diff --git a/ql/lib/semmle/go/frameworks/SQL.qll b/ql/lib/semmle/go/frameworks/SQL.qll
index 05a207b87..66566f754 100644
--- a/ql/lib/semmle/go/frameworks/SQL.qll
+++ b/ql/lib/semmle/go/frameworks/SQL.qll
@@ -92,14 +92,11 @@ module SQL {
 // first argument to `squirrel.Expr`
 fn.hasQualifiedName(sq, "Expr")
 or
- // first argument `pred`, `sql`, `from` to most methods of one of the `*Builder` classes
+ // first argument to the `Prefix`, `Suffix` or `Where` method of one of the `*Builder` classes
 exists(string builder | builder.matches("%Builder") |
- fn.(Method) .hasQualifiedName(sq, builder, [ "Prefix", "Column", "From", "JoinClause", "Join", "LeftJoin", "RightJoin", "InnerJoin", "CrossJoin", "Where", "Having", "OrderByClause", "Suffix" ])
+ fn.(Method).hasQualifiedName(sq, builder, "Prefix") or
+ fn.(Method).hasQualifiedName(sq, builder, "Suffix") or
+ fn.(Method).hasQualifiedName(sq, builder, "Where")
 )
 ) and
 this = fn.getACall().getArgument(0) and
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod b/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod
index 6bcd0bee3..69db5c96c 100644
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod
@@ -3,7 +3,7 @@ module semmle.go.frameworks.SQL
 go 1.13
 
 require (
- github.com/Masterminds/squirrel v1.5.2
+ github.com/Masterminds/squirrel v1.1.0
 github.com/go-pg/pg v8.0.6+incompatible
 github.com/go-pg/pg/v9 v9.1.3
 github.com/go-sql-driver/mysql v1.6.0 // indirect
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
index e4a7f2e81..fa05b5b69 100644
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
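Review bot: Narrowing the `*Builder` sink model to `Prefix`, `Suffix` and `Where` also drops the raw-SQL first argument of `Join`, `RightJoin` and `Having` from the SQL-injection sinks, even though those three methods still exist in the v1.1.0 stubs this commit pins (they survive as context lines in the stub.go hunks), so the loss of coverage is not forced by the version downgrade. If only the methods removed from the stubs (`CrossJoin`, `InnerJoin`, `OrderByClause`, the `*Expr` variants) are the problem, the older ones can stay in the model, e.g. `fn.(Method).hasQualifiedName(sq, builder, ["Prefix", "Suffix", "Where", "Join", "LeftJoin", "RightJoin", "Having"])` — a method name absent from a given squirrel version simply never matches. If the removal is deliberate, the replaced comment should record why, e.g. `// `Join`/`Having` etc. are intentionally not modelled here: <reason>`, since the next reader will otherwise re-add them. The enclosing `exists(Function fn | ...)` and the `and`-chain after `getArgument(0)` continue outside the hunk.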
@@ -43,18 +43,8 @@ func test(db *sql.DB, ctx context.Context) {
 }
 
 func squirrelTest(querypart string) {
- squirrel.Select("*").From("users").Prefix(querypart) // $ querystring=querypart
- squirrel.Select("*").From("users").Column(querypart) // $ querystring=querypart
- squirrel.Select("*").From("users").From(querypart) // $ querystring=querypart
- squirrel.Select("*").From("users").JoinClause(querypart) // $ querystring=querypart
- squirrel.Select("*").From("users").Join(querypart) // $ querystring=querypart
- squirrel.Select("*").From("users").LeftJoin(querypart) // $ querystring=querypart
- squirrel.Select("*").From("users").RightJoin(querypart) // $ querystring=querypart
- squirrel.Select("*").From("users").InnerJoin(querypart) // $ querystring=querypart
 squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $ querystring=querypart
 squirrel.Select("*").From("users").Where(querypart) // $ querystring=querypart
- squirrel.Select("*").From("users").Having(querypart) // $ querystring=querypart
- squirrel.Select("*").From("users").OrderByClause(querypart) // $ querystring=querypart
 squirrel.Select("*").From("users").Suffix(querypart) // $ querystring=querypart
 }
 
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/Masterminds/squirrel/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/Masterminds/squirrel/stub.go
index 888f07aa2..fc639e9e2 100644
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/Masterminds/squirrel/stub.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/Masterminds/squirrel/stub.go
@@ -17,7 +17,7 @@ type BaseRunner interface {
 Query(_ string, _ ...interface{}) (*sql.Rows, error)
 }
 
-func Expr(_ string, _ ...interface{}) Sqlizer {
+func Expr(_ string, _ ...interface{}) interface{} {
 return nil
 }
 
@@ -43,10 +43,6 @@ func (_ SelectBuilder) Columns(_ ...string) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) CrossJoin(_ string, _ ...interface{}) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) Distinct() SelectBuilder {
 return SelectBuilder{}
 }
@@ -75,10 +71,6 @@ func (_ SelectBuilder) Having(_ interface{}, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) InnerJoin(_ string, _ ...interface{}) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) Join(_ string, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
@@ -111,10 +103,6 @@ func (_ SelectBuilder) OrderBy(_ ...string) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) OrderByClause(_ interface{}, _ ...interface{}) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) PlaceholderFormat(_ PlaceholderFormat) SelectBuilder {
 return SelectBuilder{}
 }
@@ -123,10 +111,6 @@ func (_ SelectBuilder) Prefix(_ string, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) PrefixExpr(_ Sqlizer) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) Query() (*sql.Rows, error) {
 return nil, nil
 }
@@ -147,10 +131,6 @@ func (_ SelectBuilder) RemoveLimit() SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) RemoveOffset() SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) RightJoin(_ string, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
@@ -171,10 +151,6 @@ func (_ SelectBuilder) Suffix(_ string, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) SuffixExpr(_ Sqlizer) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) ToSql() (string, []interface{}, error) {
 return "", nil, nil
 }
@@ -182,7 +158,3 @@ func (_ SelectBuilder) ToSql() (string, []interface{}, error) {
 func (_ SelectBuilder) Where(_ interface{}, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
-
-type Sqlizer interface {
- ToSql() (string, []interface{}, error)
-}
diff --git a/ql/test/query-tests/Security/CWE-089/go.mod b/ql/test/query-tests/Security/CWE-089/go.mod
index c37f16745..6101c095c 100644
--- a/ql/test/query-tests/Security/CWE-089/go.mod
+++ b/ql/test/query-tests/Security/CWE-089/go.mod
@@ -3,6 +3,6 @@ module Security.CWE-089
 go 1.14
 
 require (
- github.com/Masterminds/squirrel v1.5.2
+ github.com/Masterminds/squirrel v1.1.0
 go.mongodb.org/mongo-driver v1.3.3
 )
diff --git a/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/stub.go b/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/stub.go
index b83272538..0e85e0f5e 100644
--- a/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/stub.go
+++ b/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/stub.go
@@ -35,10 +35,6 @@ func (_ DeleteBuilder) Limit(_ uint64) DeleteBuilder {
 return DeleteBuilder{}
 }
 
-func (_ DeleteBuilder) MustSql() (string, []interface{}) {
- return "", nil
-}
-
 func (_ DeleteBuilder) Offset(_ uint64) DeleteBuilder {
 return DeleteBuilder{}
 }
@@ -55,38 +51,18 @@ func (_ DeleteBuilder) Prefix(_ string, _ ...interface{}) DeleteBuilder {
 return DeleteBuilder{}
 }
 
-func (_ DeleteBuilder) PrefixExpr(_ Sqlizer) DeleteBuilder {
- return DeleteBuilder{}
-}
-
 func (_ DeleteBuilder) Query() (*sql.Rows, error) {
 return nil, nil
 }
 
-func (_ DeleteBuilder) QueryContext(_ context.Context) (*sql.Rows, error) {
- return nil, nil
-}
-
-func (_ DeleteBuilder) QueryRowContext(_ context.Context) RowScanner {
- return nil
-}
-
 func (_ DeleteBuilder) RunWith(_ BaseRunner) DeleteBuilder {
 return DeleteBuilder{}
 }
 
-func (_ DeleteBuilder) ScanContext(_ context.Context, _ ...interface{}) error {
- return nil
-}
-
 func (_ DeleteBuilder) Suffix(_ string, _ ...interface{}) DeleteBuilder {
 return DeleteBuilder{}
 }
 
-func (_ DeleteBuilder) SuffixExpr(_ Sqlizer) DeleteBuilder {
- return DeleteBuilder{}
-}
-
 func (_ DeleteBuilder) ToSql() (string, []interface{}, error) {
 return "", nil, nil
 }
@@ -95,7 +71,7 @@ func (_ DeleteBuilder) Where(_ interface{}, _ ...interface{}) DeleteBuilder {
 return DeleteBuilder{}
 }
 
-func Expr(_ string, _ ...interface{}) Sqlizer {
+func Expr(_ string, _ ...interface{}) interface{} {
 return nil
 }
 
@@ -117,10 +93,6 @@ func (_ InsertBuilder) Into(_ string) InsertBuilder {
 return InsertBuilder{}
 }
 
-func (_ InsertBuilder) MustSql() (string, []interface{}) {
- return "", nil
-}
-
 func (_ InsertBuilder) Options(_ ...string) InsertBuilder {
 return InsertBuilder{}
 }
@@ -133,10 +105,6 @@ func (_ InsertBuilder) Prefix(_ string, _ ...interface{}) InsertBuilder {
 return InsertBuilder{}
 }
 
-func (_ InsertBuilder) PrefixExpr(_ Sqlizer) InsertBuilder {
- return InsertBuilder{}
-}
-
 func (_ InsertBuilder) Query() (*sql.Rows, error) {
 return nil, nil
 }
@@ -177,10 +145,6 @@ func (_ InsertBuilder) Suffix(_ string, _ ...interface{}) InsertBuilder {
 return InsertBuilder{}
 }
 
-func (_ InsertBuilder) SuffixExpr(_ Sqlizer) InsertBuilder {
- return InsertBuilder{}
-}
-
 func (_ InsertBuilder) ToSql() (string, []interface{}, error) {
 return "", nil, nil
 }
@@ -207,10 +171,6 @@ func (_ SelectBuilder) Columns(_ ...string) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) CrossJoin(_ string, _ ...interface{}) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) Distinct() SelectBuilder {
 return SelectBuilder{}
 }
@@ -239,10 +199,6 @@ func (_ SelectBuilder) Having(_ interface{}, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) InnerJoin(_ string, _ ...interface{}) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) Join(_ string, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
@@ -275,10 +231,6 @@ func (_ SelectBuilder) OrderBy(_ ...string) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) OrderByClause(_ interface{}, _ ...interface{}) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) PlaceholderFormat(_ PlaceholderFormat) SelectBuilder {
 return SelectBuilder{}
 }
@@ -287,10 +239,6 @@ func (_ SelectBuilder) Prefix(_ string, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) PrefixExpr(_ Sqlizer) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) Query() (*sql.Rows, error) {
 return nil, nil
 }
@@ -311,10 +259,6 @@ func (_ SelectBuilder) RemoveLimit() SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) RemoveOffset() SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) RightJoin(_ string, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
@@ -335,10 +279,6 @@ func (_ SelectBuilder) Suffix(_ string, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
 
-func (_ SelectBuilder) SuffixExpr(_ Sqlizer) SelectBuilder {
- return SelectBuilder{}
-}
-
 func (_ SelectBuilder) ToSql() (string, []interface{}, error) {
 return "", nil, nil
 }
@@ -347,10 +287,6 @@ func (_ SelectBuilder) Where(_ interface{}, _ ...interface{}) SelectBuilder {
 return SelectBuilder{}
 }
 
-type Sqlizer interface {
- ToSql() (string, []interface{}, error)
-}
-
 var StatementBuilder StatementBuilderType = StatementBuilderType{}
 
 type StatementBuilderType struct{}
@@ -367,10 +303,6 @@ func (_ StatementBuilderType) PlaceholderFormat(_ PlaceholderFormat) StatementBu
 return StatementBuilderType{}
 }
 
-func (_ StatementBuilderType) Replace(_ string) InsertBuilder {
- return InsertBuilder{}
-}
-
 func (_ StatementBuilderType) RunWith(_ BaseRunner) StatementBuilderType {
 return StatementBuilderType{}
 }
@@ -383,10 +315,6 @@ func (_ StatementBuilderType) Update(_ string) UpdateBuilder {
 return UpdateBuilder{}
 }
 
-func (_ StatementBuilderType) Where(_ interface{}, _ ...interface{}) StatementBuilderType {
- return StatementBuilderType{}
-}
-
 type UpdateBuilder struct{}
 
 func (_ UpdateBuilder) Exec() (sql.Result, error) {
@@ -401,10 +329,6 @@ func (_ UpdateBuilder) Limit(_ uint64) UpdateBuilder {
 return UpdateBuilder{}
 }
 
-func (_ UpdateBuilder) MustSql() (string, []interface{}) {
- return "", nil
-}
-
 func (_ UpdateBuilder) Offset(_ uint64) UpdateBuilder {
 return UpdateBuilder{}
 }
@@ -421,10 +345,6 @@ func (_ UpdateBuilder) Prefix(_ string, _ ...interface{}) UpdateBuilder {
 return UpdateBuilder{}
 }
 
-func (_ UpdateBuilder) PrefixExpr(_ Sqlizer) UpdateBuilder {
- return UpdateBuilder{}
-}
-
 func (_ UpdateBuilder) Query() (*sql.Rows, error) {
 return nil, nil
 }
@@ -465,10 +385,6 @@ func (_ UpdateBuilder) Suffix(_ string, _ ...interface{}) UpdateBuilder {
 return UpdateBuilder{}
 }
 
-func (_ UpdateBuilder) SuffixExpr(_ Sqlizer) UpdateBuilder {
- return UpdateBuilder{}
-}
-
 func (_ UpdateBuilder) Table(_ string) UpdateBuilder {
 return UpdateBuilder{}
 }
diff --git a/ql/test/query-tests/Security/CWE-089/vendor/modules.txt b/ql/test/query-tests/Security/CWE-089/vendor/modules.txt
index cbf41c04c..ddbc30953 100644
--- a/ql/test/query-tests/Security/CWE-089/vendor/modules.txt
+++ b/ql/test/query-tests/Security/CWE-089/vendor/modules.txt
@@ -1,4 +1,4 @@
-# github.com/Masterminds/squirrel v1.5.2
+# github.com/Masterminds/squirrel v1.1.0
 ## explicit
 github.com/Masterminds/squirrel
 # go.mongodb.org/mongo-driver v1.3.3