hex0punk / wally

Function callpath mapping analysis tool for Go
Mozilla Public License 2.0

Very strict mode #58

Closed hex0punk closed 3 months ago

hex0punk commented 3 months ago

Introducing a new "very-strict" limiter mode to provide more granular control over the call graph analysis. In this mode, wally matches site call names to the node names. For instance, say in the below example that we are looking for call paths to Foo(). Wally knows that to reach Foo() a function would need to call MyFunc(). In very-strict mode, Wally makes sure that MyFunc() can only be called MyFunc and nothing else. This allows Wally to skip invalid callers that are generated by the "golang.org/x/tools/go/callgraph" algorithms.

package sample

// Foo is the target of the call-path search in the example above.
func Foo() {}

// MyFunc is the only function that reaches Foo directly.
func MyFunc() {
	Foo()
}

// yourFunc reaches Foo through MyFunc; the call site is literally named MyFunc.
func yourFunc() {
	MyFunc()
}
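Added example (editorial, not wally's code and not part of this PR): the very-strict filter applied to a small hand-built call graph. The edge representation, the SiteCallee field, and the function names main, runCallback, Bar and cb are assumptions made for this illustration; the graph mimics what a class-hierarchy-style callgraph algorithm reports when a call through a func-typed value (cb()) is resolved to every function with a matching signature, which is the kind of spurious caller the PR description says very-strict mode skips.

```go
package main

import (
	"fmt"
	"strings"
)

// Edge is one caller->callee edge as a callgraph algorithm would report it.
// SiteCallee is the callee name as written at the call site: "MyFunc" for
// `MyFunc()`, but "cb" for `cb()` through a func-typed variable. (Assumed
// representation for this example, not wally's own types.)
type Edge struct {
	Caller, Callee, SiteCallee string
}

// Graph is an ordered edge list; edge order keeps path output deterministic.
type Graph struct {
	Edges []Edge
}

// callersOf returns the edges targeting callee. With veryStrict set, an edge
// survives only when the name at the call site equals the callee node's name,
// which drops edges a CHA-style algorithm invents for dynamic calls.
func (g *Graph) callersOf(callee string, veryStrict bool) []Edge {
	var out []Edge
	for _, e := range g.Edges {
		if e.Callee != callee {
			continue
		}
		if veryStrict && e.SiteCallee != e.Callee {
			continue // e.g. `cb()` attributed to MyFunc: site says "cb"
		}
		out = append(out, e)
	}
	return out
}

// PathsTo walks callers backwards from target and returns every complete
// call path as "root -> ... -> target". The seen set cuts cycles.
func (g *Graph) PathsTo(target string, veryStrict bool) []string {
	var paths []string
	var walk func(fn string, chain []string, seen map[string]bool)
	walk = func(fn string, chain []string, seen map[string]bool) {
		chain = append([]string{fn}, chain...)
		callers := g.callersOf(fn, veryStrict)
		if len(callers) == 0 {
			paths = append(paths, strings.Join(chain, " -> "))
			return
		}
		for _, e := range callers {
			if seen[e.Caller] {
				continue
			}
			seen[e.Caller] = true
			walk(e.Caller, chain, seen)
			delete(seen, e.Caller)
		}
	}
	walk(target, nil, map[string]bool{target: true})
	return paths
}

// SampleGraph is a constructed graph: the program from the PR description
// plus a runCallback function that invokes a func() value named cb. A CHA-style
// algorithm resolves `cb()` to every func() in the program, so both MyFunc and
// Bar get a caller edge from runCallback whose site name is "cb".
func SampleGraph() *Graph {
	return &Graph{Edges: []Edge{
		{"main", "yourFunc", "yourFunc"},
		{"main", "runCallback", "runCallback"},
		{"yourFunc", "MyFunc", "MyFunc"},
		{"MyFunc", "Foo", "Foo"},
		{"runCallback", "MyFunc", "cb"},
		{"runCallback", "Bar", "cb"},
	}}
}

func main() {
	g := SampleGraph()
	for _, strict := range []bool{false, true} {
		fmt.Printf("very-strict=%v\n", strict)
		for _, p := range g.PathsTo("Foo", strict) {
			fmt.Println("  ", p)
		}
	}
}
```

Without the filter the search reports two paths to Foo, one of them through runCallback, which never calls MyFunc by name; with very-strict enabled only the path through yourFunc remains. The trade-off is the one the PR title implies: a genuine call through a func value or interface whose site name differs from the callee's name is dropped too, so very-strict trades recall for precision.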
dryrunsecurity[bot] commented 3 months ago

DryRun Security Summary

This pull request introduces various improvements and enhancements to the Wally tool, including improved limiter mode validation, enhanced documentation, potential security concerns, callgraph analysis enhancements, and the addition of utility functions, all of which aim to enhance the functionality and security of the tool.

**Summary:** The code changes in this pull request cover various improvements and enhancements to the Wally tool, a static analysis tool for mapping function paths in Go code. The key changes include:

1. **Improved Limiter Mode Validation**: The changes in the `cmd/search.go` and `cmd/map.go` files update the validation of the `limiterMode` parameter, ensuring that it is not set to a value higher than 4. This is a reasonable restriction to prevent potential issues with the callgraph algorithm.
2. **Enhanced Documentation**: The changes in the `README.md` file provide more detailed information and guidance around the various configuration options and usage modes of Wally, including details on route detection, call path analysis, limiter modes, and visualization capabilities.
3. **Potential Security Concerns**: In the `sampleapp/main.go` file, the introduction of the `printer.PrintOrPanic()` function and the handling of string character access raise potential security concerns. It's important to ensure that these functions handle errors gracefully and don't allow for potential denial-of-service (DoS) attacks or other security issues.
4. **Callgraph Analysis Enhancements**: The changes in the `wallylib/callmapper/callmapper.go` file introduce a new `VeryStrict` limiter mode, which can help improve the precision of the call graph analysis by ensuring that the call sites match the function names more closely. This can be particularly useful for identifying potential security vulnerabilities.
5. **Utility Function Additions**: The changes in the `wallylib/core.go` file introduce two new functions, `GetCalleNameFromSite` and `GetFunctionFromSite`, which seem to be utility helpers for tasks like call graph analysis and function identification. While these changes do not directly introduce security vulnerabilities, it's important to monitor their usage and ensure they are not being leveraged in a way that could lead to security issues.

**Files Changed:**

1. `cmd/search.go`: The changes update the validation of the `limiterMode` parameter, ensuring that it is not set to a value higher than 4.
2. `README.md`: The changes provide more detailed information and guidance around the various configuration options and usage modes of Wally.
3. `cmd/map.go`: The changes update the validation of the `limiterMode` parameter, ensuring that it is not set to a value higher than 4.
4. `sampleapp/main.go`: The changes introduce a new `RunAll()` function and raise potential security concerns regarding the `printer.PrintOrPanic()` function and the handling of string character access.
5. `wallylib/callmapper/callmapper.go`: The changes introduce a new `VeryStrict` limiter mode, which can help improve the precision of the call graph analysis.
6. `wallylib/core.go`: The changes introduce two new utility functions, `GetCalleNameFromSite` and `GetFunctionFromSite`, which seem to be related to the analysis of call instructions and functions.

Code Analysis

We ran 9 analyzers against 6 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 1 finding

Riskiness

:green_circle: Risk threshold not exceeded.
