praetorian-inc / gokart

A static analysis tool for securing Go code
Apache License 2.0

GoKart panics in the `TaintAnalyzer` #83

Open smoyer64 opened 1 year ago

smoyer64 commented 1 year ago

When scanning a project, GoKart panics with the following trace when running the TaintAnalyzer:

gokart scan
Using config found at /home/smoyer1/.gokart/analyzers.yml

Revving engines VRMMM VRMMM
3...2...1...Go!
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x9ebf55]

goroutine 1 [running]:
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc00235c210, 0x3?, 0xa, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:175 +0x3f5
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc00646a2e0, 0x0?, 0x9, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:200 +0x267b
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc00235cc10, 0x0?, 0x8, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:171 +0x1105
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc003cd81d0, 0xb70b90?, 0x7, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:163 +0x1816
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc006396d10, 0x0?, 0x6, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:141 +0x1fb2
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc0063b0e58, 0x0?, 0x5, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:232 +0x8b3
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc00235e030, 0x0?, 0x4, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:270 +0x1de9
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc00235e580, 0x3?, 0x3, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:212 +0x4ec
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc00235ea90, 0x4?, 0x2, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:200 +0x267b
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc0063c0460, 0x0?, 0x1, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:200 +0x267b
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaintRecurse(0xc00235f3f8, 0xc0063c4140, 0xc0063c60b0, 0x15?, 0x0, {0xc00235f2d8?, 0x0, 0x0})
        /home/smoyer1/git/gokart/util/taint.go:171 +0x1105
github.com/praetorian-inc/gokart/util.(*TaintAnalyzer).ContainsTaint(...)
        /home/smoyer1/git/gokart/util/taint.go:62
github.com/praetorian-inc/gokart/analyzers.ssrfRun(0xc0066043c0)
        /home/smoyer1/git/gokart/analyzers/ssrf.go:157 +0x6d5
github.com/praetorian-inc/gokart/run.RunAnalyzers({0x1088f00, 0x5, 0xb70eab?}, 0xc000b95c80)
        /home/smoyer1/git/gokart/run/run.go:173 +0x502
github.com/praetorian-inc/gokart/run.Run({0x1088f00, 0x5, 0x5}, {0xc00019b9c0?, 0x0?, 0x0?})
        /home/smoyer1/git/gokart/run/run.go:42 +0x11e
github.com/praetorian-inc/gokart/analyzers.Scan({0xc00019b9c0?, 0x1, 0x1})
        /home/smoyer1/git/gokart/analyzers/scan.go:163 +0x5d8
github.com/praetorian-inc/gokart/cmd.glob..func1(0x1090500?, {0x10c87a8, 0x0, 0x0})
        /home/smoyer1/git/gokart/cmd/scan.go:91 +0x42d
github.com/spf13/cobra.(*Command).execute(0x1090500, {0x10c87a8, 0x0, 0x0})
        /home/smoyer1/go/pkg/mod/github.com/spf13/cobra@v1.2.1/command.go:860 +0x663
github.com/spf13/cobra.(*Command).ExecuteC(0x1090280)
        /home/smoyer1/go/pkg/mod/github.com/spf13/cobra@v1.2.1/command.go:974 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
        /home/smoyer1/go/pkg/mod/github.com/spf13/cobra@v1.2.1/command.go:902
github.com/praetorian-inc/gokart/cmd.Execute(...)
        /home/smoyer1/git/gokart/cmd/root.go:61
main.main()
        /home/smoyer1/git/gokart/main.go:38 +0x25

This occurs because the Pkg field of a function might be nil according to the code's comments, but no nil check is included:

https://github.com/golang/tools/blob/b01e7a4e75d3f07db097384f829839c6628a46c8/go/ssa/ssa.go#L306-L317

As an aside, the project producing this panic includes generics which might be related or at least sympathetic. If so, it's related to #72. Feel free to assign this to me as I've got both this issue and #72 fixed and running as expected against a project that contains generics.
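As an added example, not GoKart's code and not the fix for this issue: a nil-safe package lookup and a hypothetical depth-bounded walk over constructed stand-in types that mirror the `Pkg` field of `ssa.Function` and `ssa.Package`. The call edges, the sink matching by import path plus name and the walk itself are assumptions for illustration, not how `ContainsTaintRecurse` works.

```go
package main

import (
	"fmt"
	"go/types"
)

// Constructed stand-ins for ssa.Function and ssa.Package with only the fields
// used here; per the ssa.go comments, Function.Pkg is nil for shared wrappers.
type Function struct {
	Name    string
	Pkg     *Package
	Callees []*Function // constructed call edges, not real SSA
}

type Package struct{ Pkg *types.Package }

func newPackage(path, name string) *Package { return &Package{Pkg: types.NewPackage(path, name)} }

// packagePath resolves fn's import path without dereferencing a nil Pkg.
func packagePath(fn *Function) (string, bool) {
	if fn == nil || fn.Pkg == nil || fn.Pkg.Pkg == nil {
		return "", false
	}
	return fn.Pkg.Pkg.Path(), true
}

// reachesSink is a hypothetical depth-bounded walk over the call edges: is the
// sink (import path plus name) reachable? Nil-Pkg wrappers are walked, not dereferenced.
func reachesSink(fn *Function, sinkPkg, sinkName string, depth int, seen map[*Function]bool) bool {
	if fn == nil || depth < 0 || seen[fn] {
		return false
	}
	seen[fn] = true
	if p, ok := packagePath(fn); ok && p == sinkPkg && fn.Name == sinkName {
		return true
	}
	for _, c := range fn.Callees {
		if reachesSink(c, sinkPkg, sinkName, depth-1, seen) {
			return true
		}
	}
	return false
}

func main() {
	get := &Function{Name: "Get", Pkg: newPackage("net/http", "http")}
	wrapper := &Function{Name: "Fetch$bound", Callees: []*Function{get}} // Pkg == nil
	handler := &Function{Name: "Handler", Pkg: newPackage("example.com/app", "app"), Callees: []*Function{wrapper}}
	fmt.Println(reachesSink(handler, "net/http", "Get", 10, map[*Function]bool{})) // true
}
```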