I'm getting for a main.go file when run through gometalinter: <div class="snippet-

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

File perms error for 0644 file perms about gosec HOT 6 CLOSED

willfaught commented on August 26, 2024

File perms error for 0644 file perms

from gosec.

Comments (6)

gcmurphy commented on August 26, 2024 1

Well it really depends on the use case. For example 0644 would not be acceptable if the file contained any sort of credentials. So we have opted for a strict but secure default. FWIW - This is configurable (but not currently documented feature).

github.com/GoAstScanner/gas  master ✗                                                                                                                                                       28d ◒  ⍉
▶ ./gas -include=G302  ~/samples/fileperms1_sample.go
Results:

[/Users/gm/samples/fileperms1_sample.go:6] - Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
  > os.Chmod("/tmp/somefile", 0777)


[/Users/gm/samples/fileperms1_sample.go:7] - Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
  > os.Chmod("/tmp/someotherfile", 0644)


Summary:
   Files: 1
   Lines: 8
   Nosec: 0
  Issues: 2


github.com/GoAstScanner/gas  master ✗                                                                                                                                                       28d ◒  ⍉
▶ cat config.json                                                
{
  "G302": "0644"
}

github.com/GoAstScanner/gas  master ✗                                                                                                                                                        28d ◒  
▶ ./gas -conf=config.json -include=G302  ~/samples/fileperms1_sample.go 
Results:

[/Users/gm/samples/fileperms1_sample.go:6] - Expect file permissions to be 0644 or less (Confidence: HIGH, Severity: MEDIUM)
  > os.Chmod("/tmp/somefile", 0777)


Summary:
   Files: 1
   Lines: 8
   Nosec: 0
  Issues: 1

from gosec.

gcmurphy commented on August 26, 2024 1

The aim of gosec is to find potential security problems and you could make a similar argument against most of the rules in gosec really as usually there isn't enough context to make a definitive decision. From a security researchers perspective knowing places like this in a code base you may be unfamiliar with is really useful.

For this specific scenario if you are working closely with the tool you have a multitude of options:

Disable the rule completely
Alter the permission level you warn about
Add an annotations to any false positives to avoid future warnings.

from gosec.

willfaught commented on August 26, 2024

You're not supposed to put credentials in code, right? Requiring stricter perms than the OS default seems like overkill. Won't practically every Go file out there fail this check? This is used by gometalinter now. Is this intended to be a general-purpose linter? Maybe that's my disconnect. Thanks for replying.

…

On Tue, Jan 10, 2017 at 5:11 PM Grant Murphy ***@***.***> wrote: Well it really depends on the use case. For example 0644 would not be acceptable if the file contained any sort of credentials. So we have opted for a strict but secure default. FWIW - This is configurable (but not currently documented feature). github.com/GoAstScanner/gas master ✗ 28d ◒ ⍉ ▶ ./gas -include=G302 ~/samples/fileperms1_sample.go Results: [/Users/gm/samples/fileperms1_sample.go:6] - Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod("/tmp/somefile", 0777) [/Users/gm/samples/fileperms1_sample.go:7] - Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod("/tmp/someotherfile", 0644) Summary: Files: 1 Lines: 8 Nosec: 0 Issues: 2 github.com/GoAstScanner/gas master ✗ 28d ◒ ⍉ ▶ cat config.json { "G302": "0644" } github.com/GoAstScanner/gas master ✗ 28d ◒ ▶ ./gas -conf=config.json -include=G302 ~/samples/fileperms1_sample.go Results: [/Users/gm/samples/fileperms1_sample.go:6] - Expect file permissions to be 0644 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod("/tmp/somefile", 0777) Summary: Files: 1 Lines: 8 Nosec: 0 Issues: 1 — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#107 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAD5VrBGEr_iGYaD3E6e8QbnKsrmlERUks5rRCwogaJpZM4LgDB-> .

from gosec.

gcmurphy commented on August 26, 2024

Sorry. Just to be clear this rule will trigger wherever Go source code is creating a file not on the actual permissions of Go source files within a project.

From a security review / code auditing point of view I want to know where files are being created on the filesystems that aren't following principle of least privilege type practices.

from gosec.

willfaught commented on August 26, 2024

Oh, I misunderstood. Strange, the file it complained about doesn't write any files directly.

...And of course now it won't repro. Closing. Thanks. :)

from gosec.

camilamacedo86 commented on August 26, 2024

Hi @gcmurphy,

The principle of least privilege type practices does not justify the error in the lint. The lint cannot know if I am giving or not the least privilege for my use case.

Example:

I am tooling a process where it would create a file that should/can be edit for anyone.

The linter is raising issues when should not and trying to do a check that goes beyond its responsibility since it is unable to analyse the scenario and the business rules to know if the 644 is or nor the least privilege that should be applied, indeed.

from gosec.

File perms error for 0644 file perms about gosec HOT 6 CLOSED

Comments (6)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent