// Package properpermissions implements a static analyzer to ensure that Prysm does not
// call the MkdirAll or WriteFile functions of os and io/ioutil directly, as they are unsafe
// when it comes to guaranteeing file permissions and not overriding existing permissions.
// Instead, users are warned to utilize shared/file as the canonical solution.
package properpermissions
import (
"errors"
"fmt"
"go/ast"
"golang.org/x/tools/go/analysis"
"golang.org/x/tools/go/analysis/passes/inspect"
"golang.org/x/tools/go/ast/inspector"
)
// Doc is the help text registered with the analyzer.
const Doc = "Tool to enforce usage of Prysm's internal file-writing utils instead of os.MkdirAll or ioutil.WriteFile"

// errUnsafePackage carries the explanation that prefixes every diagnostic the
// analyzer emits.
var errUnsafePackage = errors.New("os and ioutil dir and file writing functions are not permissions-safe, use shared/file")

// disallowedFns names the functions that are reported when they are called
// through an import of os or io/ioutil.
var disallowedFns = []string{"MkdirAll", "WriteFile"}
// Analyzer is the properpermissions analysis pass. It requires the inspect
// pass, whose result run reads from pass.ResultOf, and hands each package to run.
var Analyzer = &analysis.Analyzer{
	Name:     "properpermissions",
	Doc:      Doc,
	Run:      run,
	Requires: []*analysis.Analyzer{inspect.Analyzer},
}
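// run reports every call to one of disallowedFns that is made through an
// import of os or io/ioutil, under whatever name the file imported the package.
//
// It returns an error only when the inspect pass result is not an
// *inspector.Inspector; findings are delivered as diagnostics on pass.
//
// NOTE(review): matching is purely syntactic (selector "alias.Fn" in call
// position). Consequences visible from this code:
//   - a dot import (import . "os") records the alias ".", which can never
//     match an identifier, so unqualified MkdirAll/WriteFile calls are not
//     reported;
//   - a disallowed function taken as a value (f := os.WriteFile) and called
//     later is not reported, because only the call's Fun expression is checked;
//   - a local identifier that shadows the import name would be reported too,
//     since only the identifier's name is compared.
//
// Resolving the callee through type information would close these gaps.
func run(pass *analysis.Pass) (interface{}, error) {
	inspection, ok := pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)
	if !ok {
		return nil, errors.New("analyzer is not type *inspector.Inspector")
	}

	nodeFilter := []ast.Node{
		(*ast.File)(nil),
		(*ast.ImportSpec)(nil),
		(*ast.CallExpr)(nil),
	}

	// aliases maps the local package name used in the current file to the
	// quoted import path it stands for.
	aliases := make(map[string]string)

	inspection.Preorder(nodeFilter, func(node ast.Node) {
		switch stmt := node.(type) {
		case *ast.File:
			// Import names are file-scoped, so start over for each file.
			aliases = make(map[string]string)

		case *ast.ImportSpec:
			// Path.Value is the literal as written, quotes included.
			pkg := stmt.Path.Value
			var defaultName string
			switch pkg {
			case "\"os\"":
				defaultName = "os"
			case "\"io/ioutil\"":
				defaultName = "ioutil"
			default:
				return
			}
			if stmt.Name != nil {
				aliases[stmt.Name.Name] = pkg
			} else {
				aliases[defaultName] = pkg
			}

		case *ast.CallExpr:
			for alias, pkg := range aliases {
				for _, fn := range disallowedFns {
					if !isPkgDot(stmt.Fun, alias, fn) {
						continue
					}
					// Report the finished message directly instead of passing
					// it to Reportf as a format string: the text is built from
					// source identifiers and must not be re-interpreted for
					// formatting verbs (go vet's printf check flags that).
					pass.Report(analysis.Diagnostic{
						Pos: node.Pos(),
						Message: fmt.Sprintf(
							"%v: %s.%s() (from %s)",
							errUnsafePackage,
							alias,
							fn,
							pkg,
						),
					})
				}
			}
		}
	})

	return nil, nil
}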
// isPkgDot reports whether expr is the selector expression pkg.name, with both
// sides being plain identifiers.
func isPkgDot(expr ast.Expr, pkg, name string) bool {
	selector, isSelector := expr.(*ast.SelectorExpr)
	if !isSelector {
		return false
	}
	if !isIdent(selector.X, pkg) {
		return false
	}
	return isIdent(selector.Sel, name)
}
// isIdent reports whether expr is an identifier whose name equals ident.
// Only the name is compared; what the identifier resolves to is not checked.
func isIdent(expr ast.Expr, ident string) bool {
	if id, ok := expr.(*ast.Ident); ok {
		return id.Name == ident
	}
	return false
}