Panic when validating TLS #727

Closed
milosgajdos opened this issue Nov 16, 2021 · 1 comment

@milosgajdos

Summary

The latest gosec release version panics when validating TLS.

panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/securego/gosec/v2/rules.(*insecureConfigTLS).processTLSConfVal(0xc000144400, 0xc0001ba660, 0xc0001a0070)
	/home/runner/work/gosec/gosec/rules/tls.go:92 +0x877
github.com/securego/gosec/v2/rules.(*insecureConfigTLS).Match(0xc000144400, {0x13db8b0, 0xc0019de440}, 0xc0001a0070)
	/home/runner/work/gosec/gosec/rules/tls.go:183 +0x147
github.com/securego/gosec/v2.(*Analyzer).Visit(0xc0001f0ea0, {0x13db8b0, 0xc0019de440})
	/home/runner/work/gosec/gosec/analyzer.go:375 +0x44f
go/ast.Walk({0x13d5900, 0xc0001f0ea0}, {0x13db8b0, 0xc0019de440})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:50 +0x5f
go/ast.Walk({0x13d5900, 0xc0001f0ea0}, {0x13dbea0, 0xc0007c2400})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:143 +0xbfd
go/ast.walkExprList({0x13d5900, 0xc0001f0ea0}, {0xc000a92ea0, 0x1, 0x0})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:24 +0x87
go/ast.Walk({0x13d5900, 0xc0001f0ea0}, {0x13db680, 0xc0019de540})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:208 +0x12b2
go/ast.walkStmtList({0x13d5900, 0xc0001f0ea0}, {0xc0007b0300, 0x7, 0x13db7c0})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:30 +0x87
go/ast.Walk({0x13d5900, 0xc0001f0ea0}, {0x13db770, 0xc001595560})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:225 +0xedf
go/ast.Walk({0x13d5900, 0xc0001f0ea0}, {0x13dbb30, 0xc0019df580})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:232 +0x1005
go/ast.walkStmtList({0x13d5900, 0xc0001f0ea0}, {0xc00135d300, 0x9, 0x0})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:30 +0x87
go/ast.Walk({0x13d5900, 0xc0001f0ea0}, {0x13db770, 0xc001d7a690})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:225 +0xedf
go/ast.Walk({0x13d5900, 0xc0001f0ea0}, {0x13dba40, 0xc000ad6780})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:346 +0x7dc
go/ast.walkDeclList({0x13d5900, 0xc0001f0ea0}, {0xc000d80000, 0x15, 0x100c914})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:36 +0x87
go/ast.Walk({0x13d5900, 0xc0001f0ea0}, {0x13db9f0, 0xc0007b0680})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:355 +0x15c5
github.com/securego/gosec/v2.(*Analyzer).Check(0xc0001f0ea0, 0xc00117b400)
	/home/runner/work/gosec/gosec/analyzer.go:231 +0x545
github.com/securego/gosec/v2.(*Analyzer).Process(0xc0001f0ea0, {0x0, 0xc00052e6b0, 0xc0002a3c00}, {0xc00078e000, 0x3e, 0x3d})
	/home/runner/work/gosec/gosec/analyzer.go:154 +0x1b7
main.main()
	/home/runner/work/gosec/gosec/cmd/gosec/main.go:375 +0x8c5

Steps to reproduce the behavior

git clone && gosec ./...

gosec version

gosec --version
Version: 2.9.1
Git tag: v2.9.1
Build date: 2021-10-15T09:00:44Z

Go version (output of 'go version')

Is this relevant? I'm using the officially released binary of gosec

$ go version
go version go1.17.2 darwin/amd64

Operating system / Environment

macOS Big Sur 11.6 (20G165)

Expected behavior

No panic happens and I get a list of results.

Actual behavior

gosec panics

@ccojocar
Member

duplicate of #721
