Golang : Add SQL sinks for gorqlite and GoFrame frameworks

2026-04-19 14:04:09 +02:00 · 2022-06-03 22:18:31 +05:30
parent 79d8444b94
commit 15c58dee5f
15 changed files with 1604 additions and 0 deletions
--- a/go/ql/lib/change-notes/2022-12-03-gorqlite-goframe.md
+++ b/go/ql/lib/change-notes/2022-12-03-gorqlite-goframe.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Queries that care about SQL, such as `go/sql-injection`, now recognise SQL-consuming functions belonging to the `gorqlite` and `GoFrame` packages.
--- a/go/ql/lib/semmle/go/frameworks/SQL.qll
+++ b/go/ql/lib/semmle/go/frameworks/SQL.qll
@@ -103,6 +103,14 @@ module SQL {
    /** A string that might identify package `go-pg/pg/orm` or a specific version of it. */
    private string gopgorm() { result = package("github.com/go-pg/pg", "orm") }

+    /** A string that might identify package `github.com/rqlite/gorqlite` or `github.com/raindog308/gorqlite` or a specific version of it. */
+    private string gorqlite() {
+      result = package(["github.com/rqlite/gorqlite", "github.com/raindog308/gorqlite"], "")
+    }
+
+    /** A string that might identify package `github.com/gogf/gf/database/gdb` or a specific version of it. */
+    private string gogf() { result = package("github.com/gogf/gf", "database/gdb") }
+
    /**
     * A string argument to an API of `go-pg/pg` that is directly interpreted as SQL without
     * taking syntactic structure into account.
@@ -152,6 +160,65 @@ module SQL {
      }
    }

+    /**
+     * A string argument to an API of `github.com/rqlite/gorqlite`, or a specific version of it, that is directly interpreted as SQL without
+     * taking syntactic structure into account.
+     */
+    private class GorqliteQueryString extends Range {
+      GorqliteQueryString() {
+        // func (conn *Connection) Query(sqlStatements []string) (results []QueryResult, err error)
+        // func (conn *Connection) QueryOne(sqlStatement string) (qr QueryResult, err error)
+        // func (conn *Connection) Queue(sqlStatements []string) (seq int64, err error)
+        // func (conn *Connection) QueueOne(sqlStatement string) (seq int64, err error)
+        // func (conn *Connection) Write(sqlStatements []string) (results []WriteResult, err error)
+        // func (conn *Connection) WriteOne(sqlStatement string) (wr WriteResult, err error)
+        exists(Method m, string name | m.hasQualifiedName(gorqlite(), "Connection", name) |
+          name = ["Query", "QueryOne", "Queue", "QueueOne", "Write", "WriteOne"] and
+          this = m.getACall().getArgument(0)
+        )
+      }
+    }
+
+    /**
+     * A string argument to an API of `github.com/gogf/gf/database/gdb`, or a specific version of it, that is directly interpreted as SQL without
+     * taking syntactic structure into account.
+     */
+    private class GogfQueryString extends Range {
+      GogfQueryString() {
+        exists(Method m, string name | m.implements(gogf(), ["DB", "Core", "TX"], name) |
+          // func (c *Core) Exec(sql string, args ...interface{}) (result sql.Result, err error)
+          // func (c *Core) GetAll(sql string, args ...interface{}) (Result, error)
+          // func (c *Core) GetArray(sql string, args ...interface{}) ([]Value, error)
+          // func (c *Core) GetCount(sql string, args ...interface{}) (int, error)
+          // func (c *Core) GetOne(sql string, args ...interface{}) (Record, error)
+          // func (c *Core) GetValue(sql string, args ...interface{}) (Value, error)
+          // func (c *Core) Prepare(sql string, execOnMaster ...bool) (*Stmt, error)
+          // func (c *Core) Query(sql string, args ...interface{}) (rows *sql.Rows, err error)
+          // func (c *Core) Raw(rawSql string, args ...interface{}) *Model
+          name =
+            [
+              "Query", "Exec", "Prepare", "GetAll", "GetOne", "GetValue", "GetArray", "GetCount",
+              "Raw"
+            ] and
