chore(golang): Add rules golang (#177)

.envrc.example

@@ -1,2 +1,3 @@
 export BEARER_VERSION=latest
 export BEARER_WORKSPACE=$PWD/../bearer
+export GO_EXEC=go

.github/workflows/canary_integration_tests.yml

@@ -34,6 +34,8 @@ jobs:
             "php/third_parties",
             "python/lang",
             "go/lang",
+            "go/gosec",
+            "go/gorilla",
           ]
     steps:
       - uses: actions/checkout@v3

.github/workflows/integration_tests.yml

@@ -41,6 +41,8 @@ jobs:
             "php/third_parties",
             "python/lang",
             "go/lang",
+            "go/gosec",
+            "go/gorilla",
           ]
     steps:
       - uses: actions/checkout@v3

rules/go/gorilla/insecure_cookie.yml

@@ -0,0 +1,108 @@
+patterns:
+  - pattern: $<SESSION>
+    filters:
+      - variable: SESSION
+        detection: go_gorilla_insecure_cookie_session
+        scope: cursor_strict
+      - either:
+          - not:
+              variable: SESSION
+              detection: go_gorilla_insecure_cookie_http_only_true
+              scope: cursor_strict
+          - not:
+              variable: SESSION
+              detection: go_gorilla_insecure_cookie_secure_true
+              scope: cursor_strict
+auxiliary:
+  - id: go_gorilla_insecure_cookie_sessions_init
+    patterns:
+      - import $<!>"github.com/gorilla/sessions"
+      - |
+        import (
+          $<!>"github.com/gorilla/sessions"
+        )
+  - id: go_gorilla_insecure_cookie_true
+    patterns:
+      - "true"
+  - id: go_gorilla_insecure_cookie_secure_true
+    patterns:
+      - pattern: "$<_>{ Secure: $<TRUE> }"
+        filters:
+          - variable: "TRUE"
+            detection: go_gorilla_insecure_cookie_true
+            scope: cursor
+  - id: go_gorilla_insecure_cookie_http_only_true
+    patterns:
+      - pattern: "$<_>{ HttpOnly: $<TRUE> }"
+        filters:
+          - variable: "TRUE"
+            detection: go_gorilla_insecure_cookie_true
+            scope: cursor
+  - id: go_gorilla_insecure_cookie_session
+    patterns:
+      - pattern: $<SESSION>.Options{}
+        filters:
+          - variable: SESSION
+            detection: go_gorilla_insecure_cookie_sessions_init
+            scope: cursor
+languages:
+  - go
+metadata:
+  description: "Missing secure options for cookie detected."
+  remediation_message: |
+    ## Description
+
+    Cookies are a critical component of web session management. However, improperly secured cookies can expose your application to attacks, such as session hijacking and cross-site scripting (XSS). It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go.
+
+    ## Remediations
+
+    To ensure that cookies, particularly session cookies, are secure:
+
+    ✅ Configure HttpOnly
+
+    Set the `HttpOnly` attribute to `true` within the Gorilla Sessions cookie store. This prevents client-side scripts from accessing the cookie data, reducing XSS attack risks.
+
+    ```go
+    import (
+        "github.com/gorilla/sessions"
+        "net/http"
+    )
+
+    var store = sessions.NewCookieStore([]byte("your-secret-key"))
+
+    func MyHandler(w http.ResponseWriter, r *http.Request) {
+        // Get a session. We're ignoring the error resulted from decoding an
+        // existing session: Get() always returns a session, even if empty.
+        session, _ := store.Get(r, "session-name")
+        // Set some session values.
+        session.Values["foo"] = "bar"
+        // Set the session to be HttpOnly.
+        session.Options.HttpOnly = true
+        // Save changes.
+        session.Save(r, w)
+    }
+    ```
+
+    ✅ Set Secure Flag
+
+    If your site is served over HTTPS, also set the `Secure` flag on the cookie to ensure it's transmitted over secure channels only.
+
+    ✅ Leverage Gorilla SecureCookie
+
+    Utilize the encoding/decoding capabilities of Gorilla's SecureCookie to securely store session data.
+
+    ✅ Implement Strong Session Management
+
+    Use Gorilla's session management features to create, renew, and expire sessions in a secure manner, preventing session fixation and other session-related attacks.
+
+    ## Resources
+
+    - [Gorilla Sessions Documentation](http://www.gorillatoolkit.org/pkg/sessions)
+    - [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+    - [OWASP Cookies Properties](https://owasp.org/www-community/controls/SecureCookieAttribute)
+
+  cwe_id:
+    - 1004
+    - 614
+  id: go_gorilla_insecure_cookie
+  documentation_url: https://docs.bearer.com/reference/rules/go_gorilla_insecure_cookie

rules/go/lang/information_leakage.yml

@@ -0,0 +1,43 @@
+patterns:
+  - pattern: $<HTTP>.Error($<_>, $<ERROR_DETAILS>$<...>)
+    filters:
+      - variable: HTTP
+        detection: go_lang_information_leakage_http_init
+        scope: cursor
+      - variable: ERROR_DETAILS
+        detection: go_lang_information_leakage_error_details
+        scope: cursor
+auxiliary:
+  - id: go_lang_information_leakage_error_details
+    patterns:
+      - $<_>.Error()
+  - id: go_lang_information_leakage_http_init
+    patterns:
+      - import $<!>"net/http"
+      - |
+        import (
+          $<!>"net/http"
+        )
+languages:
+  - go
+severity: warning
+metadata:
+  description: Possible information leakage detected.
+  remediation_message: |
+    ## Description
+
+    Exposing an exception message is risky because it may contain sensitive information such as the technical details of your application or environment (which in turn could expose your application to path traversal attacks, for example), or worse, user-specific data.
+
+    ## Remediations
+
+    ❌ Avoid printing the full stack trace
+
+    ✅ Less is more! Only log the minimum required details in error messages
+
+    ## Resources
+
+    - [Web Application Security Consortium: Information Leakage](http://projects.webappsec.org/w/page/13246936/Information%20Leakage)
+  cwe_id:
+    - 209
+  id: go_lang_information_leakage
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_information_leakage

