide)
    )

    func main() {
        db, err := sql.Open("sqlite3", ":memory:")
        if err != nil {
            // ... (error handling elided on the slide)
        }
        // Vulnerable: untrusted os.Args[1] is interpolated into the SQL text, which is what G201 flags.
        q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1])
        rows, err := db.Query(q)
        // ... (rest elided on the slide)
        _, _ = rows, err
    }
  3. G201: SQL query construction using format string
     Instead of building the string yourself, let the database/sql package assemble the query with placeholders.

    import (
        "database/sql"
        "os"
        // ... (driver import elided on the slide)
    )

    func main() {
        db, err := sql.Open("sqlite3", ":memory:")
        if err != nil {
            // ... (error handling elided on the slide)
        }
        name := os.Args[1] // the slide uses `name` without showing where it comes from
        // Fixed: the value travels as a bound parameter, never as part of the SQL text.
        rows, err := db.Query("SELECT * FROM foo where name = ?", name)
        // ... (rest elided on the slide)
        _, _ = rows, err
    }
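To make concrete what "detection" means in slides 1 to 3, here is an added example (not the deck's code and not gosec's own implementation) of a miniature static check written with Go's standard go/ast package. It parses a constructed source file, modelled on the deck's snippets, and applies two simplified rules: a G201-style rule that flags db.Query/QueryRow/Exec whose first argument is a fmt.Sprintf call or a local variable assigned from fmt.Sprintf, and a G103-style rule that flags any selector into the unsafe package. The sample source, the Finding type and the Scan function are all constructed for this illustration; real gosec covers many more shapes (concatenation, other packages, configuration) than this does.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding records which simplified rule fired and on which line of the scanned source.
type Finding struct {
	Rule string // "G103" or "G201"
	Line int
}

// sampleSrc is a constructed input modelled on the deck's snippets: one query built
// with fmt.Sprintf (should be flagged), one parameterised query (should not be),
// and one unsafe.Pointer cast (should be flagged).
const sampleSrc = `package main
import ("database/sql"; "fmt"; "os"; "unsafe")
func main() {
	db, _ := sql.Open("sqlite3", ":memory:")
	q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1])
	rows, _ := db.Query(q)
	safe, _ := db.Query("SELECT * FROM foo where name = ?", os.Args[1])
	var x int
	p := unsafe.Pointer(&x)
	_, _, _ = rows, safe, p
}`

// isSprintf reports whether e is a call of the form fmt.Sprintf(...).
func isSprintf(e ast.Expr) bool {
	call, ok := e.(*ast.CallExpr)
	if !ok {
		return false
	}
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	pkg, ok := sel.X.(*ast.Ident)
	return ok && pkg.Name == "fmt" && sel.Sel.Name == "Sprintf"
}

// Scan parses src and returns findings in source order. Go requires a local variable
// to be declared before use, so a single in-order AST walk is enough to remember which
// identifiers were assigned from fmt.Sprintf before they reach a query call.
func Scan(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	tainted := map[string]bool{} // locals whose value came straight from fmt.Sprintf
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt:
			for i, rhs := range x.Rhs {
				if i < len(x.Lhs) && isSprintf(rhs) {
					if id, ok := x.Lhs[i].(*ast.Ident); ok {
						tainted[id.Name] = true
					}
				}
			}
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if !ok || len(x.Args) == 0 {
				return true
			}
			switch sel.Sel.Name {
			case "Query", "QueryRow", "Exec": // database/sql entry points taking SQL text
			default:
				return true
			}
			arg := x.Args[0]
			id, isIdent := arg.(*ast.Ident)
			if isSprintf(arg) || (isIdent && tainted[id.Name]) {
				findings = append(findings, Finding{"G201", fset.Position(x.Pos()).Line})
			}
		case *ast.SelectorExpr:
			// Any unsafe.Pointer / Sizeof / Alignof / Offsetof reference, as G103 describes.
			if pkg, ok := x.X.(*ast.Ident); ok && pkg.Name == "unsafe" {
				switch x.Sel.Name {
				case "Pointer", "Sizeof", "Alignof", "Offsetof":
					findings = append(findings, Finding{"G103", fset.Position(x.Pos()).Line})
				}
			}
		}
		return true
	})
	return findings, nil
}

func main() {
	findings, err := Scan(sampleSrc)
	if err != nil {
		panic(err)
	}
	for _, fd := range findings {
		fmt.Printf("sample.go:%d: %s\n", fd.Line, fd.Rule)
	}
}
```

Running it prints one G201 hit for the `db.Query(q)` line and one G103 hit for the `unsafe.Pointer(&x)` line; the parameterised `db.Query("... = ?", ...)` is left alone because its first argument is a string literal, which is exactly the distinction slides 2 and 3 draw.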
  4. Rules gosec can detect (misc)
     G101 Look for hardcoded credentials
     G102 Bind to all interfaces
     G103 Audit the use of unsafe block
     G104 Audit errors not checked
     G105 Audit the use of big.Exp function
     G106 Audit the use of ssh.InsecureIgnoreHostKey function
     G107 Url provided to HTTP request as taint input
     (injection)
     G201 SQL query construction using format string
     G202 SQL query construction using string concatenation
     G203 Use of unescaped data in HTML templates
     G204 Audit use of command execution
  5. Rules gosec can detect (filesystem, crypto, blacklist)
     (filesystem)
     G301 Poor file permissions used when creating a directory
     G302 Poor file permissions used when creating a file or using chmod
     G303 Creating tempfile using a predictable path
     G304 File path provided as taint input
     G305 File path traversal when extracting zip archive
     (crypto)
     G401 Detect the usage of DES, RC4, MD5 or SHA1
     G402 Look for bad TLS connection settings
     G403 Ensure minimum RSA key length of 2048 bits
     G404 Insecure random number source (rand)
     (blacklist)
     G501 Import blacklist: crypto/md5
     G502 Import blacklist: crypto/des
     G503 Import blacklist: crypto/rc4
     G504 Import blacklist: net/http/cgi
     G505 Import blacklist: crypto/sha1