fix in style

Author: Евгений Балякин

cmd/baseline.go

@@ -45,6 +45,10 @@ func newBaselineCommand(stdout io.Writer, stderr io.Writer, exitCode *int) *cobr
 }
 
 func runBaselineInitConfig(config baselineInitConfig, stdout io.Writer, stderr io.Writer) int {
+	if scanIsRunningAsRoot() {
+		return stopRootScan(stderr)
+	}
+
 	database, err := matcher.LoadDefaultDatabase()
 	if err != nil {
 		fmt.Fprintln(stderr, err)

cmd/scan.go

@@ -74,6 +74,10 @@ func addScanFlags(command *cobra.Command, config *scanConfig) {
 }
 
 func runScanConfig(config scanConfig, stdout io.Writer, stderr io.Writer, version string) int {
+	if scanIsRunningAsRoot() {
+		return stopRootScan(stderr)
+	}
+
 	database, err := matcher.LoadDefaultDatabase()
 	if err != nil {
 		fmt.Fprintln(stderr, err)

cmd/types.go

@@ -1,6 +1,8 @@
 package cmd
 
 import (
+	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -18,8 +20,14 @@ const (
 	exitHigh     = 2
 	exitRuntime  = 3
 	exitUsage    = 4
+
+	rootUserID       = 0
+	rootScanWarning  = "sudocheck should not be run as root."
+	rootScanGuidance = "Please run sudocheck as the unprivileged user you want to audit; no checks were performed."
 )
 
+var getEffectiveUserID = os.Geteuid
+
 type stringList []string
 
 func (values *stringList) String() string {
@@ -49,6 +57,16 @@ func exitForFindings(findings []model.Finding, failOn model.Severity) int {
 	return exitHigh
 }
 
+func scanIsRunningAsRoot() bool {
+	return getEffectiveUserID() == rootUserID
+}
+
+func stopRootScan(stderr io.Writer) int {
+	fmt.Fprintln(stderr, rootScanWarning)
+	fmt.Fprintln(stderr, rootScanGuidance)
+	return exitUsage
+}
+
 func inferFormat(format string, jsonOutput bool, sarifOutput bool, reportPath string) string {
 	if jsonOutput {
 		return formatJSON

cmd/types_test.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"bytes"
+	"strings"
 	"testing"
 
 	"github.com/balyakin/sudocheck/internal/model"
@@ -35,3 +36,54 @@ func TestExitForFindingsFailsOnMedium(t *testing.T) {
 		t.Fatal("expected non-zero exit code")
 	}
 }
+
+func TestRunScanConfigRefusesRootUser(t *testing.T) {
+	runAsRootForTest(t)
+
+	stdout := bytes.Buffer{}
+	stderr := bytes.Buffer{}
+
+	exitCode := runScanConfig(scanConfig{}, &stdout, &stderr, "dev")
+
+	if exitCode != exitUsage {
+		t.Fatalf("expected usage exit code, got %d", exitCode)
+	}
+	if stdout.String() != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout.String())
+	}
+	if !strings.Contains(stderr.String(), rootScanGuidance) {
+		t.Fatalf("expected root guidance in stderr, got %q", stderr.String())
+	}
+}
+
+func TestRunBaselineInitConfigRefusesRootUser(t *testing.T) {
+	runAsRootForTest(t)
+
+	stdout := bytes.Buffer{}
+	stderr := bytes.Buffer{}
+	config := baselineInitConfig{output: "sudocheck.baseline.json"}
+
+	exitCode := runBaselineInitConfig(config, &stdout, &stderr)
+
+	if exitCode != exitUsage {
+		t.Fatalf("expected usage exit code, got %d", exitCode)
+	}
+	if stdout.String() != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout.String())
+	}
+	if !strings.Contains(stderr.String(), rootScanGuidance) {
+		t.Fatalf("expected root guidance in stderr, got %q", stderr.String())
+	}
+}
+
+func runAsRootForTest(t *testing.T) {
+	t.Helper()
+
+	originalGetEffectiveUserID := getEffectiveUserID
+	getEffectiveUserID = func() int {
+		return rootUserID
+	}
+	t.Cleanup(func() {
+		getEffectiveUserID = originalGetEffectiveUserID
+	})
+}

internal/reporter/terminal.go

@@ -14,8 +14,8 @@ var (
 	bannerStyle   = lipgloss.NewStyle().Bold(true).Foreground(lipgloss.Color("14"))
 	criticalStyle = lipgloss.NewStyle().
 			Bold(true).
-			Foreground(lipgloss.Color("15")).
-			Background(lipgloss.Color("9"))
+			Foreground(lipgloss.Color("9")).
+			Inline(true)
 	highStyle   = lipgloss.NewStyle().Foreground(lipgloss.Color("9"))
 	mediumStyle = lipgloss.NewStyle().Foreground(lipgloss.Color("11"))
 	lowStyle    = lipgloss.NewStyle().Foreground(lipgloss.Color("14"))
@@ -70,7 +70,9 @@ func renderFinding(finding model.Finding, options Options) string {
 	builder := strings.Builder{}
 	header := fmt.Sprintf("%s %s — %s %s (%s)", severityIcon(finding.Severity),
 		strings.ToUpper(string(finding.Severity)), finding.Source, finding.BinaryName, finding.Detail)
-	builder.WriteString(renderStyled(header+"\n", severityStyle(finding.Severity), options))
+	styledHeader := renderStyled(header, severityStyle(finding.Severity), options)
+	builder.WriteString(strings.TrimLeft(styledHeader, " \t"))
+	builder.WriteString("\n")
 	builder.WriteString("┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄\n")
 	if len(finding.Exploits) > 0 && !options.HideExploits {
 		builder.WriteString(fmt.Sprintf("Exploit:  %s\n", finding.Exploits[0].Command))
@@ -140,5 +142,5 @@ func renderStyled(value string, style lipgloss.Style, options Options) string {
 	if options.NoColor {
 		return value
 	}
-	return style.Render(value)
+	return strings.TrimRight(style.Render(value), " \t")
 }

internal/reporter/terminal_test.go

@@ -48,3 +48,34 @@ func TestRenderTerminalMatchesSpecFindingShape(t *testing.T) {
 		}
 	}
 }
+
+func TestRenderTerminalCriticalFindingHasNoLeadingPadding(t *testing.T) {
+	report := model.Report{
+		Version: "v0.1.0",
+		Summary: model.Summary{
+			Critical: 1,
+			Total:    1,
+		},
+		Findings: []model.Finding{
+			{
+				Severity:   model.SeverityCritical,
+				Source:     "sudo",
+				BinaryName: "all",
+				Detail:     "PASSWD, run as ALL : ALL",
+			},
+		},
+	}
+
+	output := RenderTerminal(report, Options{})
+
+	for _, line := range strings.Split(output, "\n") {
+		if strings.Contains(line, "CRITICAL —") {
+			if strings.HasPrefix(line, " ") {
+				t.Fatalf("expected critical finding line without leading padding, got %q", line)
+			}
+			return
+		}
+	}
+
+	t.Fatalf("expected critical finding line, got:\n%s", output)
+}