go.lang.correctness.permissions.file_permission.incorrect-default-permission

Detected file permissions that are set to more than 0600 (user/owner can read and write). Setting file permissions higher than 0600 is most likely unnecessary and violates the principle of least privilege. Instead, set permissions to 0600 or less for os.Chmod, os.Mkdir, os.OpenFile, os.MkdirAll, and ioutil.WriteFile.
Definition
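rules:
  - id: incorrect-default-permission
    # Reports any of the listed calls whose mode argument is wider than 0600.
    # The comparison only fires when $PERM resolves to an integer literal, and
    # `base: 8` makes that literal read as octal, so 0644 / 0o644 both count.
    #
    # NOTE(review): the same 0600 ceiling is applied to os.Mkdir/os.MkdirAll,
    # but a directory needs its execute bit to be entered, so the minimal
    # usable directory mode 0700 is reported as well. Upstream gosec applies a
    # separate, higher threshold to directory creation; splitting the
    # directory patterns into their own comparison would remove that false
    # positive without loosening the file checks.
    message: >-
      Detected file permissions that are set to more than `0600` (user/owner
      can read and write). Setting file permissions to higher than `0600` is
      most likely unnecessary and violates the principle of least privilege.
      Instead, set permissions to be `0600` or less for os.Chmod, os.Mkdir,
      os.OpenFile, os.MkdirAll, ioutil.WriteFile, and os.WriteFile
    metadata:
      cwe: "CWE-276: Incorrect Default Permissions"
      source_rule_url: https://github.com/securego/gosec
      category: correctness
      technology:
        - go
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - go
    patterns:
      - pattern-either:
          - pattern: os.Chmod($NAME, $PERM)
          - pattern: os.Mkdir($NAME, $PERM)
          - pattern: os.OpenFile($NAME, $FLAG, $PERM)
          - pattern: os.MkdirAll($NAME, $PERM)
          - pattern: ioutil.WriteFile($NAME, $DATA, $PERM)
          # os.WriteFile (Go 1.16+) replaced the deprecated ioutil.WriteFile
          # with the same signature; match both so migrated code stays covered.
          - pattern: os.WriteFile($NAME, $DATA, $PERM)
      - metavariable-comparison:
          metavariable: $PERM
          comparison: $PERM > 0o600
          base: 8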
Examples
file_permission.go
package main
import (
"fmt"
"io/ioutil"
"os"
)
// main is intentionally empty: this file is a Semgrep rule fixture, and the
// test_* functions below exist only to be matched (or not) by the rule.
func main() {}
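// test_chmod exercises the rule against os.Chmod: the first call widens the
// file to 0777 and must be reported, the second narrows it to 0400 and must
// not. Errors are printed rather than returned because the fixture has no
// caller to hand them to.
func test_chmod() {
	// ruleid: incorrect-default-permission
	err := os.Chmod("/tmp/somefile", 0777)
	if err != nil {
		fmt.Println("Error when changing file permissions!")
		return
	}
	// Reassign rather than redeclare: a second `err :=` in the same scope
	// introduces no new variable and does not compile.
	// ok: incorrect-default-permission
	err = os.Chmod("/tmp/somefile", 0400)
	if err != nil {
		fmt.Println("Error when changing file permissions!")
		return
	}
}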
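// test_mkdir exercises the rule against os.Mkdir and os.MkdirAll: 0777 must
// be reported for both, 0600 must not. Errors are printed rather than
// returned because the fixture has no caller to hand them to.
func test_mkdir() {
	// ruleid: incorrect-default-permission
	err := os.Mkdir("/tmp/mydir", 0777)
	if err != nil {
		fmt.Println("Error when creating a directory!")
		return
	}
	// Reassign rather than redeclare: a second `err :=` in the same scope
	// introduces no new variable and does not compile.
	// ruleid: incorrect-default-permission
	err = os.MkdirAll("/tmp/mydir", 0777)
	if err != nil {
		fmt.Println("Error when creating a directory!")
		return
	}
	// 0600 satisfies the rule but carries no execute bit, so a directory
	// created with it cannot be entered; it is kept only as the threshold
	// fixture, not as a recommended directory mode.
	// ok: incorrect-default-permission
	err = os.MkdirAll("/tmp/mydir", 0600)
	if err != nil {
		fmt.Println("Error when creating a directory!")
		return
	}
}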
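// test_openfile exercises the rule against os.OpenFile: creating with 0666
// must be reported, 0600 must not. The returned *os.File was previously
// discarded with `_`, leaking a descriptor on every successful open; both
// handles are now closed.
func test_openfile() {
	// ruleid: incorrect-default-permission
	f, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
	if err != nil {
		fmt.Println("Error opening a file!")
		return
	}
	// Nothing was written, so a Close error carries no information worth
	// reporting in this fixture.
	f.Close()
	// Reassign rather than redeclare: `f, err :=` a second time introduces
	// no new variable and does not compile.
	// ok: incorrect-default-permission
	f, err = os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
	if err != nil {
		fmt.Println("Error opening a file!")
		return
	}
	f.Close()
}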
// test_writefile exercises the rule against ioutil.WriteFile: a 0644 mode
// must be reported. The call deliberately stays on ioutil (deprecated since
// Go 1.16 in favour of os.WriteFile) because that is the API the rule
// pattern names.
func test_writefile() {
	// ruleid: incorrect-default-permission
	if err := ioutil.WriteFile("/tmp/demo2", []byte("This is some data"), 0644); err != nil {
		fmt.Println("Error while writing!")
	}
}