go.lang.correctness.permissions.file_permission.incorrect-default-permission


Detected file permissions that are set to more than 0600 (user/owner can read and write). Setting file permissions to higher than 0600 is most likely unnecessary and violates the principle of least privilege. Instead, set permissions to be 0600 or less for os.Chmod, os.Mkdir, os.OpenFile, os.MkdirAll, and ioutil.WriteFile


Definition

rules:
  - id: incorrect-default-permission
    message: Detected file permissions that are set to more than `0600` (user/owner
      can read and write). Setting file permissions to higher than `0600` is
      most likely unnecessary and violates the principle of least privilege.
      Instead, set permissions to be `0600` or less for os.Chmod, os.Mkdir,
      os.OpenFile, os.MkdirAll, and ioutil.WriteFile
    metadata:
      cwe: "CWE-276: Incorrect Default Permissions"
      source_rule_url: https://github.com/securego/gosec
      category: correctness
      references:
        - https://github.com/securego/gosec/blob/master/rules/fileperms.go
      technology:
        - go
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    severity: WARNING
    languages:
      - go
    patterns:
      - pattern-either:
          - pattern: os.Chmod($NAME, $PERM)
          - pattern: os.Mkdir($NAME, $PERM)
          - pattern: os.OpenFile($NAME, $FLAG, $PERM)
          - pattern: os.MkdirAll($NAME, $PERM)
          - pattern: ioutil.WriteFile($NAME, $DATA, $PERM)
      - metavariable-comparison:
          metavariable: $PERM
          comparison: $PERM > 0o600
          base: 8
      - focus-metavariable:
          - $PERM
    fix: |
      0600

Examples

file_permission.go

package main

import (
	"fmt"
	"io/ioutil"
	"os"
)

// main is intentionally empty: this file is a Semgrep test fixture and the
// rule's positive ("ruleid:") and negative ("ok:") cases live in the test_*
// functions that follow.
func main() {
}

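// test_chmod holds the os.Chmod fixtures: the 0777 call must be reported by
// incorrect-default-permission, the 0400 call must not. The "ruleid:" and
// "ok:" comments are Semgrep test annotations and must stay on the line
// immediately above the call they describe.
func test_chmod() {
	// ruleid: incorrect-default-permission
	err := os.Chmod("/tmp/somefile", 0777)
	if err != nil {
		fmt.Println("Error when changing file permissions!")
		return
	}

	// err is already declared above; ":=" here would not compile
	// (no new variables on left side of :=).
	// ok: incorrect-default-permission
	err = os.Chmod("/tmp/somefile", 0400)
	if err != nil {
		fmt.Println("Error when changing file permissions!")
		return
	}
}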

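// test_mkdir holds the os.Mkdir / os.MkdirAll fixtures: both 0777 calls must
// be reported by incorrect-default-permission, the 0600 call must not. The
// "ruleid:" and "ok:" comments are Semgrep test annotations and must stay on
// the line immediately above the call they describe.
func test_mkdir() {
	// ruleid: incorrect-default-permission
	err := os.Mkdir("/tmp/mydir", 0777)
	if err != nil {
		fmt.Println("Error when creating a directory!")
		return
	}

	// ruleid: incorrect-default-permission
	err = os.MkdirAll("/tmp/mydir", 0777)
	if err != nil {
		fmt.Println("Error when creating a directory!")
		return
	}

	// err is already declared above; ":=" here would not compile
	// (no new variables on left side of :=).
	// NOTE(review): a directory mode of 0600 carries no owner execute (search)
	// bit, so the owner cannot enter it; 0700 is the usual least-privilege
	// directory mode, although this rule's numeric comparison would flag it.
	// ok: incorrect-default-permission
	err = os.MkdirAll("/tmp/mydir", 0600)
	if err != nil {
		fmt.Println("Error when creating a directory!")
		return
	}
}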

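// test_openfile holds the os.OpenFile fixtures: the 0666 call must be
// reported by incorrect-default-permission, the 0600 call must not. The
// "ruleid:" and "ok:" comments are Semgrep test annotations and must stay on
// the line immediately above the call they describe.
func test_openfile() {
	// ruleid: incorrect-default-permission
	f, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
	if err != nil {
		fmt.Println("Error opening a file!")
		return
	}
	// The handle is not used further; close it so the descriptor is not leaked.
	defer f.Close()

	// f and err are already declared above; ":=" here would not compile
	// (no new variables on left side of :=).
	// ok: incorrect-default-permission
	f, err = os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
	if err != nil {
		fmt.Println("Error opening a file!")
		return
	}
	defer f.Close()
}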

// test_writefile holds the ioutil.WriteFile fixture: 0644 is wider than 0600
// and must be reported by incorrect-default-permission. The "ruleid:" comment
// is a Semgrep test annotation and must stay on the line immediately above
// the call.
func test_writefile() {
	// ruleid: incorrect-default-permission
	if err := ioutil.WriteFile("/tmp/demo2", []byte("This is some data"), 0644); err != nil {
		fmt.Println("Error while writing!")
	}
}