Update hardcoded_credentials.go fix: adaper equal expr which const va…

…lue at left (#917) * Update hardcoded_credentials.go adaper equal expr which const value at left. ``` if "Tr0ub4dour_UPL&&LOlo" == pwd ``` * Update hardcoded_credentials.go check ident not equal nil * adapter const == key hardcoded, add testcases
securego · Jan 31, 2023 · a624254 · a624254
1 parent 9432e67
commit a624254
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 6 deletions.
diff --git a/rules/hardcoded_credentials.go b/rules/hardcoded_credentials.go
@@ -101,12 +101,19 @@ func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Contex
 
 func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*gosec.Issue, error) {
 	if binaryExpr.Op == token.EQL || binaryExpr.Op == token.NEQ {
-		if ident, ok := binaryExpr.X.(*ast.Ident); ok {
-			if r.pattern.MatchString(ident.Name) {
-				if val, err := gosec.GetString(binaryExpr.Y); err == nil {
-					if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
-						return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil
-					}
+		ident, ok := binaryExpr.X.(*ast.Ident)
+		if !ok {
+			ident, _ = binaryExpr.Y.(*ast.Ident)
+		}
+
+		if ident != nil && r.pattern.MatchString(ident.Name) {
+			valueNode := binaryExpr.Y
+			if !ok {
+				valueNode = binaryExpr.X
+			}
+			if val, err := gosec.GetString(valueNode); err == nil {
+				if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
+					return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil
 				}
 			}
 		}

diff --git a/testutils/source.go b/testutils/source.go
@@ -113,6 +113,17 @@ package main
 
 import "fmt"
 
+func main() {
+	var password string
+	if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" == password {
+		fmt.Println("password equality")
+	}
+}`}, 1, gosec.NewConfig()},
+		{[]string{`
+package main
+
+import "fmt"
+
 func main() {
 	var password string
 	if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
@@ -124,6 +135,17 @@ package main
 
 import "fmt"
 
+func main() {
+	var password string
+	if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != password {
+		fmt.Println("password equality")
+	}
+}`}, 1, gosec.NewConfig()},
+		{[]string{`
+package main
+
+import "fmt"
+
 func main() {
 	var p string
 	if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
@@ -135,6 +157,17 @@ package main
 
 import "fmt"
 
+func main() {
+	var p string
+	if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != p {
+		fmt.Println("password equality")
+	}
+}`}, 0, gosec.NewConfig()},
+		{[]string{`
+package main
+
+import "fmt"
+
 const (
 	pw = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA=="
 )