Closed
Summary

gosec panics when the argument to the subprocess call is initialized in another file.
Steps to reproduce the behavior

Create a go module with two files:

- main.go
- p.go

main.go:

```go
package main

import (
	"os/exec"
)

func Foo() error {
	return exec.Command(Command).Start()
}
```

p.go:

```go
package main

var Command string
```

Run gosec on the package.

Note that when the variable is declared in the same file as Foo (that is main.go) there is no panic.
gosec version

```
Version: 2.9.1
Git tag: v2.9.1
Build date: 2021-10-15T09:00:44Z
```

Go version (output of 'go version')

```
go version go1.17.2 darwin/amd64
```

Operating system / Environment

MacOS Big Sur

Expected behavior

No panic
Actual behavior

```
[gosec] 2021/11/15 12:21:16 Including rules: default
[gosec] 2021/11/15 12:21:16 Excluding rules: default
[gosec] 2021/11/15 12:21:16 Import directory: /code/testgosec
[gosec] 2021/11/15 12:21:16 Checking package: main
[gosec] 2021/11/15 12:21:16 Checking file: /code/testgosec/main.go
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x12ceef4]

goroutine 1 [running]:
github.com/securego/gosec/v2/rules.(*subprocess).Match(0xc0000b0b00, {0x13db7c0, 0xc00017c080}, 0xc000132070)
	/home/runner/work/gosec/gosec/rules/subproc.go:58 +0x1b4
github.com/securego/gosec/v2.(*Analyzer).Visit(0xc000078060, {0x13db7c0, 0xc00017c080})
	/home/runner/work/gosec/gosec/analyzer.go:375 +0x44f
go/ast.Walk({0x13d5900, 0xc000078060}, {0x13db7c0, 0xc00017c080})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:50 +0x5f
go/ast.Walk({0x13d5900, 0xc000078060}, {0x13dbd38, 0xc00000c048})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:110 +0x141a
go/ast.Walk({0x13d5900, 0xc000078060}, {0x13db7c0, 0xc00017c0c0})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:136 +0x90b
go/ast.walkExprList({0x13d5900, 0xc000078060}, {0xc000420040, 0x1, 0x0})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:24 +0x87
go/ast.Walk({0x13d5900, 0xc000078060}, {0x13dbce8, 0xc0000b6400})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:217 +0x124f
go/ast.walkStmtList({0x13d5900, 0xc000078060}, {0xc000420050, 0x1, 0x0})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:30 +0x87
go/ast.Walk({0x13d5900, 0xc000078060}, {0x13db770, 0xc0001825a0})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:225 +0xedf
go/ast.Walk({0x13d5900, 0xc000078060}, {0x13dba40, 0xc000182810})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:346 +0x7dc
go/ast.walkDeclList({0x13d5900, 0xc000078060}, {0xc0000b6440, 0x2, 0x100c914})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:36 +0x87
go/ast.Walk({0x13d5900, 0xc000078060}, {0x13db9f0, 0xc000032100})
	/opt/hostedtoolcache/go/1.17.2/x64/src/go/ast/walk.go:355 +0x15c5
github.com/securego/gosec/v2.(*Analyzer).Check(0xc000078060, 0xc000666000)
	/home/runner/work/gosec/gosec/analyzer.go:231 +0x545
github.com/securego/gosec/v2.(*Analyzer).Process(0xc000078060, {0x0, 0xc00042c6b0, 0xc00042c6c0}, {0xc00042c6d0, 0x1, 0x3d})
	/home/runner/work/gosec/gosec/analyzer.go:154 +0x1b7
main.main()
	/home/runner/work/gosec/gosec/cmd/gosec/main.go:375 +0x8c5
```
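The situation described in this report, an identifier passed to exec.Command whose declaration lives in a sibling file of the same package, as an added example that is not code from the gosec project and says nothing about what rules/subproc.go actually does. It is a small go/ast walker that finds the first argument of every exec.Command(...) call in one file and resolves that identifier against the package-level var declarations of every parsed file, so a declaration that is absent from the file being visited yields an empty result rather than a nil dereference. The two embedded sources are constructed to mirror the reproducer above; the names ResolveSubprocessArgs, subprocessArgIdents, declaresVar and parsePackage, and the purely syntactic (no go/types) lookup, are assumptions of this example only.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed sources mirroring the issue's two-file reproducer (not gosec code).
var sources = map[string]string{
	"main.go": "package main\n\nimport \"os/exec\"\n\nfunc Foo() error {\n\treturn exec.Command(Command).Start()\n}\n",
	"p.go":    "package main\n\nvar Command string\n",
}

// parsePackage parses every file of the package into one FileSet.
func parsePackage(srcs map[string]string) (map[string]*ast.File, error) {
	fset := token.NewFileSet()
	files := make(map[string]*ast.File, len(srcs))
	for name, src := range srcs {
		f, err := parser.ParseFile(fset, name, src, 0)
		if err != nil {
			return nil, err
		}
		files[name] = f
	}
	return files, nil
}

// subprocessArgIdents returns each identifier passed as the first argument
// to exec.Command(...) in f, the expression a subprocess rule inspects.
func subprocessArgIdents(f *ast.File) []*ast.Ident {
	var idents []*ast.Ident
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || sel.Sel.Name != "Command" {
			return true
		}
		if pkg, ok := sel.X.(*ast.Ident); !ok || pkg.Name != "exec" {
			return true
		}
		if id, ok := call.Args[0].(*ast.Ident); ok {
			idents = append(idents, id)
		}
		return true
	})
	return idents
}

// declaresVar reports whether f has a package-level `var` named name.
// For the reproducer this is false for main.go and true only for p.go.
func declaresVar(f *ast.File, name string) bool {
	for _, d := range f.Decls {
		gd, ok := d.(*ast.GenDecl)
		if !ok || gd.Tok != token.VAR {
			continue
		}
		for _, s := range gd.Specs {
			for _, n := range s.(*ast.ValueSpec).Names {
				if n.Name == name {
					return true
				}
			}
		}
	}
	return false
}

// ResolveSubprocessArgs maps each exec.Command argument identifier in useFile
// to the file (anywhere in the package) that declares it. An identifier no
// file declares maps to "" instead of causing a nil dereference.
func ResolveSubprocessArgs(srcs map[string]string, useFile string) (map[string]string, error) {
	files, err := parsePackage(srcs)
	if err != nil {
		return nil, err
	}
	f, ok := files[useFile]
	if !ok {
		return nil, fmt.Errorf("no such file %q", useFile)
	}
	out := map[string]string{}
	for _, id := range subprocessArgIdents(f) {
		out[id.Name] = "" // default: unresolved, still a safe value to report on
		for fname, pf := range files {
			if declaresVar(pf, id.Name) {
				out[id.Name] = fname
			}
		}
	}
	return out, nil
}

func main() {
	res, err := ResolveSubprocessArgs(sources, "main.go")
	fmt.Println(res, err)
}
```

With the two constructed files, the argument Command used in main.go resolves to p.go; a per-file lookup that only consulted main.go would find nothing, which is the condition a rule has to check for before dereferencing the result.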