rules/go/lang/insecure_cookie.yml

@@ -0,0 +1,84 @@
+patterns:
+  - pattern: $<COOKIE>
+    filters:
+      - variable: COOKIE
+        detection: go_lang_insecure_cookie_http_cookie
+        scope: cursor_strict
+      - either:
+          - not:
+              variable: COOKIE
+              detection: go_lang_insecure_cookie_secure_true
+              scope: cursor_strict
+          - not:
+              variable: COOKIE
+              detection: go_lang_insecure_cookie_http_only_true
+              scope: cursor_strict
+auxiliary:
+  - id: go_lang_insecure_cookie_cookie_init
+    patterns:
+      - import $<!>"net/http"
+      - |
+        import (
+          $<!>"net/http"
+        )
+  - id: go_lang_insecure_cookie_true
+    patterns:
+      - "true"
+  - id: go_lang_insecure_cookie_http_cookie
+    patterns:
+      - pattern: $<HTTP>.Cookie{}
+        filters:
+          - variable: HTTP
+            detection: go_lang_insecure_cookie_cookie_init
+            scope: cursor
+  - id: go_lang_insecure_cookie_secure_true
+    patterns:
+      - pattern: "$<_>{ Secure: $<TRUE> }"
+        filters:
+          - variable: "TRUE"
+            detection: go_lang_insecure_cookie_true
+            scope: cursor
+  - id: go_lang_insecure_cookie_http_only_true
+    patterns:
+      - pattern: "$<_>{ HttpOnly: $<TRUE> }"
+        filters:
+          - variable: "TRUE"
+            detection: go_lang_insecure_cookie_true
+            scope: cursor
+languages:
+  - go
+metadata:
+  description: "Missing secure options for cookie detected."
+  remediation_message: |
+    ## Description
+
+    Cookies without proper security settings can be vulnerable to cross-site scripting (XSS) attacks and potentially provide an avenue for unauthorized access to your application.
+
+    ## Remediations
+
+    To enhance cookie security and protect against common web exploits:
+
+    ✅ **Use HttpOnly Flag**: Set the `HttpOnly` attribute for cookies to `true`. This prevents client-side scripts from accessing the cookie, reducing the risk of client-side attacks.
+
+    ```go
+    http.SetCookie(w, &http.Cookie{
+        Name:     "session_token",
+        Value:    sessionToken,
+        HttpOnly: true, // Secure the cookie from client-side scripts
+        // Additional flags like Secure, SameSite, etc., should be set as needed.
+    })
+    ```
+
+    ✅ **Additional Cookie Attributes**: Alongside `HttpOnly`, consider setting `Secure`, `SameSite`, and `Domain` attributes to further secure cookies based on your application’s requirements.
+
+    ## Resources
+
+    For best practices on setting cookies securely, explore:
+
+    - [OWASP Secure Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+    - [MDN Web Docs: HttpOnly Cookie Attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
+  cwe_id:
+    - 1004
+    - 614
+  id: go_lang_insecure_cookie
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_insecure_cookie

rules/go/lang/xml_external_entity_vulnerability.yml

@@ -0,0 +1,36 @@
+imports:
+  - go_shared_lang_dynamic_request_input
+patterns:
+  - pattern: $<XML>.Unmarshal($<USER_INPUT>$<...>)
+    filters:
+      - variable: XML
+        detection: go_lang_xml_external_entity_vulnerability_xml_init
+      - variable: USER_INPUT
+        detection: go_shared_lang_dynamic_request_input
+auxiliary:
+  - id: go_lang_xml_external_entity_vulnerability_xml_init
+    patterns:
+      - import $<!>"encoding/xml"
+      - |
+        import (
+          $<!>"encoding/xml"
+        )
+languages:
+  - go
+severity: high
+metadata:
+  description: XML External Entity vulnerability detected.
+  remediation_message: |
+    ## Description
+    Avoid parsing untrusted data as XML. Such data could include URIs that resolve to resources that are outside of the current context, leading to XML External Entity (XXE) injection.
+
+    ## Remediations
+
+    ❌ Do not enable parsing of external entities.
+
+    ## Resources
+    - [OWASP XML External Entity (XXE) prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
+  cwe_id:
+    - 611
+  id: go_lang_xml_external_entity_vulnerability
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_xml_external_entity_vulnerability

scripts/invoke.sh

@@ -16,7 +16,7 @@ cp -R $test_location $tmp_location
 
 if [ -n "$BEARER_WORKSPACE" ]; then
   cd $BEARER_WORKSPACE
-  go run ./cmd/bearer/main.go scan $tmp_location \
+  $GO_EXEC run ./cmd/bearer/main.go scan $tmp_location \
     --only-rule=$rule_id \
     --quiet \
     --disable-default-rules=true \