feat: extend go logger rule (#301)

Co-authored-by: Cédric Fabianski <[email protected]>
Co-authored-by: Cédric Fabianski <[email protected]>

rules/go/lang/log_output_neutralization.yml

@@ -14,10 +14,13 @@ patterns:
       - variable: INPUT
         detection: go_lang_log_output_neutralization_input
   - pattern: |
-      $<ZEROLOG>.$<EVENT>.$<METHOD>($<INPUT>);
+      $<CALLER>.$<EVENT>().$<METHOD>($<INPUT>);
     filters:
-      - variable: ZEROLOG
-        detection: go_lang_log_output_neutralization_zerolog
+      - either:
+          - variable: CALLER
+            detection: go_lang_log_output_neutralization_logger
+          - variable: CALLER
+            detection: go_lang_log_output_neutralization_zerolog
       - variable: EVENT
         regex: \A(Info|Debug|Error|Trace|Fatal|Panic|Warn)\z
       - variable: METHOD
@@ -61,6 +64,12 @@ auxiliary:
     patterns:
       - log.New();
       - log.Default();
+      - log
+      - import $<!>"log"
+      - |
+        import (
+          $<!>"log"
+        )
   - id: go_lang_log_output_neutralization_zerolog
     patterns:
       - import $<!>"github.com/rs/zerolog"

rules/go/lang/logger.yml

@@ -1,19 +1,113 @@
 imports:
   - go_shared_lang_datatype
 patterns:
-  - pattern: log.$<LOGLEVEL>().$<METHOD>($<DATA_TYPE>)
+  - pattern: |
+      $<CALLER>.$<METHOD>($<DATA_TYPE>);
     filters:
-      - variable: LOGLEVEL
-        values:
-          - Error
-          - Debug
+      - either:
+          - variable: CALLER
+            detection: go_lang_logger_log
+          - variable: CALLER
+            detection: go_lang_logger_zerolog
+      - variable: METHOD
+        regex: \A(Fatal|Panic|Print)(f|ln)?\z
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+  - pattern: |
+      $<CALLER>.$<EVENT>().$<METHOD>($<DATA_TYPE>);
+    filters:
+      - either:
+          - variable: CALLER
+            detection: go_lang_logger_log
+          - variable: CALLER
+            detection: go_lang_logger_zerolog
+      - variable: EVENT
+        regex: \A(Info|Debug|Error|Trace|Fatal|Panic|Warn)\z
       - variable: METHOD
         values:
-          - Msgf
           - Msg
+          - Msgf
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+  - pattern: |
+      $<CALLER>.$<METHOD>($<DATA_TYPE>);
+    filters:
+      - either:
+          - variable: CALLER
+            detection: go_lang_logger_logrus
+          - variable: CALLER
+            detection: go_lang_logger_seelog
+      - variable: METHOD
+        regex: \A(WithFields\.)?(Info|Debug|Error|Trace|Fatal|Panic|Warn)\z
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+  - pattern: |
+      $<CALLER>.$<METHOD>($<DATA_TYPE>);
+    filters:
+      - variable: CALLER
+        detection: go_lang_logger_glog
+      - variable: METHOD
+        regex: \A(Info|Warning|Error|Fatal)(Contex)?(Depth)?(f)?\z
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+  - pattern: |
+      $<ZAP>.$<METHOD>($<DATA_TYPE>);
+    filters:
+      - variable: ZAP
+        detection: go_lang_logger_zap
+      - variable: METHOD
+        regex: \A(WithFields\.)?(Info|Log|Error|Fatal|DPanic|Warn)\z
       - variable: DATA_TYPE
         detection: go_shared_lang_datatype
         scope: result
+auxiliary:
+  - id: go_lang_logger_log
+    patterns:
+      - log
+      - log.New();
+      - log.Default();
+      - import $<!>"log"
+      - |
+        import (
+          $<!>"log"
+        )
+  - id: go_lang_logger_zerolog
+    patterns:
+      - import $<!>"github.com/rs/zerolog"
+      - |
+        import (
+          $<!>"github.com/rs/zerolog"
+        )
+  - id: go_lang_logger_logrus
+    patterns:
+      - logrus.New();
+      - import $<!>"github.com/sirupsen/logrus"
+      - |
+        import (
+          $<!>"github.com/sirupsen/logrus"
+        )
+  - id: go_lang_logger_zap
+    patterns:
+      - zap.$<_>().Sugar()
+      - zap.$<_>()
+  - id: go_lang_logger_seelog
+    patterns:
+      - import $<!>"github.com/cihub/seelog"
+      - |
+        import (
+          $<!>"github.com/cihub/seelog"
+        )
+  - id: go_lang_logger_glog
+    patterns:
+      - import $<!>"github.com/golang/glog"
+      - |
+        import (
+          $<!>"github.com/golang/glog"
+        )
 languages:
   - go
 skip_data_types:

