feat: Support for adding taint analysis engine#1486
feat: Support for adding taint analysis engine#1486ravisastryk wants to merge 7 commits intosecurego:masterfrom
Conversation
ravisastryk
force-pushed
the
feature/taint-analysis-engine
branch
from
242671d to
105052f
Compare
ravisastryk
changed the title
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #1486 +/- ##
==========================================
+ Coverage 68.49% 68.66% +0.16%
==========================================
Files 75 94 +19
Lines 4384 7200 +2816
==========================================
+ Hits 3003 4944 +1941
- Misses 1233 2026 +793
- Partials 148 230 +82 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
@ccojocar Please review when you get a chance. TIA |
ravisastryk
force-pushed
the
feature/taint-analysis-engine
branch
4 times, most recently
from
a653518 to
a5dd1eb
Compare
Implements SSA-based taint analysis to detect security vulnerabilities: - G701: SQL injection via string concatenation - G702: Command injection via user input - G703: Path traversal via user input - G704: SSRF via user-controlled URLs - G705: XSS via unescaped user input - G706: Log injection via user input Uses golang.org/x/tools for SSA/call graph analysis with CHA. Zero external dependencies beyond existing gosec imports.
ravisastryk
force-pushed
the
feature/taint-analysis-engine
branch
from
a5dd1eb to
bf684e2
Compare
|
Thanks for submitting this. I will need some time to review it. Which AI code generator are you using? |
Thank you for asking @ccojocar. Claude helped with initial scaffolding, and I handled the refinements and final implementation to improve further. Please take your time reviewing. I am interested to see this reach a wider audience and encourage broader gosec adoption. Thank you for your time again. |
|
|
||
| // Source defines where tainted data originates. | ||
| // Format: "package/path.TypeOrFunc" or "*package/path.Type" for pointer types. | ||
| type Source struct { |
There was a problem hiding this comment.
Can you add a go doc comment on each field?
analyzers/taint/taint.go
Outdated
| // Format: "package/path.TypeOrFunc" or "*package/path.Type" for pointer types. | ||
| type Source struct { | ||
| Package string // e.g., "net/http" | ||
| Name string // e.g., "Request" or "Get" |
There was a problem hiding this comment.
Is this function/method name? Can you make the name more clear?
There was a problem hiding this comment.
Name is the type or function name that produces tainted data (e.g., "Request" for type, "Get" for function). I have updated the documentation
|
|
||
| // Sink defines a dangerous function that should not receive tainted data. | ||
| // Format: "(*package/path.Type).Method" or "package/path.Func" | ||
| type Sink struct { |
There was a problem hiding this comment.
Please add go doc on each field.
| } | ||
|
|
||
| // Result represents a detected taint flow from source to sink. | ||
| type Result struct { |
There was a problem hiding this comment.
Please add a go doc on each field.
analyzers/taint/taint.go
Outdated
|
|
||
| // Analyzer performs taint analysis on SSA programs. | ||
| type Analyzer struct { | ||
| config Config |
There was a problem hiding this comment.
I would use a pointer for config.
| {Package: "net/http", Method: "Get"}, | ||
| {Package: "net/http", Method: "Post"}, | ||
| {Package: "net/http", Method: "Head"}, | ||
| {Package: "net/http", Method: "PostForm"}, |
There was a problem hiding this comment.
net.Dial, net.DialTImeout, net.LookupHost
There was a problem hiding this comment.
net/http/httputil.ReverseProxy:
There was a problem hiding this comment.
net/http/httputil NewSingleHostReverseProxy
| // XSS returns a configuration for detecting Cross-Site Scripting vulnerabilities. | ||
| func XSS() Config { | ||
| return Config{ | ||
| Sources: []Source{ |
There was a problem hiding this comment.
see sources above for a more complete list
| {Package: "net/http", Name: "Request", Pointer: true}, | ||
| {Package: "net/url", Name: "Values"}, | ||
| }, | ||
| Sinks: []Sink{ |
There was a problem hiding this comment.
template.HTML, template.HTMLAttr, template.JS, template.CSS missing
| func LogInjection() Config { | ||
| return Config{ | ||
| Sources: []Source{ | ||
| {Package: "net/http", Name: "Request", Pointer: true}, |
There was a problem hiding this comment.
see above for a more complete list of sources
| {Package: "log", Method: "Println"}, | ||
| {Package: "log", Method: "Fatal"}, | ||
| {Package: "log", Method: "Fatalf"}, | ||
| {Package: "log", Method: "Fatalln"}, |
There was a problem hiding this comment.
log.Panic, log/slog.Info, Error, Warn
|
Thank you @ccojocar for your thorough review! I believe I have addressed most of your suggestions. Can you please re-review when you get a chance? Any other suggestions are welcome! |
|
@ccojocar Friendly reminder! Can you please re-review when you get a chance? |
3 participants
Taint Analysis Engine for gosec
Implements a minimal, zero-dependency taint analysis engine for gosec that tracks data flow from sources (user input) to sinks (dangerous functions) to detect security vulnerabilities.
Issue: #1160 - Request for taint analysis support in gosec
New Security Rules
Changes
golang.org/x/toolspackages that gosec already depends onExample Detection
SQL Injection (G701):
Command Injection (G702):