CodeQL Dataflow SQL Injection (Go)

Intro

  • Minimal Go example to demonstrate taint flow: untrusted input from stdin flows into a dynamically constructed SQL string and is executed via exec.Command("sqlite3", ...).
  • Two CodeQL queries are included:

    • SourceGetUserInfo.ql: matches the return value of getUserInfo() as a taint source.
    • SinkExecCommandThirdArg.ql: matches the 3rd argument of exec.Command(...) as a taint sink.

Build a CodeQL database

Assumes Go toolchain and CodeQL CLI are installed and on PATH.

  cd codeql/codeql-dataflow-sql-injection-go

  # Optional: initialise a module and fetch deps (harmless if go.mod already exists)
  go mod init example.com/adduser 2>/dev/null || true
  go mod tidy 2>/dev/null || true

  # Create the CodeQL database; --command tells the Go extractor how to build the example
  codeql database create db.4b6900 --language=go --command=./build.sh

If you already have a database, you can skip creation and reuse it.

Run the queries

First, install the pack dependencies, then analyze the database with this pack.

  cd codeql/codeql-dataflow-sql-injection-go

  # Install dependencies for the pack
  codeql pack install

  # Run both queries in this directory against the database
  codeql database analyze db.4b6900 . \
         --format=sarifv2.1.0 \
         --output=results.sarif

To run a single query (database analyze always needs --output; csv is the simplest format to read in a terminal):

  codeql database analyze db.4b6900 \
         SourceGetUserInfo.ql \
         --format=csv \
         --output=SourceGetUserInfo.csv
  codeql database analyze db.4b6900 \
         SinkExecCommandThirdArg.ql \
         --format=sarifv2.1.0 \
         --output=SinkExecCommandThirdArg.sarif

Notes

  • The two queries match syntactically (AST only) and do not track flow themselves: one reports every call result of getUserInfo(), the other every third argument of exec.Command(...), regardless of whether the two are connected. The same two predicates can be reused as isSource/isSink in a taint-tracking configuration to report only the cases where the untrusted value actually reaches the sink.