Update Go version in CI script (#913)

ccojocar · web-flow · commit c5d217da7a43 · 2023-01-09T16:49:02.000+01:00
* Update Go version in CI script

* Introduce back an additional check for filepath clean to fix the unit tests
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,8 +11,8 @@ jobs:
     strategy:
       matrix:
         go_version:
-          - '1.18.8' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
-          - '1.19.3' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
+          - '1.18.9' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
+          - '1.19.4' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
     runs-on: ubuntu-latest
     env:
       GO111MODULE: on
@@ -44,7 +44,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.19.2' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
+          go-version: '1.19.4' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
       - name: Checkout Source 
         uses: actions/checkout@v3
       - uses: actions/cache@v3
diff --git a/rules/readfile.go b/rules/readfile.go
@@ -59,10 +59,20 @@ func (r *readfile) isJoinFunc(n ast.Node, c *gosec.Context) bool {
 }
 
 // isFilepathClean checks if there is a filepath.Clean for given variable
-func (r *readfile) isFilepathClean(n *ast.Ident) bool {
+func (r *readfile) isFilepathClean(n *ast.Ident, c *gosec.Context) bool {
 	if _, ok := r.cleanedVar[n.Obj.Decl]; ok {
 		return true
 	}
+	if n.Obj.Kind != ast.Var {
+		return false
+	}
+	if node, ok := n.Obj.Decl.(*ast.AssignStmt); ok {
+		if call, ok := node.Rhs[0].(*ast.CallExpr); ok {
+			if clean := r.clean.ContainsPkgCallExpr(call, c, false); clean != nil {
+				return true
+			}
+		}
+	}
 	return false
 }
 
@@ -101,7 +111,7 @@ func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
 				obj := c.Info.ObjectOf(ident)
 				if _, ok := obj.(*types.Var); ok &&
 					!gosec.TryResolve(ident, c) &&
-					!r.isFilepathClean(ident) {
+					!r.isFilepathClean(ident, c) {
 					return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -59,10 +59,20 @@ func (r readfile) isJoinFunc(n ast.Node, c gosec.Context) bool {`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`// isFilepathClean checks if there is a filepath.Clean for given variable`
`62`		`-func (r readfile) isFilepathClean(n ast.Ident) bool {`
	`62`	`+func (r readfile) isFilepathClean(n ast.Ident, c *gosec.Context) bool {`
`63`	`63`	`if _, ok := r.cleanedVar[n.Obj.Decl]; ok {`
`64`	`64`	`return true`
`65`	`65`	`}`
	`66`	`+ if n.Obj.Kind != ast.Var {`
	`67`	`+ return false`
	`68`	`+ }`
	`69`	`+ if node, ok := n.Obj.Decl.(*ast.AssignStmt); ok {`
	`70`	`+ if call, ok := node.Rhs[0].(*ast.CallExpr); ok {`
	`71`	`+ if clean := r.clean.ContainsPkgCallExpr(call, c, false); clean != nil {`
	`72`	`+ return true`
	`73`	`+ }`
	`74`	`+ }`
	`75`	`+ }`
`66`	`76`	`return false`
`67`	`77`	`}`
`68`	`78`
`@@ -101,7 +111,7 @@ func (r readfile) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
`101`	`111`	`obj := c.Info.ObjectOf(ident)`
`102`	`112`	`if _, ok := obj.(*types.Var); ok &&`
`103`	`113`	`!gosec.TryResolve(ident, c) &&`
`104`		`- !r.isFilepathClean(ident) {`
	`114`	`+ !r.isFilepathClean(ident, c) {`
`105`	`115`	`return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil`
`106`	`116`	`}`
`107`	`117`	`}`