+          this = m.getACall().getArgument(0)
+          or
+          // func (c *Core) GetScan(pointer interface{}, sql string, args ...interface{}) error
+          // func (c *Core) GetStruct(pointer interface{}, sql string, args ...interface{}) error
+          // func (c *Core) GetStructs(pointer interface{}, sql string, args ...interface{}) error
+          name = ["GetScan", "GetStruct", "GetStructs"] and
+          this = m.getACall().getArgument(1)
+          or
+          // func (c *Core) DoCommit(ctx context.Context, link Link, sql string, args []interface{}) (newSql string, newArgs []interface{}, err error)
+          // func (c *Core) DoExec(ctx context.Context, link Link, sql string, args ...interface{}) (result sql.Result, err error)
+          // func (c *Core) DoGetAll(ctx context.Context, link Link, sql string, args ...interface{}) (result Result, err error)
+          // func (c *Core) DoPrepare(ctx context.Context, link Link, sql string) (*Stmt, error)
+          // func (c *Core) DoQuery(ctx context.Context, link Link, sql string, args ...interface{}) (rows *sql.Rows, err error)
+          name = ["DoGetAll", "DoQuery", "DoExec", "DoCommit", "DoPrepare"] and
+          this = m.getACall().getArgument(2)
+        )
+      }
+    }
+
    /** A taint model for various methods on the struct `Formatter` of `go-pg/pg/orm`. */
    private class PgOrmFormatterFunction extends TaintTracking::FunctionModel, Method {
      FunctionInput i;
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/go.mod
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/go.mod
@@ -0,0 +1,26 @@
+module main
+
+go 1.19
+
+require github.com/gogf/gf v1.16.9
+
+require (
+	github.com/BurntSushi/toml v0.3.1 // indirect
+	github.com/clbanning/mxj v1.8.5-0.20200714211355-ff02cfb8ea28 // indirect
+	github.com/fatih/color v1.12.0 // indirect
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/go-sql-driver/mysql v1.6.0 // indirect
+	github.com/gomodule/redigo v1.8.5 // indirect
+	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/grokify/html-strip-tags-go v0.0.1 // indirect
+	github.com/mattn/go-colorable v0.1.8 // indirect
+	github.com/mattn/go-isatty v0.0.12 // indirect
+	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	go.opentelemetry.io/otel v1.0.0 // indirect
+	go.opentelemetry.io/otel/trace v1.0.0 // indirect
+	golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 // indirect
+	golang.org/x/sys v0.0.0-20210423082822-04245dca01da // indirect
+	golang.org/x/text v0.3.6 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+)
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.expected
@@ -0,0 +1,47 @@
+| gogf.go:12:9:12:11 | sql |
+| gogf.go:13:11:13:13 | sql |
+| gogf.go:14:13:14:15 | sql |
+| gogf.go:15:13:15:15 | sql |
+| gogf.go:16:11:16:13 | sql |
+| gogf.go:17:13:17:15 | sql |
+| gogf.go:18:12:18:14 | sql |
+| gogf.go:19:10:19:12 | sql |
+| gogf.go:20:8:20:10 | sql |
+| gogf.go:21:17:21:19 | sql |
+| gogf.go:22:19:22:21 | sql |
+| gogf.go:23:20:23:22 | sql |
+| gogf.go:24:23:24:25 | sql |
+| gogf.go:25:21:25:23 | sql |
+| gogf.go:26:23:26:25 | sql |
+| gogf.go:27:22:27:24 | sql |
+| gogf.go:28:24:28:26 | sql |
+| gogf.go:32:9:32:11 | sql |
+| gogf.go:33:11:33:13 | sql |
+| gogf.go:34:13:34:15 | sql |
+| gogf.go:35:13:35:15 | sql |
+| gogf.go:36:11:36:13 | sql |
+| gogf.go:37:13:37:15 | sql |
+| gogf.go:38:12:38:14 | sql |
+| gogf.go:39:10:39:12 | sql |
+| gogf.go:40:8:40:10 | sql |
+| gogf.go:41:17:41:19 | sql |
+| gogf.go:42:23:42:25 | sql |
+| gogf.go:43:21:43:23 | sql |
+| gogf.go:44:23:44:25 | sql |
+| gogf.go:45:22:45:24 | sql |
+| gogf.go:46:24:46:26 | sql |
+| gogf.go:51:9:51:11 | sql |
+| gogf.go:52:11:52:13 | sql |
+| gogf.go:53:13:53:15 | sql |
+| gogf.go:54:13:54:15 | sql |
+| gogf.go:55:11:55:13 | sql |
+| gogf.go:56:13:56:15 | sql |
+| gogf.go:57:12:57:14 | sql |
+| gogf.go:58:10:58:12 | sql |
+| gogf.go:59:8:59:10 | sql |
+| gogf.go:60:17:60:19 | sql |
+| gogf.go:61:23:61:25 | sql |
