Add the G304 rule example

Aisuko · Aisuko · commit 905c174bfbf9 · 2020-04-15T22:24:54.000+08:00
Signed-off-by: Aisuko &lt;urakiny@gmail.com&gt;
diff --git a/docs/rules/g304_file-path_provided_as_taint_input.md b/docs/rules/g304_file-path_provided_as_taint_input.md
@@ -0,0 +1,60 @@
+---
+id: g304
+title: G304: File path provided as taint input
+---
+
+Trying to open a file provided as an input in a variable. The content of this variable might be controlled by an attacker who could change it to hold unauthorised file paths form the system.  In this way, it is possible to exfiltrate confidential information or such.
+
+## Example problematic code:
+
+```
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"strings"
+)
+
+func main() {
+	repoFile := "path_of_file"
+	byContext, err := ioutil.ReadFile(repoFile)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("%s", string(byContext))
+}
+```
+
+## Gosec command line output
+
+```
+[examples/main.go:11] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
+  > ioutil.ReadFile(repoFile)
+```
+
+## The right way
+
+```
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"strings"
+)
+
+func main() {
+	repoFile := "path_of_file"
+	byContext, err := ioutil.ReadFile(filepath.Clean(repoFile))
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("%s", string(byContext))
+}
+```
+
+## See also
+
+* https://pkg.go.dev/path/filepath?tab=doc#Clean
diff --git a/website/sidebars.json b/website/sidebars.json
@@ -7,7 +7,8 @@
           "rules/g103",
           "rules/g104",
           "rules/g107",
-          "rules/g201-g202"
+          "rules/g201-g202",
+          "rules/g304"
       ]
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,8 @@`
`7`	`7`	`"rules/g103",`
`8`	`8`	`"rules/g104",`
`9`	`9`	`"rules/g107",`
`10`		`- "rules/g201-g202"`
	`10`	`+ "rules/g201-g202",`
	`11`	`+ "rules/g304"`
`11`	`12`	`]`
`12`	`13`	`}`
`13`	`14`	`}`