Add support for Bun library

go/ql/lib/change-notes/2023-06-28--add-support-for-bun-framework.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Support for the bun framework has been added.
+

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -289,3 +289,52 @@ module Xorm {
     }
   }
 }
+
+/**
+ * Provides classes for working with the [Bun](https://bun.uptrace.dev/) package.
+ */
+module Bun {
+  /** Gets the package name for Xorm. */
+  string packagePath() { result = package("github.com/uptrace/bun", "") }
+
+  /** A model for sinks of XORM. */
+  private class BunSink extends SQL::QueryString::Range {
+    BunSink() {
+      exists(Function f, int arg |
+        f.(Method)
+            .hasQualifiedName(packagePath(), ["DB", "Conn"],
+              ["ExecContext", "PrepareContext", "QueryContext", "QueryRowContext"]) and
+        arg = 1
+        or
+        f.(Method)
+            .hasQualifiedName(packagePath(), ["DB", "Conn"],
+              ["Exec", "NewRaw", "Prepare", "Query", "QueryRow", "Raw"]) and
+        arg = 0
+        or
+        exists(string tp, string m | f.(Method).hasQualifiedName(packagePath(), tp, m) |
+          tp.matches("%Query") and
+          m =
+            [
+              "ColumnExpr", "DistinctOn", "For", "GroupExpr", "Having", "ModelTableExpr",
+              "OrderExpr", "TableExpr", "Where", "WhereIn", "WhereInMulti", "WhereOr"
+            ] and
+          arg = 0
+          or
+          tp.matches("%Query") and
+          m = ["FormatQuery", "With", "WithRecursive"] and
+          arg = 1
+          or
+          tp = "RawQuery" and
+          m = ["NewRaw"] and
+          arg = 0
+          or
+          tp = "RawQuery" and
+          m = ["NewRawQuery"] and
+          arg = 1
+        )
+      |
+        this = f.getACall().getArgument(arg)
+      )
+    }
+  }
+}

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.expected

@@ -0,0 +1,16 @@
+| bun.go:27:10:27:18 | untrusted | github.com/uptrace/bun | DB | Exec |
+| bun.go:28:22:28:30 | untrusted | github.com/uptrace/bun | DB | ExecContext |
+| bun.go:29:26:29:34 | untrusted | github.com/uptrace/bun | DB | QueryRowContext |
+| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | SelectQuery | ColumnExpr |
+| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | countQuery | ColumnExpr |
+| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | selectExistsQuery | ColumnExpr |
+| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | selectQueryBuilder | ColumnExpr |
+| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | whereExistsQuery | ColumnExpr |
+| bun.go:31:12:31:20 | untrusted | github.com/uptrace/bun | DB | NewRaw |
+| bun.go:32:23:32:31 | untrusted | github.com/uptrace/bun | DB | QueryContext |
+| bun.go:33:26:33:34 | untrusted | github.com/uptrace/bun | DB | QueryRowContext |
+| bun.go:34:14:34:22 | untrusted | github.com/uptrace/bun | DB | QueryRow |
+| bun.go:35:9:35:17 | untrusted | github.com/uptrace/bun | DB | Raw |
+| bun.go:36:11:36:19 | untrusted | github.com/uptrace/bun | DB | Query |
+| bun.go:37:13:37:21 | untrusted | github.com/uptrace/bun | DB | Prepare |
+| bun.go:38:25:38:33 | untrusted | github.com/uptrace/bun | DB | PrepareContext |

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"context"
+	"database/sql"
+
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/dialect/sqlitedialect"
+	"github.com/uptrace/bun/driver/sqliteshim"
+	"github.com/uptrace/bun/extra/bundebug"
+)
+
+func getUntrustedString() string {
+	return "trouble"
+}
+
+func main() {
+	untrusted := getUntrustedString()
+
+	var num int
+	ctx := context.Background()
+	sqlite, err := sql.Open(sqliteshim.ShimName, "file::memory:?cache=shared")
+	if err != nil {
+		panic(err)
+	}
+	db := bun.NewDB(sqlite, sqlitedialect.New())
+	db.Exec(untrusted)
+	db.ExecContext(ctx, untrusted)
+	db.QueryRowContext(ctx, untrusted).Scan(&num)
+	db.NewSelect().ColumnExpr(untrusted).Exec(ctx)
+	db.NewRaw(untrusted).Scan(ctx, &num)
+	db.QueryContext(ctx, untrusted)
+	db.QueryRowContext(ctx, untrusted)
+	db.QueryRow(untrusted)
+	db.Raw(untrusted)
+	db.Query(untrusted)
+	db.Prepare(untrusted)
+	db.PrepareContext(ctx, untrusted)
+}

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.ql

@@ -0,0 +1,5 @@
+import go
+
+from SQL::QueryString qs, Method meth, string a, string b, string c
+where meth.hasQualifiedName(a, b, c) and qs = meth.getACall().getSyntacticArgument(_)
+select qs, a, b, c

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/db/codeql-database.yml

@@ -0,0 +1,10 @@
+---
+sourceLocationPrefix: /Users/pwntester/src/github.com/github/codeql/go/ql/test/library-tests/semmle/go/frameworks/SQL/bun
+baselineLinesOfCode: 549377
+unicodeNewlines: false
+columnKind: utf8
+primaryLanguage: go
+creationMetadata:
+  cliVersion: 2.13.3
+  creationTime: 2023-06-28T10:24:43.573371Z
+finalised: true