rules/go/lang/logger_leak.yml

@@ -0,0 +1,157 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: |
+      $<CALLER>.$<METHOD>($<...>$<INPUT>$<...>)
+    filters:
+      - either:
+          - variable: CALLER
+            detection: go_lang_logger_leak_logger
+          - variable: CALLER
+            detection: go_lang_logger_leak_zerolog
+      - variable: METHOD
+        regex: \A(Fatal|Panic|Print)(f|ln)?\z
+      - not:
+          variable: INPUT
+          detection: string_literal
+          scope: cursor
+      - not:
+          variable: INPUT
+          detection: go_shared_lang_datatype
+          scope: result
+  - pattern: |
+      $<CALLER>.$<EVENT>().$<METHOD>($<...>$<INPUT>$<...>);
+    filters:
+      - either:
+          - variable: CALLER
+            detection: go_lang_logger_leak_logger
+          - variable: CALLER
+            detection: go_lang_logger_leak_zerolog
+      - variable: EVENT
+        regex: \A(Info|Debug|Error|Trace|Fatal|Panic|Warn)\z
+      - variable: METHOD
+        values:
+          - Msg
+          - Msgf
+      - not:
+          variable: INPUT
+          detection: string_literal
+          scope: cursor
+      - not:
+          variable: INPUT
+          detection: go_shared_lang_datatype
+          scope: result
+  - pattern: |
+      $<CALLER>.$<METHOD>($<...>$<INPUT>$<...>);
+    filters:
+      - either:
+          - variable: CALLER
+            detection: go_lang_logger_leak_logrus
+          - variable: CALLER
+            detection: go_lang_logger_leak_seelog
+      - variable: METHOD
+        regex: \A(WithFields\.)?(Info|Debug|Error|Trace|Fatal|Panic|Warn)\z
+      - not:
+          variable: INPUT
+          detection: string_literal
+          scope: cursor
+      - not:
+          variable: INPUT
+          detection: go_shared_lang_datatype
+          scope: result
+  - pattern: |
+      $<CALLER>.$<METHOD>($<...>$<INPUT>$<...>);
+    filters:
+      - variable: CALLER
+        detection: go_lang_logger_leak_glog
+      - variable: METHOD
+        regex: \A(Info|Warning|Error|Fatal)(Contex)?(Depth)?(f)?\z
+      - not:
+          variable: INPUT
+          detection: string_literal
+          scope: cursor
+      - not:
+          variable: INPUT
+          detection: go_shared_lang_datatype
+          scope: result
+  - pattern: |
+      $<ZAP>.$<METHOD>($<...>$<INPUT>$<...>);
+    filters:
+      - variable: ZAP
+        detection: go_lang_logger_leak_zap
+      - variable: METHOD
+        regex: \A(WithFields\.)?(Info|Log|Error|Fatal|DPanic|Warn)\z
+      - not:
+          variable: INPUT
+          detection: string_literal
+          scope: cursor
+      - not:
+          variable: INPUT
+          detection: go_shared_lang_datatype
+          scope: result
+auxiliary:
+  - id: go_lang_logger_leak_logger
+    patterns:
+      - log
+      - log.New();
+      - log.Default();
+      - import $<!>"log"
+      - |
+        import (
+          $<!>"log"
+        )
+  - id: go_lang_logger_leak_zerolog
+    patterns:
+      - import $<!>"github.com/rs/zerolog"
+      - |
+        import (
+          $<!>"github.com/rs/zerolog"
+        )
+  - id: go_lang_logger_leak_logrus
+    patterns:
+      - logrus.New();
+      - import $<!>"github.com/sirupsen/logrus"
+      - |
+        import (
+          $<!>"github.com/sirupsen/logrus"
+        )
+  - id: go_lang_logger_leak_zap
+    patterns:
+      - zap.$<_>().Sugar()
+      - zap.$<_>()
+  - id: go_lang_logger_leak_seelog
+    patterns:
+      - import $<!>"github.com/cihub/seelog"
+      - |
+        import (
+          $<!>"github.com/cihub/seelog"
+        )
+  - id: go_lang_logger_leak_glog
+    patterns:
+      - import $<!>"github.com/golang/glog"
+      - |
+        import (
+          $<!>"github.com/golang/glog"
+        )
+languages:
+  - go
+severity: warning
+metadata:
+  description: "Leakage of information in logger message"
+  remediation_message: |
+    ## Description
+
+    Leaking data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of dynamic data or variables sent to loggers.
+
+    ## Remediations
+
+    ❌ Avoid using variables or dynamic data in logger messages:
+
+    ```go
+    logger.info(f"User is: '{user.email}'")
+    ```
+  cwe_id:
+    - 532
+  id: go_lang_logger_leak
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_logger_leak
+  cloud_code_suggestions: true

tests/go/lang/log_output_neutralization/testdata/main.go

@@ -27,7 +27,7 @@ func bad() {
 
 func bad2() {
 	// bearer:expected go_lang_log_output_neutralization
-	zerolog.Info.Msg(os.Args[0])
+	zerolog.Info().Msg(os.Args[0])
 	// bearer:expected go_lang_log_output_neutralization
 	zerolog.Print(os.Args[0])
 }

tests/go/lang/logger/test.js

@@ -1,30 +1,15 @@
-const {
-  createNewInvoker,
-  getEnvironment,
-} = require("../../../helper.js")
+const { createNewInvoker, getEnvironment } = require("../../../helper.js")
 const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
 
 describe(ruleId, () => {
   const invoke = createNewInvoker(ruleId, ruleFile, testBase)
 
-
-    test("bad", () => {
-      const testCase = "bad.go"
+  test("logger", () => {
+    const testCase = "main.go"
 
-      const results = invoke(testCase)
+    const results = invoke(testCase)
 
-      expect(results.Missing).toEqual([])
-      expect(results.Extra).toEqual([])
-    })
-
-
-    test("ok", () => {
-      const testCase = "ok.go"
-
-      const results = invoke(testCase)
-
-      expect(results.Missing).toEqual([])
-      expect(results.Extra).toEqual([])
-    })
-
-})
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+})