Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

G307: Unsafe defer call of a method returning an error for defer file.Close() ? #512

Closed
koddr opened this issue Aug 17, 2020 · 4 comments
Closed

G307: Unsafe defer call of a method returning an error for defer file.Close() ? #512

koddr opened this issue Aug 17, 2020 · 4 comments
Labels
enhancement

Comments

@koddr
Copy link

koddr commented Aug 17, 2020

Summary

After update to latest Golang & gosec version, I see this security error:

[...] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
    49:         }
  > 50:         defer file.Close()
    51: 

Summary:
   Files: 6
   Lines: 231
   Nosec: 0
   Issues: 1

My function never changes and looks like:

// ...

// NewConfig returns a new decoded Config struct
func NewConfig(configPath string) (*Config, error) {
	// Validate config path
	if err := ValidateConfigPath(configPath); err != nil {
		return nil, err
	}

	// Create config structure
	config := &Config{}

	// Open config file
	file, err := os.Open(filepath.Clean(configPath))
	if err != nil {
		return nil, err
	}
	defer file.Close() // <-- error G307 (CWE-703) on this line

	// Init new YAML decode
	d := yaml.NewDecoder(file)

	// Start YAML decoding from file
	if err := d.Decode(&config); err != nil {
		return nil, err
	}

	return config, nil
}

// ...

Steps to reproduce the behavior

  1. Create function with open/close file
  2. Run gosec

gosec version

$ gosec

VERSION: 2.4.0
GIT TAG: v2.4.0
BUILD DATE: 2020-07-24T07:54:54Z

Go version (output of 'go version')

go version go1.15 linux/amd64

Operating system / Environment

$ uname -a

Linux vic-linux-pc 5.8.0-2-MANJARO #1 SMP PREEMPT Sat Aug 8 17:55:27 UTC 2020 x86_64 GNU/Linux

Expected behavior

No errors, or solve this error.

Actual behavior

CI (GitHub Actions) send warnings and skip my code to master branch (but this code wasn't changed and works fine at lower version).
@ccojocar
Copy link
Member

ccojocar commented Aug 17, 2020
edited

This is because https://golang.org/pkg/os/#File.Close returns and error which is not checked when calling defer. This was recently introduced to catch this kind of situation which could lead to a crash.

We should maybe rethink this rule since is a common pattern which might generate more headaches than catching security issues.

@koddr
Copy link
Author

koddr commented Aug 18, 2020

@ccojocar hi! Thanks for reply.

I think, better way to make it works, is skip defer ... lines from security checking. At this time, I (and other developers with the same problem) will still add a gosec comment to reset this line, so why not do it right away?

Because I have no idea, how to covering error with this language construction.

@ccojocar
Copy link
Member

This is a solution.

You can use this code snippet to avoid the warning:

defer func() {
    if err := file.Close(); err != nil { 
         logger.Printf("Error closing file: %s\n", err)
    }
}()

koddr added a commit to create-go-app/fiber-go-template that referenced this issue Aug 18, 2020
@koddr
Solve securego/gosec/issues/512
1d49b48
@koddr
Copy link
Author

