package rules

import (
	"go/ast"

	"github.com/securego/gosec/v2"
)

// pprofCheck flags a blank import of net/http/pprof. That package registers
// its handlers on http.DefaultServeMux from its init function, so the import
// alone exposes /debug/pprof wherever the default mux is served; the usual
// mitigation is to mount the profiling handlers on a separate, locally bound
// listener rather than the public mux.
type pprofCheck struct {
	gosec.MetaData
	importPath string // import path to report, e.g. "net/http/pprof"
	importName string // explicit local import name to report, "_" for a blank import
}

// ID returns the ID of the check.
func (p *pprofCheck) ID() string {
	return p.MetaData.ID
}

// Match reports an issue for an *ast.ImportSpec whose unquoted path equals
// importPath and whose explicit local name equals importName. An import with
// no local name (spec.Name == nil) is never matched, so with importName set
// to "_" only the blank-import form is reported even though a named import
// of the same package runs the same init registration.
func (p *pprofCheck) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
	spec, ok := n.(*ast.ImportSpec)
	if !ok {
		return nil, nil
	}
	if unquote(spec.Path.Value) != p.importPath {
		return nil, nil
	}
	if spec.Name == nil || spec.Name.Name != p.importName {
		return nil, nil
	}
	return gosec.NewIssue(c, spec, p.ID(), p.What, p.Severity, p.Confidence), nil
}

// NewPprofCheck builds the rule that detects when the profiling endpoint is
// automatically exposed through a blank import of net/http/pprof. The conf
// argument is accepted for interface compatibility and is not consulted.
// The returned node list tells the analyzer to call Match only on import specs.
func NewPprofCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	rule := &pprofCheck{
		MetaData: gosec.MetaData{
			ID:         id,
			Severity:   gosec.High,
			Confidence: gosec.High,
			What:       "Profiling endpoint is automatically exposed on /debug/pprof",
		},
		importPath: "net/http/pprof",
		importName: "_",
	}
	return rule, []ast.Node{(*ast.ImportSpec)(nil)}
}