Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#1513)

* Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer

Implements a new SSA-based security analyzer (G408) that detects
stateful misuse of ssh.PublicKeyCallback in SSH server configurations.
This vulnerability can lead to authentication bypass where a server
authenticates one SSH key but performs authorization checks on a
different key.

This addresses a critical security vulnerability (CVE-2024-45337, CVSS
9.1) that has affected production systems including Kubernetes and other
SSH-based services. The vulnerability occurs when developers incorrectly
capture and modify state within PublicKeyCallback closures, enabling
attackers to authenticate with one key while the server operates on
another key's credentials.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

* Fix tests

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

---------

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

Author: ccojocar

README.md

@@ -213,6 +213,7 @@ directory you can supply `./...` as the input argument.
 - G405: Detect the usage of DES or RC4
 - G406: Detect the usage of MD4 or RIPEMD160
 - G407: Detect the usage of hardcoded Initialization Vector(IV)/Nonce
+- G408: Stateful misuse of ssh.PublicKeyCallback leading to auth bypass
 - G501: Import blocklist: crypto/md5
 - G502: Import blocklist: crypto/des
 - G503: Import blocklist: crypto/rc4

analyzers/analyzers_test.go

@@ -59,6 +59,10 @@ var _ = Describe("gosec analyzers", func() {
 			runner("G407", testutils.SampleCodeG407)
 		})
 
+		It("should detect SSH PublicKeyCallback stateful misuse", func() {
+			runner("G408", testutils.SampleCodeG408)
+		})
+
 		It("should detect out of bounds slice access", func() {
 			runner("G602", testutils.SampleCodeG602)
 		})

analyzers/analyzerslist.go

@@ -116,6 +116,7 @@ var defaultAnalyzers = []AnalyzerDefinition{
 	{"G115", "Type conversion which leads to integer overflow", newConversionOverflowAnalyzer},
 	{"G602", "Possible slice bounds out of range", newSliceBoundsAnalyzer},
 	{"G407", "Use of hardcoded IV/nonce for encryption", newHardCodedNonce},
+	{"G408", "Stateful misuse of ssh.PublicKeyCallback leading to auth bypass", newSSHCallbackAnalyzer},
 	{"G701", "SQL injection via taint analysis", newSQLInjectionAnalyzer},
 	{"G702", "Command injection via taint analysis", newCommandInjectionAnalyzer},
 	{"G703", "Path traversal via taint analysis", newPathTraversalAnalyzer},