
How to handle gosec linter warning: Potential file inclusion via variable

How do I solve the following warning from gosec linter:

::warning: Potential file inclusion via variable,MEDIUM,HIGH (gosec)

The linter is warning me on the first line of this function:

func File2lines(filePath string) ([]string, error) {
    f, err := os.Open(filePath) //Warning here
    if err != nil {
        return nil, err
    }
    defer f.Close()
    return linesFromReader(f)
}

I have tried reading up on local file inclusion, but cannot see how that would be applicable here.

Where does the path come from? If you're not absolutely sure it can never have user input, best to clean it before use and use a known prefix, eg:

filePath = filepath.Join(basePath, filepath.Clean(filePath))
f, err := os.Open(filePath)

That should fix the complaint. This is a reasonable precaution anyway even if you think it is safe now, in case later someone uses your function with user data.

No one said the linter was smart. Looking at the function in isolation, it's impossible to say if there's a security issue. If the function is called with a filePath that's user-supplied and insufficiently validated, and it runs in a context where it can read files that the user would not be able to otherwise (e.g. in a program with elevated privileges, or on a remote server), then there is probably an issue. Otherwise, the only thing to do about the warning is to suppress or ignore it.

If you specify the file path with a variable, there is a risk that an unintended file path will be specified. Therefore, you should use filepath.Clean() to clean up possible bad paths.

An easy solution:

f, err := os.Open(filepath.Clean(fname))
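The two answers above that recommend filepath.Clean (with or without filepath.Join onto a base directory) both leave one gap worth seeing in code: filepath.Join already cleans its result, and neither Clean nor Join strips a leading "..", so a name such as "../../etc/passwd" still walks out of the base directory. The program below is an added example, not code from the question or any of the answers. It assumes a hypothetical SafeJoin helper that joins the name under the base and then rejects any result that resolves outside it, and a ReadLinesInBase function that is the question's File2lines with that check applied; all sample paths and the scratch file are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path resolves outside the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// SafeJoin (hypothetical helper) resolves name against base and rejects any result
// that lies outside base. filepath.Join already runs filepath.Clean on its result,
// so wrapping name in Clean adds nothing; the containment check below is what
// actually blocks "../" escapes. Symlinks are not resolved here: a link inside base
// that points outside it will still be followed by os.Open, so base must be a
// directory whose contents you control.
func SafeJoin(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// An absolute name is joined under base as well, so "/etc/passwd" becomes
	// "<base>/etc/passwd" rather than escaping.
	joined := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// ReadLinesInBase is the question's File2lines with the containment check in front of os.Open.
func ReadLinesInBase(base, name string) ([]string, error) {
	path, err := SafeJoin(base, name)
	if err != nil {
		return nil, err
	}
	f, err := os.Open(path) // gosec still flags this line; the check above is the justification
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var lines []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		lines = append(lines, sc.Text())
	}
	return lines, sc.Err()
}

func main() {
	// Constructed sample: a scratch base directory holding one file.
	base, err := os.MkdirTemp("", "gosec-g304")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	if err := os.WriteFile(filepath.Join(base, "app.log"), []byte("line one\nline two\n"), 0o600); err != nil {
		panic(err)
	}

	// "logs/../app.log" is fine after cleaning; "../../etc/passwd" is rejected by the
	// containment check; "/etc/passwd" is confined under base and simply does not exist there.
	for _, name := range []string{"app.log", "logs/../app.log", "../../etc/passwd", "/etc/passwd"} {
		lines, err := ReadLinesInBase(base, name)
		fmt.Printf("%-18s -> lines=%v err=%v\n", name, lines, err)
	}
}
```

Note that the containment check does not make gosec stop reporting the os.Open call, because the rule fires on any variable path; once the caller-supplied name has been confined like this, suppressing that one line (gosec's `#nosec` comment with the rule id and a short reason) is the honest remaining step.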


The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM