mirror of
https://gitlab.com/pulsechaincom/prysm-pulse.git
synced 2024-12-23 11:57:18 +00:00
ee5d75732d
* Add pkg crypto * Update go.yml Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com>
85 lines
2.4 KiB
Go
85 lines
2.4 KiB
Go
// Package cryptorand implements a static analyzer to ensure that the crypto/rand package is used
|
|
// for randomness throughout the codebase.
|
|
package cryptorand
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"go/ast"
|
|
"strings"
|
|
|
|
"golang.org/x/tools/go/analysis"
|
|
"golang.org/x/tools/go/analysis/passes/inspect"
|
|
"golang.org/x/tools/go/ast/inspector"
|
|
)
|
|
|
|
// Doc explaining the tool.
|
|
const Doc = "Tool to enforce the use of stronger crypto: crypto/rand instead of math/rand"
|
|
|
|
var errWeakCrypto = errors.New("crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/crypto/rand")
|
|
|
|
// Analyzer runs static analysis.
|
|
var Analyzer = &analysis.Analyzer{
|
|
Name: "cryptorand",
|
|
Doc: Doc,
|
|
Requires: []*analysis.Analyzer{inspect.Analyzer},
|
|
Run: run,
|
|
}
|
|
|
|
func run(pass *analysis.Pass) (interface{}, error) {
|
|
inspection, ok := pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)
|
|
if !ok {
|
|
return nil, errors.New("analyzer is not type *inspector.Inspector")
|
|
}
|
|
|
|
nodeFilter := []ast.Node{
|
|
(*ast.File)(nil),
|
|
(*ast.ImportSpec)(nil),
|
|
(*ast.CallExpr)(nil),
|
|
}
|
|
|
|
aliases := make(map[string]string)
|
|
disallowedFns := []string{"NewSource", "New", "Seed", "Int63", "Uint32", "Uint64", "Int31", "Int",
|
|
"Int63n", "Int31n", "Intn", "Float64", "Float32", "Perm", "Shuffle", "Read"}
|
|
|
|
inspection.Preorder(nodeFilter, func(node ast.Node) {
|
|
switch stmt := node.(type) {
|
|
case *ast.File:
|
|
// Reset aliases (per file).
|
|
aliases = make(map[string]string)
|
|
case *ast.ImportSpec:
|
|
// Collect aliases to rand packages.
|
|
pkg := stmt.Path.Value
|
|
if strings.HasSuffix(pkg, "/rand\"") && !strings.Contains(pkg, "/prysm/crypto/rand") {
|
|
if stmt.Name != nil {
|
|
aliases[stmt.Name.Name] = stmt.Path.Value
|
|
} else {
|
|
aliases["rand"] = stmt.Path.Value
|
|
}
|
|
}
|
|
case *ast.CallExpr:
|
|
// Check if any of disallowed functions have been used.
|
|
for pkg, path := range aliases {
|
|
for _, fn := range disallowedFns {
|
|
if isPkgDot(stmt.Fun, pkg, fn) {
|
|
pass.Reportf(node.Pos(), fmt.Sprintf(
|
|
"%s: %s.%s() (from %s)", errWeakCrypto.Error(), pkg, fn, path))
|
|
}
|
|
}
|
|
}
|
|
}
|
|
})
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
func isPkgDot(expr ast.Expr, pkg, name string) bool {
|
|
sel, ok := expr.(*ast.SelectorExpr)
|
|
return ok && isIdent(sel.X, pkg) && isIdent(sel.Sel, name)
|
|
}
|
|
|
|
func isIdent(expr ast.Expr, ident string) bool {
|
|
id, ok := expr.(*ast.Ident)
|
|
return ok && id.Name == ident
|
|
}
|