+| gogf.go:62:21:62:23 | sql |
+| gogf.go:63:23:63:25 | sql |
+| gogf.go:64:22:64:24 | sql |
+| gogf.go:65:24:65:26 | sql |
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.go
@@ -0,0 +1,70 @@
+package main
+
+//go:generate depstubber -vendor github.com/gogf/gf/frame/g "" DB
+//go:generate depstubber -vendor github.com/gogf/gf/database/gdb DB,Core,TX ""
+
+import (
+	"github.com/gogf/gf/database/gdb"
+	"github.com/gogf/gf/frame/g"
+)
+
+func gogfCoreTest(sql string, c *gdb.Core) {
+	c.Exec(sql, nil)               // $ querystring=sql
+	c.GetAll(sql, nil)             // $ querystring=sql
+	c.GetArray(sql, nil)           // $ querystring=sql
+	c.GetCount(sql, nil)           // $ querystring=sql
+	c.GetOne(sql, nil)             // $ querystring=sql
+	c.GetValue(sql, nil)           // $ querystring=sql
+	c.Prepare(sql, true)           // $ querystring=sql
+	c.Query(sql, nil)              // $ querystring=sql
+	c.Raw(sql, nil)                // $ querystring=sql
+	c.GetScan(nil, sql, nil)       // $ querystring=sql
+	c.GetStruct(nil, sql, nil)     // $ querystring=sql
+	c.GetStructs(nil, sql, nil)    // $ querystring=sql
+	c.DoCommit(nil, nil, sql, nil) // $ querystring=sql
+	c.DoExec(nil, nil, sql, nil)   // $ querystring=sql
+	c.DoGetAll(nil, nil, sql, nil) // $ querystring=sql
+	c.DoQuery(nil, nil, sql, nil)  // $ querystring=sql
+	c.DoPrepare(nil, nil, sql)     // $ querystring=sql
+}
+
+func gogfDbtest(sql string, c gdb.DB) {
+	c.Exec(sql, nil)               // $ querystring=sql
+	c.GetAll(sql, nil)             // $ querystring=sql
+	c.GetArray(sql, nil)           // $ querystring=sql
+	c.GetCount(sql, nil)           // $ querystring=sql
+	c.GetOne(sql, nil)             // $ querystring=sql
+	c.GetValue(sql, nil)           // $ querystring=sql
+	c.Prepare(sql, true)           // $ querystring=sql
+	c.Query(sql, nil)              // $ querystring=sql
+	c.Raw(sql, nil)                // $ querystring=sql
+	c.GetScan(nil, sql, nil)       // $ querystring=sql
+	c.DoCommit(nil, nil, sql, nil) // $ querystring=sql
+	c.DoExec(nil, nil, sql, nil)   // $ querystring=sql
+	c.DoGetAll(nil, nil, sql, nil) // $ querystring=sql
+	c.DoQuery(nil, nil, sql, nil)  // $ querystring=sql
+	c.DoPrepare(nil, nil, sql)     // $ querystring=sql
+}
+
+func gogfGTest(sql string) {
+	c := g.DB("ad")
+	c.Exec(sql, nil)               // $ querystring=sql
+	c.GetAll(sql, nil)             // $ querystring=sql
+	c.GetArray(sql, nil)           // $ querystring=sql
+	c.GetCount(sql, nil)           // $ querystring=sql
+	c.GetOne(sql, nil)             // $ querystring=sql
+	c.GetValue(sql, nil)           // $ querystring=sql
+	c.Prepare(sql, true)           // $ querystring=sql
+	c.Query(sql, nil)              // $ querystring=sql
+	c.Raw(sql, nil)                // $ querystring=sql
+	c.GetScan(nil, sql, nil)       // $ querystring=sql
+	c.DoCommit(nil, nil, sql, nil) // $ querystring=sql
+	c.DoExec(nil, nil, sql, nil)   // $ querystring=sql
+	c.DoGetAll(nil, nil, sql, nil) // $ querystring=sql
+	c.DoQuery(nil, nil, sql, nil)  // $ querystring=sql
+	c.DoPrepare(nil, nil, sql)     // $ querystring=sql
+}
+
+func main() {
+	return
+}
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.ql
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.ql
@@ -0,0 +1,4 @@
+import go
+
+from SQL::QueryString qs
+select qs
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/vendor/github.com/gogf/gf/database/gdb/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/vendor/github.com/gogf/gf/database/gdb/stub.go
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/vendor/github.com/gogf/gf/frame/g/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/vendor/github.com/gogf/gf/frame/g/stub.go
@@ -0,0 +1,14 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/gogf/gf/frame/g, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/gogf/gf/frame/g (exports: ; functions: DB)
+
+// Package g is a stub of github.com/gogf/gf/frame/g, generated by depstubber.
