G306 triggered on executable bit set #1094
Comments
Creating a file with execute permission can lead to an RCE if the attacker is able to control the input. This is not the case in the example above since everything seems to be hardcoded. This rule is meant to be taken as a warning when creating a file with excessive permissions. It is recommended to either create a file with owner read-only or with read-write file permissions. In this sense, less means 0400. I agree, in this case the rule message sounds confusing since 0500 permissions are less than 0600. I think a better wording might be helpful.
👍 makes sense, I was confusing this rule with a strict mapping to CWE-276 (i.e. enforcing only file modification permissions), though the summary "Poor file permissions used when writing to a new file" makes its intent clear (and that it should cover the case of the executable bit too).
Do you have any suggestions for an improvement? The first two ideas that came to my mind:
or:
I think it is a bit difficult to have a more expressive wording since the file mode can be configured (Line 83 in 8fa46c1).
The former message sounds a bit more accurate to me.
Summary
Steps to reproduce the behavior
Given the following in main.go in the current directory:
Run:
gosec version
I built from source at 8fa46c1
Go version (output of 'go version')
Operating system / Environment
GNU/Linux 6.1.67-1-lts
Expected behavior
When creating a file with the executable bit, this rule is not triggered, since this rule maps to CWE-276, which refers to "During installation, installed file permissions are set to allow anyone to modify those files"; however, setting the executable bit on a file does not allow for any such modifications.
Though if I've misunderstood the meaning of this rule, it might still be worth updating the error message to be more accurate: since 0o500 is less than 0o600, I find the error message confusing. From a quick search I see this was changed in cf63541 from a plain less-than check to a bit comparison.
Actual behavior
The rule is triggered, see output above
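To make the point of the thread concrete, here is an added Go example (it is not gosec's own code, and the bit-mask logic below is written from the description "changed from a plain less-than check to a bit comparison", not copied from cf63541). It contrasts the two ways of deciding whether a requested file mode is "more permissive" than an allowed maximum, using 0600 as the assumed default: an integer less-than-or-equal check, under which 0500 passes because 0o500 < 0o600, and a bit-mask check, under which 0500 is flagged because it sets the owner execute bit that 0600 does not grant. The helper names (`PermittedNumeric`, `PermittedBits`, `ExtraBits`) and the list of sample modes are this example's own.

```go
package main

import (
	"fmt"
	"os"
)

// defaultAllowed is the assumed maximum mode (the thread refers to 0600 as the default
// for G306; the real value is configurable in gosec).
const defaultAllowed os.FileMode = 0o600

// PermittedNumeric treats the permission bits as one integer: a mode passes when it is
// numerically no greater than the allowed maximum. This is the "plain less-than" view
// in which 0o500 (r-x------) looks safer than 0o600 (rw-------).
func PermittedNumeric(requested, allowed os.FileMode) bool {
	return requested.Perm() <= allowed.Perm()
}

// PermittedBits passes only when every permission bit set in requested is also set in
// allowed; any extra bit (for example an execute bit, or any group/other bit) fails.
func PermittedBits(requested, allowed os.FileMode) bool {
	return ExtraBits(requested, allowed) == 0
}

// ExtraBits returns the permission bits that requested grants beyond allowed, i.e. the
// reason a bit-mask check would flag the mode. Zero means nothing extra is granted.
func ExtraBits(requested, allowed os.FileMode) os.FileMode {
	return requested.Perm() &^ allowed.Perm()
}

func main() {
	// Constructed sample modes; 0o500 is the case from the issue.
	for _, m := range []os.FileMode{0o400, 0o500, 0o600, 0o644, 0o700} {
		fmt.Printf("%04o  numeric-ok=%-5v  bits-ok=%-5v  extra-bits=%04o\n",
			uint32(m), PermittedNumeric(m, defaultAllowed),
			PermittedBits(m, defaultAllowed), uint32(ExtraBits(m, defaultAllowed)))
	}
}
```

Running it shows why the two checks disagree on exactly the mode reported in this issue: 0o500 is numerically below 0o600 yet carries an extra bit (0o100, owner execute), while 0o644 is numerically above and also carries extra bits (0o044, group/other read). A message phrased as "less than" describes the first check; the second is better described as "must not grant any permission outside the allowed set".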