Open BinaryFissionGames opened 1 month ago
Summary
When using exec.Command with user defined input, I expect G204 (Subprocess launched with variable) to trigger. However, if that user defined input is used directly from a function parameter, it does not trigger G204.
Steps to reproduce the behavior
See this Go program:
```go
package main

import (
	"os"
	"os/exec"
)

func main() {
	execCommand(os.Args[0])
}

// The command string is passed straight from the function parameter
// into exec.Command; gosec v2.20.0 reports no G204 finding here.
func execCommand(command string) {
	cmd := exec.Command("bash", "-c", command)
	err := cmd.Run()
	if err != nil {
		panic(err)
	}
}
```
I'd expect this to trigger G204; however, gosec reports no issues.
If I make a small change and assign the command string to a new variable, however, gosec properly detects the issue:
```go
package main

import (
	"os"
	"os/exec"
)

func main() {
	execCommand(os.Args[0])
}

// Same program, but the parameter is first copied into a local
// variable; gosec v2.20.0 now reports G204 on the exec.Command call.
func execCommand(command string) {
	cmdStr := command
	cmd := exec.Command("bash", "-c", cmdStr)
	err := cmd.Run()
	if err != nil {
		panic(err)
	}
}
```
This DOES trigger G204, as expected.
gosec version
v2.20.0
Go version (output of 'go version')
go version go1.21.9 darwin/arm64
Operating system / Environment
macOS Sonoma 14.5
Expected behavior
Expected G204 to trigger
Actual behavior
G204 does not trigger
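As an added illustration of the gap reported above, the following Go program is a small go/ast analyzer written for this page; it is not gosec's code and only models the behaviour the report describes. It assumes (as an assumption, not verified against gosec's implementation) that a rule flags an exec.Command argument when the identifier was declared by a non-literal assignment inside the function, and that a parameter slips through because the parser records its declaration as an *ast.Field rather than an *ast.AssignStmt. The three embedded sources are constructed inputs mirroring the two programs in the report plus a literal-only control. Run with includeParams=false to reproduce the miss, and with includeParams=true to see the parameter case caught.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed inputs (not taken verbatim from the report): a parameter passed
// straight to exec.Command, the same value copied into a local first, and a
// local assigned from a string literal.
const paramSrc = `package main
import "os/exec"
func execCommand(command string) {
	cmd := exec.Command("bash", "-c", command)
	_ = cmd.Run()
}`

const localSrc = `package main
import "os/exec"
func execCommand(command string) {
	cmdStr := command
	cmd := exec.Command("bash", "-c", cmdStr)
	_ = cmd.Run()
}`

const constSrc = `package main
import "os/exec"
func execCommand() {
	cmdStr := "ls"
	cmd := exec.Command("bash", "-c", cmdStr)
	_ = cmd.Run()
}`

// isExecCommand reports whether call is exec.Command(...).
func isExecCommand(call *ast.CallExpr) bool {
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	pkg, ok := sel.X.(*ast.Ident)
	return ok && pkg.Name == "exec" && sel.Sel.Name == "Command"
}

// allLiterals reports whether every right-hand side of an assignment is a
// basic literal, i.e. the assigned variable is effectively a constant.
func allLiterals(as *ast.AssignStmt) bool {
	for _, rhs := range as.Rhs {
		if _, ok := rhs.(*ast.BasicLit); !ok {
			return false
		}
	}
	return true
}

// taintedArg decides whether arg is a variable whose value is not a literal.
// Locals declared by a non-literal assignment always count; function
// parameters (declared by an *ast.Field) count only when includeParams is set.
// This split is an assumption modelling the reported behaviour, not gosec's logic.
func taintedArg(arg ast.Expr, includeParams bool) bool {
	id, ok := arg.(*ast.Ident)
	if !ok || id.Obj == nil || id.Obj.Kind != ast.Var {
		return false
	}
	switch decl := id.Obj.Decl.(type) {
	case *ast.AssignStmt:
		return !allLiterals(decl)
	case *ast.Field:
		return includeParams
	}
	return false
}

// FindVariableSubprocess parses src and returns the line of every exec.Command
// call that has at least one tainted argument. includeParams=false reproduces
// the gap described in the issue; includeParams=true closes it.
func FindVariableSubprocess(src string, includeParams bool) ([]int, error) {
	fset := token.NewFileSet()
	// Mode 0 keeps object resolution on, so ident.Obj.Decl points at the declaration.
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || !isExecCommand(call) {
			return true
		}
		for _, arg := range call.Args {
			if taintedArg(arg, includeParams) {
				lines = append(lines, fset.Position(call.Pos()).Line)
				break
			}
		}
		return true
	})
	return lines, nil
}

func main() {
	for _, tc := range []struct{ name, src string }{
		{"parameter", paramSrc}, {"local copy", localSrc}, {"literal", constSrc},
	} {
		localsOnly, _ := FindVariableSubprocess(tc.src, false)
		withParams, _ := FindVariableSubprocess(tc.src, true)
		fmt.Printf("%-10s locals-only: %v  with params: %v\n", tc.name, localsOnly, withParams)
	}
}
```

The locals-only pass flags the local-copy program on its exec.Command line and nothing in the parameter program, which is the asymmetry the report describes; treating *ast.Field declarations as tainted is the one-line change that makes the parameter case visible, at the cost of flagging every parameter-derived argument regardless of what callers pass.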