tls config MinVersion rule causes panic #721

Closed
erraggy opened this issue Nov 6, 2021 · 0 comments · Fixed by #724

erraggy commented Nov 6, 2021

Summary

Since version v2.9.1, the gosec rule for tls config's MinVersion will now panic at:
https://github.com/securego/gosec/blob/v2.9.1/rules/tls.go#L92

Steps to reproduce the behavior

You can use the following example go source:

package example

import (
	"crypto/tls"
	"fmt"
)

func causeGosecPanic(foo bool) {
	var minVer uint16

	if foo {
		minVer = tls.VersionTLS12
	} else {
		minVer = 1
	}

	cfg := tls.Config{
		MinVersion: minVer,
	}
	fmt.Println("tls min version", cfg.MinVersion)
}

gosec version

v2.9.1

Go version (output of 'go version')

go1.16.9 darwin/amd64

Operating system / Environment

macOS Version 10.15.7

Expected behavior

no panic

Actual behavior

% gosec example/...
[gosec] 2021/11/05 17:08:04 Including rules: default
[gosec] 2021/11/05 17:08:04 Excluding rules: default
[gosec] 2021/11/05 17:08:04 Import directory: /Users/rcoleman/code/gosec_issue/example
[gosec] 2021/11/05 17:08:05 Checking package: example
[gosec] 2021/11/05 17:08:05 Checking file: /Users/rcoleman/code/gosec_issue/example/tls_min_version_panic.go
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/securego/gosec/v2/rules.(*insecureConfigTLS).processTLSConfVal(0xc00048c600, 0xc0002edc20, 0xc0001a6070, 0x143ac01)
	/Users/rcoleman/sdk/modcache/github.com/securego/gosec/v2@v2.9.1/rules/tls.go:92 +0xaf4
github.com/securego/gosec/v2/rules.(*insecureConfigTLS).Match(0xc00048c600, 0x143a530, 0xc0004f0e00, 0xc0001a6070, 0x168b800, 0x0, 0x1)
	/Users/rcoleman/sdk/modcache/github.com/securego/gosec/v2@v2.9.1/rules/tls.go:183 +0x158
github.com/securego/gosec/v2.(*Analyzer).Visit(0xc0000720c0, 0x143a530, 0xc0004f0e00, 0x1438a20, 0xc0000720c0)
	/Users/rcoleman/sdk/modcache/github.com/securego/gosec/v2@v2.9.1/analyzer.go:375 +0x40d
go/ast.Walk(0x1438a20, 0xc0000720c0, 0x143a530, 0xc0004f0e00)
	/Users/rcoleman/sdk/go1.16.9/src/go/ast/walk.go:52 +0x63
go/ast.walkExprList(0x1438a20, 0xc0000720c0, 0xc00059e5d0, 0x1, 0x1)
	/Users/rcoleman/sdk/go1.16.9/src/go/ast/walk.go:26 +0x9e
go/ast.Walk(0x1438a20, 0xc0000720c0, 0x143a300, 0xc0004f0e40)
	/Users/rcoleman/sdk/go1.16.9/src/go/ast/walk.go:207 +0x1f97
go/ast.walkStmtList(0x1438a20, 0xc0000720c0, 0xc0004f0e80, 0x4, 0x4)
	/Users/rcoleman/sdk/go1.16.9/src/go/ast/walk.go:32 +0x9e
go/ast.Walk(0x1438a20, 0xc0000720c0, 0x143a3f0, 0xc0002edc50)
	/Users/rcoleman/sdk/go1.16.9/src/go/ast/walk.go:224 +0x1968
go/ast.Walk(0x1438a20, 0xc0000720c0, 0x143a6c0, 0xc0002edc80)
	/Users/rcoleman/sdk/go1.16.9/src/go/ast/walk.go:344 +0xce6
go/ast.walkDeclList(0x1438a20, 0xc0000720c0, 0xc0004ef8e0, 0x2, 0x2)
	/Users/rcoleman/sdk/go1.16.9/src/go/ast/walk.go:38 +0x9e
go/ast.Walk(0x1438a20, 0xc0000720c0, 0x143a670, 0xc000257100)
	/Users/rcoleman/sdk/go1.16.9/src/go/ast/walk.go:353 +0x2446
github.com/securego/gosec/v2.(*Analyzer).Check(0xc0000720c0, 0xc0003f1680)
	/Users/rcoleman/sdk/modcache/github.com/securego/gosec/v2@v2.9.1/analyzer.go:231 +0x518
github.com/securego/gosec/v2.(*Analyzer).Process(0xc0000720c0, 0x0, 0x0, 0x0, 0xc0000a30c0, 0x1, 0x1, 0x1, 0x0)
	/Users/rcoleman/sdk/modcache/github.com/securego/gosec/v2@v2.9.1/analyzer.go:154 +0x149
main.main()
	/Users/rcoleman/sdk/modcache/github.com/securego/gosec/v2@v2.9.1/cmd/gosec/main.go:375 +0x82b
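The trace above ends in an index into an empty slice while the rule is resolving the value assigned to MinVersion. The following is an added example, not gosec's code and not the reporter's: a small go/ast walker that follows a MinVersion identifier back to its declaration and, when the declaration is a `var minVer uint16` with no initializer (a ValueSpec whose Values slice is empty), reports it as not statically determinable instead of indexing Values[0]. The function names, the "dynamic"/"constant" labels, and the matching on a `*.Config{MinVersion: ...}` literal are assumptions for this illustration; it is assumed, from the "length 0" in the trace, that the rule's crash is this same kind of unguarded index.

```go
package main
import (
	"go/ast"
	"go/parser"
	"go/token"
)
// Constructed input (hypothetical) mirroring the report: MinVersion comes from a
// variable declared without an initializer and assigned in two branches.
const issueSrc = `package example
import "crypto/tls"
func f(foo bool) {
	var minVer uint16; if foo { minVer = tls.VersionTLS12 } else { minVer = 1 }
	_ = tls.Config{MinVersion: minVer} }`
// minVersionKinds classifies the MinVersion value of every *.Config literal in src.
func minVersionKinds(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "x.go", src, 0)
	if err != nil { return nil, err }
	var kinds []string
	ast.Inspect(f, func(n ast.Node) bool {
		cl, ok := n.(*ast.CompositeLit)
		if !ok { return true }
		if t, ok := cl.Type.(*ast.SelectorExpr); !ok || t.Sel.Name != "Config" { return true }
		for _, e := range cl.Elts {
			if kv, ok := e.(*ast.KeyValueExpr); ok {
				if k, ok := kv.Key.(*ast.Ident); ok && k.Name == "MinVersion" {
					kinds = append(kinds, classify(kv.Value))
				}
			}
		}
		return true
	})
	return kinds, nil
}
// classify follows an identifier to its declaration. The length guard is the point:
// `var minVer uint16` is a ValueSpec with no Values, so an unguarded Values[0]
// is exactly "index out of range [0] with length 0".
func classify(v ast.Expr) string {
	switch x := v.(type) {
	case *ast.BasicLit, *ast.SelectorExpr:
		return "constant" // e.g. 1 or tls.VersionTLS12
	case *ast.Ident:
		if x.Obj == nil { return "unresolved" } // declared in another file/package
		spec, ok := x.Obj.Decl.(*ast.ValueSpec)
		// var without initializer, parameter, or := assignment: nothing to index.
		if !ok || len(spec.Values) == 0 { return "dynamic" }
		return classify(spec.Values[0])
	}
	return "unresolved"
}
```

Running minVersionKinds(issueSrc) yields ["dynamic"] rather than a panic; a real rule would then report the field as unverifiable or skip it.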