From d0061bfd4b8974a7b427477994e112861e0cd7fe Mon Sep 17 00:00:00 2001 
From: Porcupiney Hairs Date: Sun, 3 May 2020 19:57:06 +0530 Subject: [PATCH] Golang : Add MongoDB injection support This PR adds support for MongoDB injection to the existing SQL injection query. This models the official Golang MongoDB driver. A brief summary of changes made in this query are : 1. A `NoSQL.qll` file has been created to model a `NoSQLQueryString`. 2. An entry is added in `go.qll` by default as I find these changes may be generally useful. 3. Library tests along with their expected outputs are added. 4. Query tests are added. However, I am unable to add the expected output as qltest can't find depstubber. However, these can be easily added. I have created a separate codeql-go database with the same files and ran the query against the same. I can see there should be 14 correct results added from this PR. --- ql/src/go.qll | 1 + ql/src/semmle/go/frameworks/NoSQL.qll | 107 +++++ ql/src/semmle/go/security/SqlInjection.qll | 4 + .../security/SqlInjectionCustomizations.qll | 5 + .../go/frameworks/NoSQL/QueryString.expected | 14 + .../semmle/go/frameworks/NoSQL/QueryString.ql | 5 + .../semmle/go/frameworks/NoSQL/go.mod | 5 + .../semmle/go/frameworks/NoSQL/main.go | 52 +++ .../go.mongodb.org/mongo-driver/LICENSE | 201 +++++++++ .../mongo-driver/bson/primitive/stub.go | 23 + .../go.mongodb.org/mongo-driver/bson/stub.go | 5 + .../go.mongodb.org/mongo-driver/mongo/stub.go | 389 +++++++++++++++++ .../go/frameworks/NoSQL/vendor/modules.txt | 3 + .../Security/CWE-089/SqlInjection.expected | 43 ++ ql/test/query-tests/Security/CWE-089/go.mod | 5 +- .../query-tests/Security/CWE-089/mongoDB.go | 83 ++++ .../github.com/Masterminds/squirrel/stub.go | 117 ++---- .../go.mongodb.org/mongo-driver/LICENSE | 201 +++++++++ .../mongo-driver/bson/primitive/stub.go | 23 + .../go.mongodb.org/mongo-driver/bson/stub.go | 5 + .../mongo-driver/mongo/options/stub.go | 217 ++++++++++ .../go.mongodb.org/mongo-driver/mongo/stub.go | 393 ++++++++++++++++++ 
.../Security/CWE-089/vendor/modules.txt | 13 +- 23 files changed, 1812 insertions(+), 102 deletions(-) create mode 100644 ql/src/semmle/go/frameworks/NoSQL.qll create mode 100644 ql/test/library-tests/semmle/go/frameworks/NoSQL/QueryString.expected create mode 100644 ql/test/library-tests/semmle/go/frameworks/NoSQL/QueryString.ql create mode 100644 ql/test/library-tests/semmle/go/frameworks/NoSQL/go.mod create mode 100644 ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go create mode 100644 ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/LICENSE create mode 100644 ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go create mode 100644 ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/bson/stub.go create mode 100644 ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/mongo/stub.go create mode 100644 ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/modules.txt create mode 100644 ql/test/query-tests/Security/CWE-089/mongoDB.go create mode 100644 ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/LICENSE create mode 100644 ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go create mode 100644 ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/stub.go create mode 100644 ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/mongo/options/stub.go create mode 100644 ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/mongo/stub.go diff --git a/ql/src/go.qll b/ql/src/go.qll index 23457315d48..524717b7544 100644 --- a/ql/src/go.qll +++ b/ql/src/go.qll 
@@ -28,6 +28,7 @@ import semmle.go.frameworks.Email
 import semmle.go.frameworks.HTTP
 import semmle.go.frameworks.Macaron
 import semmle.go.frameworks.Mux
+import semmle.go.frameworks.NoSQL
 import semmle.go.frameworks.SystemCommandExecutors
 import semmle.go.frameworks.SQL
 import semmle.go.frameworks.XPath
diff --git a/ql/src/semmle/go/frameworks/NoSQL.qll b/ql/src/semmle/go/frameworks/NoSQL.qll
new file mode 100644
index 00000000000..a49c3864b62
--- /dev/null
+++ b/ql/src/semmle/go/frameworks/NoSQL.qll
@@ -0,0 +1,107 @@
+/**
+ * Provides classes for working with NoSQL-related concepts such as queries.
+ */
+
+import go
+
+/** Provides classes for working with NoSQL-related APIs. */
+module NoSQL {
+ /**
+ * A data-flow node whose string value is interpreted as (part of) a NoSQL query.
+ *
+ * Extends this class to refine existing API models. If you want to model new APIs,
+ * extend `NoSQL::QueryString::Range` instead.
+ */
+ class NoSQLQueryString extends DataFlow::Node {
+ NoSQLQueryString::Range self;
+
+ NoSQLQueryString() { this = self }
+ }
+
+ //TODO : Replace the following two predicate definitions with a simple call to package()
+ private string mongoDb() { result = "go.mongodb.org/mongo-driver/mongo" }
+
+ private string mongoBsonPrimitive() { result = "go.mongodb.org/mongo-driver/bson/primitive" }
+
+ /** Provides classes for working with SQL query strings. */
+ module NoSQLQueryString {
+ /**
+ * A data-flow node whose string value is interpreted as (part of) a NoSQL query.
+ *
+ * Extend this class to model new APIs. If you want to refine existing API models,
+ * extend `NoSQL::QueryString` instead.
+ */
+ abstract class Range extends DataFlow::Node { }
+
+ /**
+ * Holds if method `name` of `Collection` struct of `go.mongodb.org/mongo-driver/mongo`
+ * package interprets parameter `n` as a query.
+ */
+ private predicate collectionMethods(string name, int n) {
+ // func (coll *Collection) CountDocuments(ctx context.Context, filter interface{}, opts ...*options.CountOptions) (int64, error)
+ name = "CountDocuments" and n = 1
+ or
+ // func (coll *Collection) DeleteMany(ctx context.Context, filter interface{}, opts ...*options.DeleteOptions) (*DeleteResult, error)
+ name = "DeleteMany" and n = 1
+ or
+ // func (coll *Collection) DeleteOne(ctx context.Context, filter interface{}, opts ...*options.DeleteOptions) (*DeleteResult, error)
+ name = "DeleteOne" and n = 1
+ or
+ // func (coll *Collection) Distinct(ctx context.Context, fieldName string, filter interface{}, ...) ([]interface{}, error)
+ name = "Distinct" and n = 2
+ or
+ // func (coll *Collection) Find(ctx context.Context, filter interface{}, opts ...*options.FindOptions) (*Cursor, error)
+ name = "Find" and n = 1
+ or
+ // func (coll *Collection) FindOne(ctx context.Context, filter interface{}, opts ...*options.FindOneOptions) *SingleResult
+ name = "FindOne" and n = 1
+ or
+ // func (coll *Collection) FindOneAndDelete(ctx context.Context, filter interface{}, ...) *SingleResult
+ name = "FindOneAndDelete" and n = 1
+ or
+ // func (coll *Collection) FindOneAndReplace(ctx context.Context, filter interface{}, replacement interface{}, ...) *SingleResult
+ name = "FindOneAndReplace" and n = 1
+ or
+ // func (coll *Collection) FindOneAndUpdate(ctx context.Context, filter interface{}, update interface{}, ...) *SingleResult
+ name = "FindOneAndUpdate" and n = 1
+ or
+ // func (coll *Collection) ReplaceOne(ctx context.Context, filter interface{}, replacement interface{}, ...) (*UpdateResult, error)
+ name = "ReplaceOne" and n = 1
+ or
+ // func (coll *Collection) UpdateMany(ctx context.Context, filter interface{}, update interface{}, ...) (*UpdateResult, error)
+ name = "UpdateMany" and n = 1
+ or
+ // func (coll *Collection) UpdateOne(ctx context.Context, filter interface{}, update interface{}, ...) 
(*UpdateResult, error) + name = "UpdateOne" and n = 1 + or + // func (coll *Collection) Watch(ctx context.Context, pipeline interface{}, ...) (*ChangeStream, error) + name = "Watch" and n = 1 + or + // func (coll *Collection) Aggregate(ctx context.Context, pipeline interface{}, opts ...*options.AggregateOptions) (*Cursor, error) + name = "Aggregate" and n = 1 + } + + /** + * A query string used in an API function acting on a `Collection` struct of + * `go.mongodb.org/mongo-driver/mongo` package + */ + private class MongoDbCollectionQueryString extends Range { + MongoDbCollectionQueryString() { + exists(Method meth, string methodName, int n | + collectionMethods(methodName, n) and + meth.hasQualifiedName(mongoDb(), "Collection", methodName) and + this = meth.getACall().getArgument(n) + ) + } + } + } + + predicate isAdditionalMongoTaintStep(DataFlow::Node prev, DataFlow::Node succ) { + // Taint bson.E if input is tainted + exists(Write w, DataFlow::Node base, Field f | w.writesField(base, f, prev) | + base = succ.getASuccessor*() and + base.getType().hasQualifiedName(mongoBsonPrimitive(), "E") and + f.getName() = "Value" + ) + } +} diff --git a/ql/src/semmle/go/security/SqlInjection.qll b/ql/src/semmle/go/security/SqlInjection.qll index 70df0b4822f..0397ee8c665 100644 --- a/ql/src/semmle/go/security/SqlInjection.qll +++ b/ql/src/semmle/go/security/SqlInjection.qll @@ -23,6 +23,10 @@ module SqlInjection { override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isAdditionalTaintStep(DataFlow::Node prev, DataFlow::Node succ) { + NoSQL::isAdditionalMongoTaintStep(prev, succ) + } + override predicate isSanitizer(DataFlow::Node node) { super.isSanitizer(node) or node instanceof Sanitizer diff --git a/ql/src/semmle/go/security/SqlInjectionCustomizations.qll b/ql/src/semmle/go/security/SqlInjectionCustomizations.qll index b34c34954d8..d5b87271546 100644 --- a/ql/src/semmle/go/security/SqlInjectionCustomizations.qll 
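Review bot: The QLDoc in the new NoSQL.qll points at names that do not exist: the `NoSQLQueryString` comment says to extend `NoSQL::QueryString::Range` and the `Range` comment says to extend `NoSQL::QueryString`, but the module is named `NoSQLQueryString`, so these should read `NoSQL::NoSQLQueryString::Range` and `NoSQL::NoSQLQueryString`, and the module comment `/** Provides classes for working with SQL query strings. */` should say NoSQL. `isAdditionalMongoTaintStep` is public but has no QLDoc; `/** Holds if `prev` is written into the `Value` field of a `bson/primitive.E` that `succ` flows to. */` would state the contract, and a why-comment on `base = succ.getASuccessor*()` would help, since that line makes `succ` a predecessor of the written base rather than the base itself, which reads backwards for a prev-to-succ step. `collectionMethods` models only the `filter` argument (n = 1) of `FindOneAndReplace`, `FindOneAndUpdate`, `ReplaceOne`, `UpdateMany` and `UpdateOne`; the `replacement`/`update` argument (n = 2) shown in the signature comments is also interpreted by the server, so either add `n = 2` disjuncts for those methods or document why they are excluded. The `//TODO : Replace the following two predicate definitions with a simple call to package()` comment should be resolved or tracked before merge.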
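Review bot: The new `isAdditionalTaintStep` override in SqlInjection.qll replaces whatever the base `TaintTracking::Configuration` contributes, unlike the neighbouring `isSanitizer` override which keeps `super.isSanitizer(node) or ...`; for consistency it should read `super.isAdditionalTaintStep(prev, succ) or NoSQL::isAdditionalMongoTaintStep(prev, succ)`. If the base predicate is empty in this library version the difference is harmless today, but the override removes the seam for any default steps added later. The enclosing `Configuration` class starts and ends outside the hunk.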
+++ b/ql/src/semmle/go/security/SqlInjectionCustomizations.qll
@@ -39,4 +39,9 @@ module SqlInjection {
 class SqlQueryAsSink extends Sink {
 SqlQueryAsSink() { this instanceof SQL::QueryString }
 }
+
+ /** An NoSQL string, considered as a taint sink for SQL injection. */
+ class NoSqlQueryAsSink extends Sink {
+ NoSqlQueryAsSink() { this instanceof NoSQL::NoSQLQueryString }
+ }
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/QueryString.expected b/ql/test/library-tests/semmle/go/frameworks/NoSQL/QueryString.expected
new file mode 100644
index 00000000000..109ad99673b
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/QueryString.expected
@@ -0,0 +1,14 @@
+| main.go:24:22:24:29 | pipeline |
+| main.go:27:27:27:32 | filter |
+| main.go:29:23:29:28 | filter |
+| main.go:30:22:30:27 | filter |
+| main.go:32:32:32:37 | filter |
+| main.go:35:17:35:22 | filter |
+| main.go:36:20:36:25 | filter |
+| main.go:37:29:37:34 | filter |
+| main.go:38:30:38:35 | filter |
+| main.go:39:29:39:34 | filter |
+| main.go:45:23:45:28 | filter |
+| main.go:47:23:47:28 | filter |
+| main.go:48:22:48:27 | filter |
+| main.go:49:18:49:25 | pipeline |
diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/QueryString.ql b/ql/test/library-tests/semmle/go/frameworks/NoSQL/QueryString.ql
new file mode 100644
index 00000000000..2bf41639937
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/QueryString.ql
@@ -0,0 +1,5 @@
+import go
+import semmle.go.frameworks.NoSQL
+
+from NoSQL::NoSQLQueryString qs
+select qs
diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/go.mod b/ql/test/library-tests/semmle/go/frameworks/NoSQL/go.mod
new file mode 100644
index 00000000000..6cd131e192f
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/go.mod
@@ -0,0 +1,5 @@
+module main
+
+go 1.14
+
+require go.mongodb.org/mongo-driver v1.3.2
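Review bot: The doc comment on the new `NoSqlQueryAsSink` reads `/** An NoSQL string, considered as a taint sink for SQL injection. */`; it should be `/** A NoSQL query string, considered as a taint sink for SQL injection. */`, matching the sibling `SqlQueryAsSink` wording and the `NoSQLQueryString` class it tests for. The class name also mixes casings (`NoSql…` here, `NoSQL…` in NoSQL.qll); picking one spelling across both files would make the model easier to find.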
diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go b/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go
new file mode 100644
index 00000000000..438763a587e
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go
@@ -0,0 +1,52 @@
+package main
+
+//go:generate depstubber -vendor go.mongodb.org/mongo-driver/bson/primitive D
+//go:generate depstubber -vendor go.mongodb.org/mongo-driver/mongo Collection,Pipeline
+
+import (
+ "context"
+
+ "go.mongodb.org/mongo-driver/bson"
+ "go.mongodb.org/mongo-driver/mongo"
+)
+
+func test(coll *mongo.Collection, filter interface{}, models []WriteModel, ctx context.Context) {
+
+ fieldName := "test"
+ document := filter
+ documents := []interface{}{
+ document,
+ bson.D{{"name", "Bob"}},
+ }
+ matchStage := bson.D{{"$match", filter}}
+ pipeline := mongo.Pipeline{matchStage}
+
+ coll.Aggregate(ctx, pipeline, nil)
+ coll.BulkWrite(ctx, models, nil)
+ coll.Clone(nil)
+ coll.CountDocuments(ctx, filter, nil)
+ coll.Database()
+ coll.DeleteMany(ctx, filter, nil)
+ coll.DeleteOne(ctx, filter, nil)
+
+ coll.Distinct(ctx, fieldName, filter)
+ coll.Drop(ctx)
+ coll.EstimatedDocumentCount(ctx, nil)
+ coll.Find(ctx, filter, nil)
+ coll.FindOne(ctx, filter, nil)
+ coll.FindOneAndDelete(ctx, filter, nil)
+ coll.FindOneAndReplace(ctx, filter, nil)
+ coll.FindOneAndUpdate(ctx, filter, nil)
+ coll.Indexes()
+ coll.InsertMany(ctx, documents)
+ coll.InsertOne(ctx, document, nil)
+ coll.Name()
+ replacement := bson.D{{"location", "NYC"}}
+ coll.ReplaceOne(ctx, filter, replacement)
+ update := bson.D{{"$inc", bson.D{{"age", 1}}}}
+ coll.UpdateMany(ctx, filter, update)
+ coll.UpdateOne(ctx, filter, update)
+ coll.Watch(ctx, pipeline)
+}
+
+func main() {}
diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/LICENSE b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/LICENSE
new file mode 100644
index 00000000000..261eeb9e9f8
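Review bot: `test` in the new main.go takes `models []WriteModel`, but `WriteModel` is neither declared in package main nor imported; the vendored stub's `BulkWrite` takes `[]WriteModel` inside package `mongo`, so this parameter should presumably be `models []mongo.WriteModel`, otherwise `go build`/`go vet` on the test directory fails even if the extractor tolerates the unresolved name. `ctx context.Context` is also the last parameter where Go convention puts it first, and the `bson.D{{"name", "Bob"}}`-style literals use unkeyed struct fields, which `go vet` flags. These are cosmetic, but `QueryString.expected` pins line numbers in this file, so tidying it now avoids regenerating the expected output later.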
--- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go new file mode 100644 index 00000000000..6f07aaff4ee --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go 
@@ -0,0 +1,23 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for go.mongodb.org/mongo-driver/bson/primitive, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: go.mongodb.org/mongo-driver/bson/primitive (exports: D; functions: ) + +// Package primitive is a stub of go.mongodb.org/mongo-driver/bson/primitive, generated by depstubber. +package primitive + +import () + +type D []E + +func (_ D) Map() M { + return nil +} + +type E struct { + Key string + Value interface{} +} + +type M map[string]interface{} diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/bson/stub.go b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/bson/stub.go new file mode 100644 index 00000000000..de80f55501f --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/bson/stub.go @@ -0,0 +1,5 @@ +package bson + +import "go.mongodb.org/mongo-driver/bson/primitive" + +type D = primitive.D diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/mongo/stub.go b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/mongo/stub.go new file mode 100644 index 00000000000..57fda704783 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/go.mongodb.org/mongo-driver/mongo/stub.go 
@@ -0,0 +1,389 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for go.mongodb.org/mongo-driver/mongo, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: go.mongodb.org/mongo-driver/mongo (exports: Collection,Pipeline; functions: ) + +// Package mongo is a stub of go.mongodb.org/mongo-driver/mongo, generated by depstubber. +package mongo + +import ( + context "context" + time "time" +) + +type BulkWriteResult struct { + InsertedCount int64 + MatchedCount int64 + ModifiedCount int64 + DeletedCount int64 + UpsertedCount int64 + UpsertedIDs map[int64]interface{} +} + +type ChangeStream struct { + Current interface{} +} + +func (_ *ChangeStream) Close(_ context.Context) error { + return nil +} + +func (_ *ChangeStream) Decode(_ interface{}) error { + return nil +} + +func (_ *ChangeStream) Err() error { + return nil +} + +func (_ *ChangeStream) ID() int64 { + return 0 +} + +func (_ *ChangeStream) Next(_ context.Context) bool { + return false +} + +func (_ *ChangeStream) ResumeToken() interface{} { + return nil +} + +func (_ *ChangeStream) TryNext(_ context.Context) bool { + return false +} + +type Client struct{} + +func (_ *Client) Connect(_ context.Context) error { + return nil +} + +func (_ *Client) Database(_ string, _ ...*interface{}) *Database { + return nil +} + +func (_ *Client) Disconnect(_ context.Context) error { + return nil +} + +func (_ *Client) ListDatabaseNames(_ context.Context, _ interface{}, _ ...*interface{}) ([]string, error) { + return nil, nil +} + +func (_ *Client) ListDatabases(_ context.Context, _ interface{}, _ ...*interface{}) (ListDatabasesResult, error) { + return ListDatabasesResult{}, nil +} + +func (_ *Client) NumberSessionsInProgress() int { + return 0 +} + +func (_ *Client) Ping(_ context.Context, _ *interface{}) error { + return nil +} + +func (_ *Client) StartSession(_ ...*interface{}) (Session, error) { + return nil, nil +} + 
+func (_ *Client) UseSession(_ context.Context, _ func(SessionContext) error) error { + return nil +} + +func (_ *Client) UseSessionWithOptions(_ context.Context, _ *interface{}, _ func(SessionContext) error) error { + return nil +} + +func (_ *Client) Watch(_ context.Context, _ interface{}, _ ...*interface{}) (*ChangeStream, error) { + return nil, nil +} + +type Collection struct{} + +func (_ *Collection) Aggregate(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Collection) BulkWrite(_ context.Context, _ []WriteModel, _ ...*interface{}) (*BulkWriteResult, error) { + return nil, nil +} + +func (_ *Collection) Clone(_ ...*interface{}) (*Collection, error) { + return nil, nil +} + +func (_ *Collection) CountDocuments(_ context.Context, _ interface{}, _ ...*interface{}) (int64, error) { + return 0, nil +} + +func (_ *Collection) Database() *Database { + return nil +} + +func (_ *Collection) DeleteMany(_ context.Context, _ interface{}, _ ...*interface{}) (*DeleteResult, error) { + return nil, nil +} + +func (_ *Collection) DeleteOne(_ context.Context, _ interface{}, _ ...*interface{}) (*DeleteResult, error) { + return nil, nil +} + +func (_ *Collection) Distinct(_ context.Context, _ string, _ interface{}, _ ...*interface{}) ([]interface{}, error) { + return nil, nil +} + +func (_ *Collection) Drop(_ context.Context) error { + return nil +} + +func (_ *Collection) EstimatedDocumentCount(_ context.Context, _ ...*interface{}) (int64, error) { + return 0, nil +} + +func (_ *Collection) Find(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Collection) FindOne(_ context.Context, _ interface{}, _ ...*interface{}) *SingleResult { + return nil +} + +func (_ *Collection) FindOneAndDelete(_ context.Context, _ interface{}, _ ...*interface{}) *SingleResult { + return nil +} + +func (_ *Collection) FindOneAndReplace(_ context.Context, _ interface{}, _ interface{}, _ 
...*interface{}) *SingleResult { + return nil +} + +func (_ *Collection) FindOneAndUpdate(_ context.Context, _ interface{}, _ interface{}, _ ...*interface{}) *SingleResult { + return nil +} + +func (_ *Collection) Indexes() IndexView { + return IndexView{} +} + +func (_ *Collection) InsertMany(_ context.Context, _ []interface{}, _ ...*interface{}) (*InsertManyResult, error) { + return nil, nil +} + +func (_ *Collection) InsertOne(_ context.Context, _ interface{}, _ ...*interface{}) (*InsertOneResult, error) { + return nil, nil +} + +func (_ *Collection) Name() string { + return "" +} + +func (_ *Collection) ReplaceOne(_ context.Context, _ interface{}, _ interface{}, _ ...*interface{}) (*UpdateResult, error) { + return nil, nil +} + +func (_ *Collection) UpdateMany(_ context.Context, _ interface{}, _ interface{}, _ ...*interface{}) (*UpdateResult, error) { + return nil, nil +} + +func (_ *Collection) UpdateOne(_ context.Context, _ interface{}, _ interface{}, _ ...*interface{}) (*UpdateResult, error) { + return nil, nil +} + +func (_ *Collection) Watch(_ context.Context, _ interface{}, _ ...*interface{}) (*ChangeStream, error) { + return nil, nil +} + +type Cursor struct { + Current interface{} +} + +func (_ *Cursor) All(_ context.Context, _ interface{}) error { + return nil +} + +func (_ *Cursor) Close(_ context.Context) error { + return nil +} + +func (_ *Cursor) Decode(_ interface{}) error { + return nil +} + +func (_ *Cursor) Err() error { + return nil +} + +func (_ *Cursor) ID() int64 { + return 0 +} + +func (_ *Cursor) Next(_ context.Context) bool { + return false +} + +func (_ *Cursor) TryNext(_ context.Context) bool { + return false +} + +type Database struct{} + +func (_ *Database) Aggregate(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Database) Client() *Client { + return nil +} + +func (_ *Database) Collection(_ string, _ ...*interface{}) *Collection { + return nil +} + +func (_ *Database) Drop(_ 
context.Context) error { + return nil +} + +func (_ *Database) ListCollectionNames(_ context.Context, _ interface{}, _ ...*interface{}) ([]string, error) { + return nil, nil +} + +func (_ *Database) ListCollections(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Database) Name() string { + return "" +} + +func (_ *Database) ReadConcern() *interface{} { + return nil +} + +func (_ *Database) ReadPreference() *interface{} { + return nil +} + +func (_ *Database) RunCommand(_ context.Context, _ interface{}, _ ...*interface{}) *SingleResult { + return nil +} + +func (_ *Database) RunCommandCursor(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Database) Watch(_ context.Context, _ interface{}, _ ...*interface{}) (*ChangeStream, error) { + return nil, nil +} + +func (_ *Database) WriteConcern() *interface{} { + return nil +} + +type DatabaseSpecification struct { + Name string + SizeOnDisk int64 + Empty bool +} + +type DeleteResult struct { + DeletedCount int64 +} + +type IndexModel struct { + Keys interface{} + Options *interface{} +} + +type IndexView struct{} + +func (_ IndexView) CreateMany(_ context.Context, _ []IndexModel, _ ...*interface{}) ([]string, error) { + return nil, nil +} + +func (_ IndexView) CreateOne(_ context.Context, _ IndexModel, _ ...*interface{}) (string, error) { + return "", nil +} + +func (_ IndexView) DropAll(_ context.Context, _ ...*interface{}) (interface{}, error) { + return nil, nil +} + +func (_ IndexView) DropOne(_ context.Context, _ string, _ ...*interface{}) (interface{}, error) { + return nil, nil +} + +func (_ IndexView) List(_ context.Context, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +type InsertManyResult struct { + InsertedIDs []interface{} +} + +type InsertOneResult struct { + InsertedID interface{} +} + +type ListDatabasesResult struct { + Databases []DatabaseSpecification + TotalSize int64 +} + 
+type Pipeline []interface{} + +type Session interface { + AbortTransaction(_ context.Context) error + AdvanceClusterTime(_ interface{}) error + AdvanceOperationTime(_ *interface{}) error + Client() *Client + ClusterTime() interface{} + CommitTransaction(_ context.Context) error + EndSession(_ context.Context) + OperationTime() *interface{} + StartTransaction(_ ...*interface{}) error + WithTransaction(_ context.Context, _ func(SessionContext) (interface{}, error), _ ...*interface{}) (interface{}, error) +} + +type SessionContext interface { + AbortTransaction(_ context.Context) error + AdvanceClusterTime(_ interface{}) error + AdvanceOperationTime(_ *interface{}) error + Client() *Client + ClusterTime() interface{} + CommitTransaction(_ context.Context) error + Deadline() (time.Time, bool) + Done() <-chan struct{} + EndSession(_ context.Context) + Err() error + OperationTime() *interface{} + StartTransaction(_ ...*interface{}) error + Value(_ interface{}) interface{} + WithTransaction(_ context.Context, _ func(SessionContext) (interface{}, error), _ ...*interface{}) (interface{}, error) +} + +type SingleResult struct{} + +func (_ *SingleResult) Decode(_ interface{}) error { + return nil +} + +func (_ *SingleResult) DecodeBytes() (interface{}, error) { + return nil, nil +} + +func (_ *SingleResult) Err() error { + return nil +} + +type UpdateResult struct { + MatchedCount int64 + ModifiedCount int64 + UpsertedCount int64 + UpsertedID interface{} +} + +func (_ *UpdateResult) UnmarshalBSON(_ []byte) error { + return nil +} + +type WriteModel interface{} diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/modules.txt new file mode 100644 index 00000000000..bcea2f371ea --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/modules.txt @@ -0,0 +1,3 @@ +# go.mongodb.org/mongo-driver v1.3.2 +## explicit +go.mongodb.org/mongo-driver 
diff --git a/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
index e2ff8cbd7ec..89f2978af2f 100644
--- a/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
+++ b/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
@@ -41,6 +41,20 @@ edges
 | main.go:60:3:60:25 | selection of Category : slice type | main.go:61:11:61:11 | q |
 | main.go:60:4:60:15 | star expression [Category] : slice type | main.go:60:3:60:25 | selection of Category : slice type |
 | main.go:60:5:60:15 | RequestData [pointer, Category] | main.go:60:4:60:15 | star expression [Category] : slice type |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:57:22:57:29 | pipeline |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:61:27:61:32 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:63:23:63:28 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:64:22:64:27 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:66:32:66:37 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:69:17:69:22 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:70:20:70:25 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:71:29:71:34 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:72:30:72:35 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:73:29:73:34 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:78:23:78:28 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:79:23:79:28 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:80:22:80:27 | filter |
+| mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:81:18:81:25 | pipeline |
 nodes
 | SqlInjection.go:11:3:11:9 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
 | SqlInjection.go:12:11:12:11 | q | semmle.label | q |
@@ -92,6 +106,21 @@ nodes
 | main.go:60:4:60:15 | star expression [Category] : slice type | semmle.label | star expression [Category] : slice type |
 | main.go:60:5:60:15 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
 | main.go:61:11:61:11 | q | semmle.label | q |
+| mongoDB.go:40:20:40:30 | call to Referer : string | semmle.label | call to Referer : string |
+| mongoDB.go:57:22:57:29 | pipeline | semmle.label | pipeline |
+| mongoDB.go:61:27:61:32 | filter | semmle.label | filter |
+| mongoDB.go:63:23:63:28 | filter | semmle.label | filter |
+| mongoDB.go:64:22:64:27 | filter | semmle.label | filter |
+| mongoDB.go:66:32:66:37 | filter | semmle.label | filter |
+| mongoDB.go:69:17:69:22 | filter | semmle.label | filter |
+| mongoDB.go:70:20:70:25 | filter | semmle.label | filter |
+| mongoDB.go:71:29:71:34 | filter | semmle.label | filter |
+| mongoDB.go:72:30:72:35 | filter | semmle.label | filter |
+| mongoDB.go:73:29:73:34 | filter | semmle.label | filter |
+| mongoDB.go:78:23:78:28 | filter | semmle.label | filter |
+| mongoDB.go:79:23:79:28 | filter | semmle.label | filter |
+| mongoDB.go:80:22:80:27 | filter | semmle.label | filter |
+| mongoDB.go:81:18:81:25 | pipeline | semmle.label | pipeline |
 #select
 | SqlInjection.go:12:11:12:11 | q | SqlInjection.go:11:3:11:9 | selection of URL : pointer type | SqlInjection.go:12:11:12:11 | q | This query depends on $@. | SqlInjection.go:11:3:11:9 | selection of URL | a user-provided value |
 | issue48.go:22:11:22:12 | q3 | issue48.go:17:25:17:32 | selection of Body : ReadCloser | issue48.go:22:11:22:12 | q3 | This query depends on $@. | issue48.go:17:25:17:32 | selection of Body | a user-provided value |
@@ -104,3 +133,17 @@ nodes
 | main.go:43:11:43:11 | q | main.go:39:25:39:31 | selection of URL : pointer type | main.go:43:11:43:11 | q | This query depends on $@. | main.go:39:25:39:31 | selection of URL | a user-provided value |
 | main.go:52:11:52:11 | q | main.go:48:28:48:34 | selection of URL : pointer type | main.go:52:11:52:11 | q | This query depends on $@. | main.go:48:28:48:34 | selection of URL | a user-provided value |
 | main.go:61:11:61:11 | q | main.go:57:28:57:34 | selection of URL : pointer type | main.go:61:11:61:11 | q | This query depends on $@. | main.go:57:28:57:34 | selection of URL | a user-provided value |
+| mongoDB.go:57:22:57:29 | pipeline | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:57:22:57:29 | pipeline | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:61:27:61:32 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:61:27:61:32 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:63:23:63:28 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:63:23:63:28 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:64:22:64:27 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:64:22:64:27 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:66:32:66:37 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:66:32:66:37 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:69:17:69:22 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:69:17:69:22 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:70:20:70:25 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:70:20:70:25 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:71:29:71:34 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:71:29:71:34 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:72:30:72:35 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:72:30:72:35 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:73:29:73:34 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:73:29:73:34 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:78:23:78:28 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:78:23:78:28 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:79:23:79:28 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:79:23:79:28 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:80:22:80:27 | filter | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:80:22:80:27 | filter | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
+| mongoDB.go:81:18:81:25 | pipeline | mongoDB.go:40:20:40:30 | call to Referer : string | mongoDB.go:81:18:81:25 | pipeline | This query depends on $@. | mongoDB.go:40:20:40:30 | call to Referer | a user-provided value |
diff --git a/ql/test/query-tests/Security/CWE-089/go.mod b/ql/test/query-tests/Security/CWE-089/go.mod
index 9c55bcb4ffc..6101c095cbc 100644
--- a/ql/test/query-tests/Security/CWE-089/go.mod +++ b/ql/test/query-tests/Security/CWE-089/go.mod @@ -4,8 +4,5 @@ go 1.14 require ( github.com/Masterminds/squirrel v1.1.0 - github.com/github/depstubber v0.0.0-20200414023404-c355b630c381 // indirect - github.com/go-sql-driver/mysql v1.5.0 // indirect - github.com/lib/pq v1.3.0 // indirect - github.com/mattn/go-sqlite3 v2.0.3+incompatible // indirect + go.mongodb.org/mongo-driver v1.3.3 ) diff --git a/ql/test/query-tests/Security/CWE-089/mongoDB.go b/ql/test/query-tests/Security/CWE-089/mongoDB.go new file mode 100644 index 00000000000..818f8adb13c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-089/mongoDB.go 
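Review bot: The added require line pins `go.mongodb.org/mongo-driver v1.3.3`, while the library-tests `vendor/modules.txt` introduced earlier in this patch records `v1.3.2`; with `go 1.14` the vendor tree's `modules.txt` must agree with `go.mod` or builds fail with an inconsistent-vendoring error, so confirm the query-tests `vendor/modules.txt` (not visible here) says v1.3.3 and consider aligning both test modules on a single version. The hunk also drops the `// indirect` requires for `github.com/go-sql-driver/mysql`, `github.com/lib/pq` and `github.com/mattn/go-sqlite3`; if any sibling test in this directory still imports those drivers the module will no longer resolve them, so either verify their imports and vendored stubs are gone or keep those three lines.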
@@ -0,0 +1,83 @@ +package main + +//go:generate depstubber -vendor go.mongodb.org/mongo-driver/bson/primitive D +//go:generate depstubber -vendor go.mongodb.org/mongo-driver/mongo Pipeline Connect +//go:generate depstubber -vendor go.mongodb.org/mongo-driver/mongo/options "" Client + +import ( + "context" + "fmt" + "log" + "net/http" + + "go.mongodb.org/mongo-driver/bson" + "go.mongodb.org/mongo-driver/mongo" + "go.mongodb.org/mongo-driver/mongo/options" +) + +func mongo2(w http.ResponseWriter, r *http.Request) { + + // Set client options + clientOptions := options.Client().ApplyURI("mongodb://test:test@localhost:27017") + + // Connect to MongoDB + client, err := mongo.Connect(context.TODO(), clientOptions) + if err != nil { + log.Fatal(err) + } + + // Check the connection + err = client.Ping(context.TODO(), nil) + if err != nil { + log.Fatal(err) + } + + fmt.Println("Connected to MongoDB!") + + // Get a handle for your collection + db := client.Database("test") + coll := db.Collection("collection") + untrustedInput := r.Referer() + + filter := bson.D{{"name", untrustedInput}} + + fieldName := "test" + document := filter + documents := []interface{}{ + document, + bson.D{{"name", "Bob"}}, + } + matchStage := bson.D{{"$match", filter}} + pipeline := mongo.Pipeline{matchStage} + ctx := context.TODO() + replacement := bson.D{{"location", "NYC"}} + update := bson.D{{"$inc", bson.D{{"age", 1}}}} + // models := nil + + coll.Aggregate(ctx, pipeline, nil) + // coll.BulkWrite(ctx, models, nil) + coll.BulkWrite(ctx, nil, nil) + coll.Clone(nil) + coll.CountDocuments(ctx, filter, nil) + coll.Database() + coll.DeleteMany(ctx, filter, nil) + coll.DeleteOne(ctx, filter, nil) + + coll.Distinct(ctx, fieldName, filter) + coll.Drop(ctx) + coll.EstimatedDocumentCount(ctx, nil) + coll.Find(ctx, filter, nil) + coll.FindOne(ctx, filter, nil) + coll.FindOneAndDelete(ctx, filter, nil) + coll.FindOneAndReplace(ctx, filter, nil) + coll.FindOneAndUpdate(ctx, filter, nil) + coll.Indexes() + 
coll.InsertMany(ctx, documents) + coll.InsertOne(ctx, document, nil) + coll.Name() + coll.ReplaceOne(ctx, filter, replacement) + coll.UpdateMany(ctx, filter, update) + coll.UpdateOne(ctx, filter, update) + coll.Watch(ctx, pipeline) + +} diff --git a/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/stub.go b/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/stub.go index 925f13e5a8c..0e85e0f5e84 100644 --- a/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/stub.go +++ b/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/stub.go @@ -1,6 +1,7 @@ // Code generated by depstubber. DO NOT EDIT. // This is a simple stub for github.com/Masterminds/squirrel, strictly for use in testing. +// See the LICENSE file for information about the licensing of the original library. // Source: github.com/Masterminds/squirrel (exports: ; functions: Expr,StatementBuilder) // Package squirrel is a stub of github.com/Masterminds/squirrel, generated by depstubber. @@ -12,25 +13,17 @@ import ( ) type BaseRunner interface { - Exec(_ string, _ ...interface{}) (sql.Result, interface { - Error() string - }) - Query(_ string, _ ...interface{}) (*sql.Rows, interface { - Error() string - }) + Exec(_ string, _ ...interface{}) (sql.Result, error) + Query(_ string, _ ...interface{}) (*sql.Rows, error) } type DeleteBuilder struct{} -func (_ DeleteBuilder) Exec() (sql.Result, interface { - Error() string -}) { +func (_ DeleteBuilder) Exec() (sql.Result, error) { return nil, nil } -func (_ DeleteBuilder) ExecContext(_ context.Context) (sql.Result, interface { - Error() string -}) { +func (_ DeleteBuilder) ExecContext(_ context.Context) (sql.Result, error) { return nil, nil } 
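Review bot: `coll.FindOneAndReplace(ctx, filter, nil)` and `coll.FindOneAndUpdate(ctx, filter, nil)` (lines 72-73 of the new file) pass nil where the driver takes the replacement or update document, so only the filter position of those two methods is exercised even though `replacement` and `update` are already defined above; `coll.FindOneAndReplace(ctx, filter, replacement)` and `coll.FindOneAndUpdate(ctx, filter, update)` would make the fixture match real usage and, since neither value is tainted, should leave the expected results unchanged. Likewise `document := filter` reaches `coll.InsertMany(ctx, documents)` and `coll.InsertOne(ctx, document, nil)`, yet neither call is among the 14 expected results, so the test silently encodes that inserted documents are not sinks; a comment such as `// InsertOne/InsertMany: document payloads are intentionally not modelled as query sinks` would keep a later reader from reading their absence as a regression. Note also that the only tainted value here is a string used as a BSON value in `bson.D{{"name", untrustedInput}}`, which the driver marshals as a plain string rather than an operator document, so a fixture where the filter is decoded from user-supplied JSON would demonstrate the injection this query is meant to catch more convincingly, if the stubs can be extended to cover it.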
@@ -58,9 +51,7 @@ func (_ DeleteBuilder) Prefix(_ string, _ ...interface{}) DeleteBuilder { return DeleteBuilder{} } -func (_ DeleteBuilder) Query() (*sql.Rows, interface { - Error() string -}) { +func (_ DeleteBuilder) Query() (*sql.Rows, error) { return nil, nil } @@ -72,9 +63,7 @@ func (_ DeleteBuilder) Suffix(_ string, _ ...interface{}) DeleteBuilder { return DeleteBuilder{} } -func (_ DeleteBuilder) ToSql() (string, []interface{}, interface { - Error() string -}) { +func (_ DeleteBuilder) ToSql() (string, []interface{}, error) { return "", nil, nil } @@ -92,15 +81,11 @@ func (_ InsertBuilder) Columns(_ ...string) InsertBuilder { return InsertBuilder{} } -func (_ InsertBuilder) Exec() (sql.Result, interface { - Error() string -}) { +func (_ InsertBuilder) Exec() (sql.Result, error) { return nil, nil } -func (_ InsertBuilder) ExecContext(_ context.Context) (sql.Result, interface { - Error() string -}) { +func (_ InsertBuilder) ExecContext(_ context.Context) (sql.Result, error) { return nil, nil } @@ -120,15 +105,11 @@ func (_ InsertBuilder) Prefix(_ string, _ ...interface{}) InsertBuilder { return InsertBuilder{} } -func (_ InsertBuilder) Query() (*sql.Rows, interface { - Error() string -}) { +func (_ InsertBuilder) Query() (*sql.Rows, error) { return nil, nil } -func (_ InsertBuilder) QueryContext(_ context.Context) (*sql.Rows, interface { - Error() string -}) { +func (_ InsertBuilder) QueryContext(_ context.Context) (*sql.Rows, error) { return nil, nil } @@ -144,15 +125,11 @@ func (_ InsertBuilder) RunWith(_ BaseRunner) InsertBuilder { return InsertBuilder{} } -func (_ InsertBuilder) Scan(_ ...interface{}) interface { - Error() string -} { +func (_ InsertBuilder) Scan(_ ...interface{}) error { return nil } -func (_ InsertBuilder) ScanContext(_ context.Context, _ ...interface{}) interface { - Error() string -} { +func (_ InsertBuilder) ScanContext(_ context.Context, _ ...interface{}) error { return nil } 
@@ -168,9 +145,7 @@ func (_ InsertBuilder) Suffix(_ string, _ ...interface{}) InsertBuilder { return InsertBuilder{} } -func (_ InsertBuilder) ToSql() (string, []interface{}, interface { - Error() string -}) { +func (_ InsertBuilder) ToSql() (string, []interface{}, error) { return "", nil, nil } @@ -179,15 +154,11 @@ func (_ InsertBuilder) Values(_ ...interface{}) InsertBuilder { } type PlaceholderFormat interface { - ReplacePlaceholders(_ string) (string, interface { - Error() string - }) + ReplacePlaceholders(_ string) (string, error) } type RowScanner interface { - Scan(_ ...interface{}) interface { - Error() string - } + Scan(_ ...interface{}) error } type SelectBuilder struct{} @@ -204,15 +175,11 @@ func (_ SelectBuilder) Distinct() SelectBuilder { return SelectBuilder{} } -func (_ SelectBuilder) Exec() (sql.Result, interface { - Error() string -}) { +func (_ SelectBuilder) Exec() (sql.Result, error) { return nil, nil } -func (_ SelectBuilder) ExecContext(_ context.Context) (sql.Result, interface { - Error() string -}) { +func (_ SelectBuilder) ExecContext(_ context.Context) (sql.Result, error) { return nil, nil } @@ -272,15 +239,11 @@ func (_ SelectBuilder) Prefix(_ string, _ ...interface{}) SelectBuilder { return SelectBuilder{} } -func (_ SelectBuilder) Query() (*sql.Rows, interface { - Error() string -}) { +func (_ SelectBuilder) Query() (*sql.Rows, error) { return nil, nil } -func (_ SelectBuilder) QueryContext(_ context.Context) (*sql.Rows, interface { - Error() string -}) { +func (_ SelectBuilder) QueryContext(_ context.Context) (*sql.Rows, error) { return nil, nil } 
@@ -304,15 +267,11 @@ func (_ SelectBuilder) RunWith(_ BaseRunner) SelectBuilder { return SelectBuilder{} } -func (_ SelectBuilder) Scan(_ ...interface{}) interface { - Error() string -} { +func (_ SelectBuilder) Scan(_ ...interface{}) error { return nil } -func (_ SelectBuilder) ScanContext(_ context.Context, _ ...interface{}) interface { - Error() string -} { +func (_ SelectBuilder) ScanContext(_ context.Context, _ ...interface{}) error { return nil } @@ -320,9 +279,7 @@ func (_ SelectBuilder) Suffix(_ string, _ ...interface{}) SelectBuilder { return SelectBuilder{} } -func (_ SelectBuilder) ToSql() (string, []interface{}, interface { - Error() string -}) { +func (_ SelectBuilder) ToSql() (string, []interface{}, error) { return "", nil, nil } @@ -360,15 +317,11 @@ func (_ StatementBuilderType) Update(_ string) UpdateBuilder { type UpdateBuilder struct{} -func (_ UpdateBuilder) Exec() (sql.Result, interface { - Error() string -}) { +func (_ UpdateBuilder) Exec() (sql.Result, error) { return nil, nil } -func (_ UpdateBuilder) ExecContext(_ context.Context) (sql.Result, interface { - Error() string -}) { +func (_ UpdateBuilder) ExecContext(_ context.Context) (sql.Result, error) { return nil, nil } @@ -392,15 +345,11 @@ func (_ UpdateBuilder) Prefix(_ string, _ ...interface{}) UpdateBuilder { return UpdateBuilder{} } -func (_ UpdateBuilder) Query() (*sql.Rows, interface { - Error() string -}) { +func (_ UpdateBuilder) Query() (*sql.Rows, error) { return nil, nil } -func (_ UpdateBuilder) QueryContext(_ context.Context) (*sql.Rows, interface { - Error() string -}) { +func (_ UpdateBuilder) QueryContext(_ context.Context) (*sql.Rows, error) { return nil, nil } 
@@ -416,15 +365,11 @@ func (_ UpdateBuilder) RunWith(_ BaseRunner) UpdateBuilder { return UpdateBuilder{} } -func (_ UpdateBuilder) Scan(_ ...interface{}) interface { - Error() string -} { +func (_ UpdateBuilder) Scan(_ ...interface{}) error { return nil } -func (_ UpdateBuilder) ScanContext(_ context.Context, _ ...interface{}) interface { - Error() string -} { +func (_ UpdateBuilder) ScanContext(_ context.Context, _ ...interface{}) error { return nil } @@ -444,9 +389,7 @@ func (_ UpdateBuilder) Table(_ string) UpdateBuilder { return UpdateBuilder{} } -func (_ UpdateBuilder) ToSql() (string, []interface{}, interface { - Error() string -}) { +func (_ UpdateBuilder) ToSql() (string, []interface{}, error) { return "", nil, nil } diff --git a/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/LICENSE b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/LICENSE new file mode 100644 index 00000000000..261eeb9e9f8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/LICENSE 
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go
new file mode 100644
index 00000000000..6f07aaff4ee
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go
@@ -0,0 +1,23 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for go.mongodb.org/mongo-driver/bson/primitive, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: go.mongodb.org/mongo-driver/bson/primitive (exports: D; functions: ) + +// Package primitive is a stub of go.mongodb.org/mongo-driver/bson/primitive, generated by depstubber. +package primitive + +import () + +type D []E + +func (_ D) Map() M { + return nil +} + +type E struct { + Key string + Value interface{} +} + +type M map[string]interface{} diff --git a/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/stub.go b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/stub.go new file mode 100644 index 00000000000..de80f55501f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/stub.go @@ -0,0 +1,5 @@ +package bson + +import "go.mongodb.org/mongo-driver/bson/primitive" + +type D = primitive.D diff --git a/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/mongo/options/stub.go b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/mongo/options/stub.go new file mode 100644 index 00000000000..a9275c51610 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/mongo/options/stub.go 
@@ -0,0 +1,217 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for go.mongodb.org/mongo-driver/mongo/options, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: go.mongodb.org/mongo-driver/mongo/options (exports: ; functions: Client) + +// Package options is a stub of go.mongodb.org/mongo-driver/mongo/options, generated by depstubber. +package options + +import ( + context "context" + tls "crypto/tls" + net "net" + time "time" +) + +type AutoEncryptionOptions struct { + KeyVaultClientOptions *ClientOptions + KeyVaultNamespace string + KmsProviders map[string]map[string]interface{} + SchemaMap map[string]interface{} + BypassAutoEncryption *bool + ExtraOptions map[string]interface{} +} + +func (_ *AutoEncryptionOptions) SetBypassAutoEncryption(_ bool) *AutoEncryptionOptions { + return nil +} + +func (_ *AutoEncryptionOptions) SetExtraOptions(_ map[string]interface{}) *AutoEncryptionOptions { + return nil +} + +func (_ *AutoEncryptionOptions) SetKeyVaultClientOptions(_ *ClientOptions) *AutoEncryptionOptions { + return nil +} + +func (_ *AutoEncryptionOptions) SetKeyVaultNamespace(_ string) *AutoEncryptionOptions { + return nil +} + +func (_ *AutoEncryptionOptions) SetKmsProviders(_ map[string]map[string]interface{}) *AutoEncryptionOptions { + return nil +} + +func (_ *AutoEncryptionOptions) SetSchemaMap(_ map[string]interface{}) *AutoEncryptionOptions { + return nil +} + +func Client() *ClientOptions { + return nil +} + +type ClientOptions struct { + AppName *string + Auth *Credential + ConnectTimeout *time.Duration + Compressors []string + Dialer ContextDialer + HeartbeatInterval *time.Duration + Hosts []string + LocalThreshold *time.Duration + MaxConnIdleTime *time.Duration + MaxPoolSize *uint64 + MinPoolSize *uint64 + PoolMonitor *interface{} + Monitor *interface{} + ReadConcern *interface{} + ReadPreference *interface{} + Registry *interface{} + ReplicaSet 
*string + RetryWrites *bool + RetryReads *bool + ServerSelectionTimeout *time.Duration + Direct *bool + SocketTimeout *time.Duration + TLSConfig *tls.Config + WriteConcern *interface{} + ZlibLevel *int + ZstdLevel *int + AutoEncryptionOptions *AutoEncryptionOptions + AuthenticateToAnything *bool + Deployment interface{} +} + +func (_ *ClientOptions) ApplyURI(_ string) *ClientOptions { + return nil +} + +func (_ *ClientOptions) GetURI() string { + return "" +} + +func (_ *ClientOptions) SetAppName(_ string) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetAuth(_ Credential) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetAutoEncryptionOptions(_ *AutoEncryptionOptions) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetCompressors(_ []string) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetConnectTimeout(_ time.Duration) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetDialer(_ ContextDialer) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetDirect(_ bool) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetHeartbeatInterval(_ time.Duration) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetHosts(_ []string) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetLocalThreshold(_ time.Duration) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetMaxConnIdleTime(_ time.Duration) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetMaxPoolSize(_ uint64) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetMinPoolSize(_ uint64) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetMonitor(_ *interface{}) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetPoolMonitor(_ *interface{}) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetReadConcern(_ *interface{}) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetReadPreference(_ *interface{}) *ClientOptions { + return nil +} + +func (_ 
*ClientOptions) SetRegistry(_ *interface{}) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetReplicaSet(_ string) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetRetryReads(_ bool) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetRetryWrites(_ bool) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetServerSelectionTimeout(_ time.Duration) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetSocketTimeout(_ time.Duration) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetTLSConfig(_ *tls.Config) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetWriteConcern(_ *interface{}) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetZlibLevel(_ int) *ClientOptions { + return nil +} + +func (_ *ClientOptions) SetZstdLevel(_ int) *ClientOptions { + return nil +} + +func (_ *ClientOptions) Validate() error { + return nil +} + +type ContextDialer interface { + DialContext(_ context.Context, _ string, _ string) (net.Conn, error) +} + +type Credential struct { + AuthMechanism string + AuthMechanismProperties map[string]string + AuthSource string + Username string + Password string + PasswordSet bool +} diff --git a/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/mongo/stub.go b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/mongo/stub.go new file mode 100644 index 00000000000..1a06732dbb1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/mongo/stub.go 
@@ -0,0 +1,393 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for go.mongodb.org/mongo-driver/mongo, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: go.mongodb.org/mongo-driver/mongo (exports: Pipeline; functions: Connect) + +// Package mongo is a stub of go.mongodb.org/mongo-driver/mongo, generated by depstubber. +package mongo + +import ( + context "context" + time "time" +) + +type BulkWriteResult struct { + InsertedCount int64 + MatchedCount int64 + ModifiedCount int64 + DeletedCount int64 + UpsertedCount int64 + UpsertedIDs map[int64]interface{} +} + +type ChangeStream struct { + Current interface{} +} + +func (_ *ChangeStream) Close(_ context.Context) error { + return nil +} + +func (_ *ChangeStream) Decode(_ interface{}) error { + return nil +} + +func (_ *ChangeStream) Err() error { + return nil +} + +func (_ *ChangeStream) ID() int64 { + return 0 +} + +func (_ *ChangeStream) Next(_ context.Context) bool { + return false +} + +func (_ *ChangeStream) ResumeToken() interface{} { + return nil +} + +func (_ *ChangeStream) TryNext(_ context.Context) bool { + return false +} + +type Client struct{} + +func (_ *Client) Connect(_ context.Context) error { + return nil +} + +func (_ *Client) Database(_ string, _ ...*interface{}) *Database { + return nil +} + +func (_ *Client) Disconnect(_ context.Context) error { + return nil +} + +func (_ *Client) ListDatabaseNames(_ context.Context, _ interface{}, _ ...*interface{}) ([]string, error) { + return nil, nil +} + +func (_ *Client) ListDatabases(_ context.Context, _ interface{}, _ ...*interface{}) (ListDatabasesResult, error) { + return ListDatabasesResult{}, nil +} + +func (_ *Client) NumberSessionsInProgress() int { + return 0 +} + +func (_ *Client) Ping(_ context.Context, _ *interface{}) error { + return nil +} + +func (_ *Client) StartSession(_ ...*interface{}) (Session, error) { + return nil, nil +} + +func 
(_ *Client) UseSession(_ context.Context, _ func(SessionContext) error) error { + return nil +} + +func (_ *Client) UseSessionWithOptions(_ context.Context, _ *interface{}, _ func(SessionContext) error) error { + return nil +} + +func (_ *Client) Watch(_ context.Context, _ interface{}, _ ...*interface{}) (*ChangeStream, error) { + return nil, nil +} + +type Collection struct{} + +func (_ *Collection) Aggregate(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Collection) BulkWrite(_ context.Context, _ []WriteModel, _ ...*interface{}) (*BulkWriteResult, error) { + return nil, nil +} + +func (_ *Collection) Clone(_ ...*interface{}) (*Collection, error) { + return nil, nil +} + +func (_ *Collection) CountDocuments(_ context.Context, _ interface{}, _ ...*interface{}) (int64, error) { + return 0, nil +} + +func (_ *Collection) Database() *Database { + return nil +} + +func (_ *Collection) DeleteMany(_ context.Context, _ interface{}, _ ...*interface{}) (*DeleteResult, error) { + return nil, nil +} + +func (_ *Collection) DeleteOne(_ context.Context, _ interface{}, _ ...*interface{}) (*DeleteResult, error) { + return nil, nil +} + +func (_ *Collection) Distinct(_ context.Context, _ string, _ interface{}, _ ...*interface{}) ([]interface{}, error) { + return nil, nil +} + +func (_ *Collection) Drop(_ context.Context) error { + return nil +} + +func (_ *Collection) EstimatedDocumentCount(_ context.Context, _ ...*interface{}) (int64, error) { + return 0, nil +} + +func (_ *Collection) Find(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Collection) FindOne(_ context.Context, _ interface{}, _ ...*interface{}) *SingleResult { + return nil +} + +func (_ *Collection) FindOneAndDelete(_ context.Context, _ interface{}, _ ...*interface{}) *SingleResult { + return nil +} + +func (_ *Collection) FindOneAndReplace(_ context.Context, _ interface{}, _ interface{}, _ 
...*interface{}) *SingleResult { + return nil +} + +func (_ *Collection) FindOneAndUpdate(_ context.Context, _ interface{}, _ interface{}, _ ...*interface{}) *SingleResult { + return nil +} + +func (_ *Collection) Indexes() IndexView { + return IndexView{} +} + +func (_ *Collection) InsertMany(_ context.Context, _ []interface{}, _ ...*interface{}) (*InsertManyResult, error) { + return nil, nil +} + +func (_ *Collection) InsertOne(_ context.Context, _ interface{}, _ ...*interface{}) (*InsertOneResult, error) { + return nil, nil +} + +func (_ *Collection) Name() string { + return "" +} + +func (_ *Collection) ReplaceOne(_ context.Context, _ interface{}, _ interface{}, _ ...*interface{}) (*UpdateResult, error) { + return nil, nil +} + +func (_ *Collection) UpdateMany(_ context.Context, _ interface{}, _ interface{}, _ ...*interface{}) (*UpdateResult, error) { + return nil, nil +} + +func (_ *Collection) UpdateOne(_ context.Context, _ interface{}, _ interface{}, _ ...*interface{}) (*UpdateResult, error) { + return nil, nil +} + +func (_ *Collection) Watch(_ context.Context, _ interface{}, _ ...*interface{}) (*ChangeStream, error) { + return nil, nil +} + +func Connect(_ context.Context, _ ...*interface{}) (*Client, error) { + return nil, nil +} + +type Cursor struct { + Current interface{} +} + +func (_ *Cursor) All(_ context.Context, _ interface{}) error { + return nil +} + +func (_ *Cursor) Close(_ context.Context) error { + return nil +} + +func (_ *Cursor) Decode(_ interface{}) error { + return nil +} + +func (_ *Cursor) Err() error { + return nil +} + +func (_ *Cursor) ID() int64 { + return 0 +} + +func (_ *Cursor) Next(_ context.Context) bool { + return false +} + +func (_ *Cursor) TryNext(_ context.Context) bool { + return false +} + +type Database struct{} + +func (_ *Database) Aggregate(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Database) Client() *Client { + return nil +} + +func (_ *Database) 
Collection(_ string, _ ...*interface{}) *Collection { + return nil +} + +func (_ *Database) Drop(_ context.Context) error { + return nil +} + +func (_ *Database) ListCollectionNames(_ context.Context, _ interface{}, _ ...*interface{}) ([]string, error) { + return nil, nil +} + +func (_ *Database) ListCollections(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Database) Name() string { + return "" +} + +func (_ *Database) ReadConcern() *interface{} { + return nil +} + +func (_ *Database) ReadPreference() *interface{} { + return nil +} + +func (_ *Database) RunCommand(_ context.Context, _ interface{}, _ ...*interface{}) *SingleResult { + return nil +} + +func (_ *Database) RunCommandCursor(_ context.Context, _ interface{}, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +func (_ *Database) Watch(_ context.Context, _ interface{}, _ ...*interface{}) (*ChangeStream, error) { + return nil, nil +} + +func (_ *Database) WriteConcern() *interface{} { + return nil +} + +type DatabaseSpecification struct { + Name string + SizeOnDisk int64 + Empty bool +} + +type DeleteResult struct { + DeletedCount int64 +} + +type IndexModel struct { + Keys interface{} + Options *interface{} +} + +type IndexView struct{} + +func (_ IndexView) CreateMany(_ context.Context, _ []IndexModel, _ ...*interface{}) ([]string, error) { + return nil, nil +} + +func (_ IndexView) CreateOne(_ context.Context, _ IndexModel, _ ...*interface{}) (string, error) { + return "", nil +} + +func (_ IndexView) DropAll(_ context.Context, _ ...*interface{}) (interface{}, error) { + return nil, nil +} + +func (_ IndexView) DropOne(_ context.Context, _ string, _ ...*interface{}) (interface{}, error) { + return nil, nil +} + +func (_ IndexView) List(_ context.Context, _ ...*interface{}) (*Cursor, error) { + return nil, nil +} + +type InsertManyResult struct { + InsertedIDs []interface{} +} + +type InsertOneResult struct { + InsertedID interface{} +} 
+ +type ListDatabasesResult struct { + Databases []DatabaseSpecification + TotalSize int64 +} + +type Pipeline []interface{} + +type Session interface { + AbortTransaction(_ context.Context) error + AdvanceClusterTime(_ interface{}) error + AdvanceOperationTime(_ *interface{}) error + Client() *Client + ClusterTime() interface{} + CommitTransaction(_ context.Context) error + EndSession(_ context.Context) + OperationTime() *interface{} + StartTransaction(_ ...*interface{}) error + WithTransaction(_ context.Context, _ func(SessionContext) (interface{}, error), _ ...*interface{}) (interface{}, error) +} + +type SessionContext interface { + AbortTransaction(_ context.Context) error + AdvanceClusterTime(_ interface{}) error + AdvanceOperationTime(_ *interface{}) error + Client() *Client + ClusterTime() interface{} + CommitTransaction(_ context.Context) error + Deadline() (time.Time, bool) + Done() <-chan struct{} + EndSession(_ context.Context) + Err() error + OperationTime() *interface{} + StartTransaction(_ ...*interface{}) error + Value(_ interface{}) interface{} + WithTransaction(_ context.Context, _ func(SessionContext) (interface{}, error), _ ...*interface{}) (interface{}, error) +} + +type SingleResult struct{} + +func (_ *SingleResult) Decode(_ interface{}) error { + return nil +} + +func (_ *SingleResult) DecodeBytes() (interface{}, error) { + return nil, nil +} + +func (_ *SingleResult) Err() error { + return nil +} + +type UpdateResult struct { + MatchedCount int64 + ModifiedCount int64 + UpsertedCount int64 + UpsertedID interface{} +} + +func (_ *UpdateResult) UnmarshalBSON(_ []byte) error { + return nil +} + +type WriteModel interface{} diff --git a/ql/test/query-tests/Security/CWE-089/vendor/modules.txt b/ql/test/query-tests/Security/CWE-089/vendor/modules.txt index c32aa371c7a..ddbc30953a2 100644 --- a/ql/test/query-tests/Security/CWE-089/vendor/modules.txt +++ b/ql/test/query-tests/Security/CWE-089/vendor/modules.txt 
@@ -1,15 +1,6 @@
 # github.com/Masterminds/squirrel v1.1.0
 ## explicit
 github.com/Masterminds/squirrel
-# github.com/github/depstubber v0.0.0-20200414023404-c355b630c381
+# go.mongodb.org/mongo-driver v1.3.3
 ## explicit
-github.com/github/depstubber
-# github.com/go-sql-driver/mysql v1.5.0
-## explicit
-github.com/go-sql-driver/mysql
-# github.com/lib/pq v1.3.0
-## explicit
-github.com/lib/pq
-# github.com/mattn/go-sqlite3 v2.0.3+incompatible
-## explicit
-github.com/mattn/go-sqlite3
+go.mongodb.org/mongo-driver