koddr commented Aug 18, 2020

Thanks, that works! 👍

@koddr koddr closed this as completed Aug 18, 2020
@tomtau tomtau mentioned this issue Oct 22, 2020
Merged
@croissanne croissanne mentioned this issue Mar 18, 2021
Merged
@da-ar da-ar mentioned this issue Jun 3, 2021
Merged
@ryantd ryantd mentioned this issue Jun 22, 2021
Merged
@terrytangyuan terrytangyuan mentioned this issue Jun 23, 2021
Merged
1 task
@gcase555 gcase555 mentioned this issue Jun 23, 2021
Merged
@ivolzhevbt ivolzhevbt mentioned this issue Jul 1, 2021
Merged
@030 030 mentioned this issue Oct 10, 2021
Closed
@achiku achiku mentioned this issue Oct 18, 2021
Closed
@rajendraindukuri rajendraindukuri mentioned this issue Oct 29, 2021
Merged
@ppcamp ppcamp mentioned this issue Nov 14, 2021
Merged
@jorge-ibm jorge-ibm mentioned this issue Nov 19, 2021
Merged
alexandernst pushed a commit to Develatio/nebulant-cli that referenced this issue Jan 3, 2022
@NachE
G307 -- securego/gosec#512
236a48d
alexandernst pushed a commit to Develatio/nebulant-cli that referenced this issue Jan 3, 2022
@NachE @alexandernst
G307 -- securego/gosec#512
9fc18be
@daemon1024 daemon1024 mentioned this issue May 6, 2022
Merged
@lucasgarfield lucasgarfield mentioned this issue Jun 21, 2022
Merged
vpayno added a commit to vpayno/gophercises-quizgame that referenced this issue Aug 2, 2022
@vpayno
fix: resolve gosec error G307
854cf06 
```
G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File"
```

Solution from:
securego/gosec#512
vpayno added a commit to vpayno/gophercises-quizgame that referenced this issue Aug 2, 2022
@vpayno
fix: resolve gosec error G307
3df294f 
```
G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File"
```

Solution from:
securego/gosec#512
@geraldywy geraldywy mentioned this issue Sep 12, 2022
Merged
@daemon1024 daemon1024 mentioned this issue Feb 7, 2023
Merged
2 tasks
kaihendry added a commit to kaihendry/ltabus that referenced this issue Feb 14, 2023
@kaihendry
Address G307 securego/gosec#512
661ba8a
This was referenced Feb 16, 2023
Open
Open
This was referenced Feb 17, 2023
Closed
Closed
rm3l added a commit to redhat-developer/odo that referenced this issue Mar 27, 2023
@rm3l
Make sure to handle error returned by ReadCloser.Close in 'defer' sta…
deebf3d 
…tements

This is considered unsafe by gosec otherwise. See [1].

[1] securego/gosec#512
rm3l added a commit to redhat-developer/odo that referenced this issue Mar 27, 2023
@rm3l
Make sure to handle error returned by ReadCloser.Close in 'defer' sta…
a1be6d6 
…tements in 'helper_http.go'

This is considered unsafe by gosec otherwise. See [1].

This also makes sure to fix the warning with calling defer in a loop.

[1] securego/gosec#512
@rgmz rgmz mentioned this issue Apr 17, 2023
Merged
3 tasks
@Piccirello Piccirello mentioned this issue Apr 28, 2023
Merged
rm3l added a commit to redhat-developer/odo that referenced this issue May 16, 2023
@rm3l
Make sure to handle error returned by io.Closer.Close() in 'defer' st…
b7eaaeb 
…atements

This is considered unsafe by gosec otherwise.

[1] securego/gosec#512
[2] securego/gosec#714
[3] https://www.joeshaw.org/dont-defer-close-on-writable-files/
openshift-merge-robot pushed a commit to redhat-developer/odo that referenced this issue May 16, 2023
@dependabot @rm3l
Go: Bump github.com/securego/gosec/v2 from 2.14.0 to 2.15.0 (#6686)
50cb5c9 
* Go: Bump github.com/securego/gosec/v2 from 2.14.0 to 2.15.0

Bumps [github.com/securego/gosec/v2](https://github.com/securego/gosec) from 2.14.0 to 2.15.0.
- [Release notes](https://github.com/securego/gosec/releases)
- [Changelog](https://github.com/securego/gosec/blob/master/.goreleaser.yml)
- [Commits](securego/gosec@v2.14.0...v2.15.0)

---
updated-dependencies:
- dependency-name: github.com/securego/gosec/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Make sure to handle error returned by io.Closer.Close() in 'defer' statements

This is considered unsafe by gosec otherwise.

[1] securego/gosec#512
[2] securego/gosec#714
[3] https://www.joeshaw.org/dont-defer-close-on-writable-files/

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Armel Soro <asoro@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ccojocar @koddr