
Conversation

@eshentials

Description

What
Closes #1297
Adds an Autofix suggestion to G304 issues recommending use of os.Root for path-scoped file operations when Go version >= 1.24.
The hint appears on flagged cases (unsafe Join, unresolved path identifiers, string concatenation in paths) and is gated by Go version.

Why
os.Root (Go 1.24+) constrains file operations under a fixed root and prevents directory/symlink traversal by design.
This gives developers a modern and more robust remediation path versus ad-hoc path sanitization alone.

How
Introduces osRootSuggestion() in rules/readfile.go, checks Go version via existing gosec.GoVersion(), and attaches the suggestion via Issue.Autofix when applicable.
No change to detection logic or severity; purely an advisory hint.
Examples (suggestion appears with G304)
os.OpenFile(filepath.Join(base, userInput), ...) when not paired with filepath.Clean
Unresolved path identifiers passed to os.Open/OpenFile/ReadFile
Binary path concatenations

Compatibility
Suggestion only shown for Go >= 1.24 (some Root methods land in 1.25).
Zero behavioral changes to rule triggering; tests remain green.

Tests
go test ./rules -v: 42 passed, 0 failed.
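The remediation the description above points at, shown as an added example that is not part of this PR or of gosec itself: it puts the pattern G304 flags (os.Open over filepath.Join with an untrusted component) next to the os.Root form the new hint recommends, and also runs filepath.IsLocal to show where a purely lexical check stops. The fixture layout (public.txt, secret.txt, the link symlink) is constructed for the demo; it needs a Go 1.24 or newer toolchain for os.OpenRoot.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Added example, not project code. Outcome records what each strategy did
// with one untrusted path component.
type Outcome struct {
	LexicalOK bool  // filepath.IsLocal accepts the input (string check only)
	Joined    bool  // os.Open(filepath.Join(base, input)) succeeded: the G304 pattern
	Rooted    bool  // (*os.Root).Open(input) succeeded: the hinted remediation
	RootedErr error // why os.Root refused, if it did
}

// openJoined is the shape gosec reports as G304: base is trusted, input is
// not, and Join/Clean only normalise the string. ".." still walks out of
// base, and a symlink inside base may point anywhere on the filesystem.
func openJoined(base, input string) (*os.File, error) {
	return os.Open(filepath.Join(base, input)) // G304: file inclusion via variable
}

// openRooted is the remediation the Autofix hint recommends (Go 1.24+):
// os.Root resolves every path component, symlinks included, relative to
// the directory it was opened on and returns an error instead of escaping.
func openRooted(base, input string) (*os.File, error) {
	root, err := os.OpenRoot(base)
	if err != nil {
		return nil, err
	}
	defer root.Close() // a *File already returned by root.Open stays valid
	return root.Open(input)
}

// Compare runs the lexical check and both open strategies on one input.
func Compare(base, input string) Outcome {
	var o Outcome
	o.LexicalOK = filepath.IsLocal(input)
	if f, err := openJoined(base, input); err == nil {
		f.Close()
		o.Joined = true
	}
	f, err := openRooted(base, input)
	if err == nil {
		f.Close()
		o.Rooted = true
	}
	o.RootedErr = err
	return o
}

// SetupFixture builds a constructed layout under a fresh temp directory:
//
//	<tmp>/secret.txt                     outside the served root
//	<tmp>/public/public.txt              inside the served root
//	<tmp>/public/link -> ../secret.txt   symlink that leaves the root
//
// It returns the served root ("<tmp>/public") and a cleanup func.
func SetupFixture() (root string, cleanup func(), err error) {
	tmp, err := os.MkdirTemp("", "osroot-demo-")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(tmp) }
	root = filepath.Join(tmp, "public")
	steps := []error{
		os.Mkdir(root, 0o700),
		os.WriteFile(filepath.Join(tmp, "secret.txt"), []byte("top secret\n"), 0o600),
		os.WriteFile(filepath.Join(root, "public.txt"), []byte("hello\n"), 0o600),
		os.Symlink(filepath.Join("..", "secret.txt"), filepath.Join(root, "link")),
	}
	for _, e := range steps {
		if e != nil {
			cleanup()
			return "", nil, e
		}
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := SetupFixture()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, input := range []string{"public.txt", "../secret.txt", "link"} {
		o := Compare(root, input)
		fmt.Printf("%-14s IsLocal=%-5v Join/Open=%-5v Root.Open=%-5v %v\n",
			input, o.LexicalOK, o.Joined, o.Rooted, o.RootedErr)
	}
}
```

The three inputs cover the cases the description lists: a benign name opens both ways, "../secret.txt" is caught by IsLocal but still opened by the Join pattern, and the symlink passes the lexical check and the Join pattern yet is refused by os.Root, which is the traversal case string sanitisation alone cannot close.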

@eshentials (Author)

@ccojocar pls check

@codecov-commenter

Codecov Report

❌ Patch coverage is 76.92308% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.31%. Comparing base (1216c9b) to head (3470cd3).
⚠️ Report is 104 commits behind head on master.

Files with missing lines   Patch %   Lines
rules/readfile.go          76.92%    6 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1386      +/-   ##
==========================================
- Coverage   68.49%   63.31%   -5.19%     
==========================================
  Files          75       74       -1     
  Lines        4384     5286     +902     
==========================================
+ Hits         3003     3347     +344     
- Misses       1233     1805     +572     
+ Partials      148      134      -14     


@ccojocar merged commit 506407e into securego:master on Sep 16, 2025
6 checks passed

Development

Successfully merging this pull request may close these issues.

suggest os.Root to avoid directory/symlink traversal

3 participants