Skip to content

Go: Recognize unsafe candidate selection in go/insecure-randomness #15294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jan 12, 2024
Merged

Go: Recognize unsafe candidate selection in go/insecure-randomness #15294

merged 3 commits into from
Jan 12, 2024

Conversation

atorralba
Copy link
Contributor

@atorralba atorralba commented Jan 11, 2024
edited
Loading

This PR adds a flow step so that go/insecure-randomness recognizes the pattern of randomly selecting a character/substring from a predefined set with a weak RNG, which is a security risk if the result is used in a sensitive function.

Adds coverage for CVE-2023-46740.

@atorralba
Copy link
Contributor Author

DCA looks uneventful.

@atorralba atorralba marked this pull request as ready for review January 11, 2024 11:41
@atorralba atorralba requested a review from a team as a code owner January 11, 2024 11:41
@owen-mc
Copy link
Contributor

owen-mc commented Jan 11, 2024

Have you considered running MRVA (either for the whole query or just the step you're adding) to check that this doesn't cause too many FPs?

@atorralba
Reduce FPs
12c5b46 
* Restrict allowed types in the flow step

* Discard more non-crypto-related TLS APIs
@atorralba
Copy link
Contributor Author

That's a good idea. After evaluating the top 1k Go projects (using flow states to only see results caused by this flow step), I could identify several FPs caused by either:

  • The type of the slice not being relevant for crypto/sensitive operations
  • The sink being a non-crypto-related API

After adding the appropriate exclusions in 12c5b46, there's only 1 more FP in the top 1k projects, which is caused by the password name heuristic and not by the flow step, so I think it's acceptable.

owen-mc
owen-mc previously approved these changes Jan 11, 2024
View reviewed changes
@owen-mc
Copy link
Contributor

owen-mc commented Jan 11, 2024
edited
Loading

My only slight misgiving is that you've done several small things which aren't mentioned in the change note. Maybe you could add something to say that some changes have been made to reduce false positives? Up to you.

@atorralba
Copy link
Contributor Author

Won't hurt — done here :)

@atorralba atorralba merged commit 448439e into github:main Jan 12, 2024
@atorralba atorralba deleted the atorralba/go/insecure-randomness-index-flowstep branch January 12, 2024 10:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@owen-mc owen-mc owen-mc approved these changes

Assignees
No one assigned
Labels
documentation Go
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@atorralba @owen-mc