+package g
+
+import "github.com/gogf/gf/database/gdb"
+
+func DB(_ ...string) gdb.DB {
+	return nil
+}
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/vendor/modules.txt
@@ -0,0 +1,57 @@
+# github.com/gogf/gf v1.16.9
+## explicit
+github.com/gogf/gf
+# github.com/BurntSushi/toml v0.3.1
+## explicit
+github.com/BurntSushi/toml
+# github.com/clbanning/mxj v1.8.5-0.20200714211355-ff02cfb8ea28
+## explicit
+github.com/clbanning/mxj
+# github.com/fatih/color v1.12.0
+## explicit
+github.com/fatih/color
+# github.com/fsnotify/fsnotify v1.4.9
+## explicit
+github.com/fsnotify/fsnotify
+# github.com/go-sql-driver/mysql v1.6.0
+## explicit
+github.com/go-sql-driver/mysql
+# github.com/gomodule/redigo v1.8.5
+## explicit
+github.com/gomodule/redigo
+# github.com/gorilla/websocket v1.4.2
+## explicit
+github.com/gorilla/websocket
+# github.com/grokify/html-strip-tags-go v0.0.1
+## explicit
+github.com/grokify/html-strip-tags-go
+# github.com/mattn/go-colorable v0.1.8
+## explicit
+github.com/mattn/go-colorable
+# github.com/mattn/go-isatty v0.0.12
+## explicit
+github.com/mattn/go-isatty
+# github.com/mattn/go-runewidth v0.0.9
+## explicit
+github.com/mattn/go-runewidth
+# github.com/olekukonko/tablewriter v0.0.5
+## explicit
+github.com/olekukonko/tablewriter
+# go.opentelemetry.io/otel v1.0.0
+## explicit
+go.opentelemetry.io/otel
+# go.opentelemetry.io/otel/trace v1.0.0
+## explicit
+go.opentelemetry.io/otel/trace
+# golang.org/x/net v0.0.0-20210520170846-37e1c6afe023
+## explicit
+golang.org/x/net
+# golang.org/x/sys v0.0.0-20210423082822-04245dca01da
+## explicit
+golang.org/x/sys
+# golang.org/x/text v0.3.6
+## explicit
+golang.org/x/text
+# gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
+## explicit
+gopkg.in/yaml.v3
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/go.mod
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/go.mod
@@ -0,0 +1,5 @@
+module main
+
+go 1.18
+
+require github.com/rqlite/gorqlite v0.0.0-20220528150909-c4e99ae96be6
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/gorqlite.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/gorqlite.expected
@@ -0,0 +1,6 @@
+| gorqlite.go:11:13:11:16 | sqls |
+| gorqlite.go:12:13:12:16 | sqls |
+| gorqlite.go:13:13:13:16 | sqls |
+| gorqlite.go:14:16:14:18 | sql |
+| gorqlite.go:15:16:15:18 | sql |
+| gorqlite.go:16:16:16:18 | sql |
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/gorqlite.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/gorqlite.go
@@ -0,0 +1,20 @@
+package main
+
+//go:generate depstubber -vendor github.com/rqlite/gorqlite Connection Open
+
+import (
+	"github.com/rqlite/gorqlite"
+)
+
+func gorqlitetest(sql string, sqls []string) {
+	conn, _ := gorqlite.Open("dbUrl")
+	conn.Query(sqls)   // $ querystring=sqls
+	conn.Queue(sqls)   // $ querystring=sqls
+	conn.Write(sqls)   // $ querystring=sqls
+	conn.QueryOne(sql) // $ querystring=sql
+	conn.QueueOne(sql) // $ querystring=sql
+	conn.WriteOne(sql) // $ querystring=sql
+}
+func main() {
+	return
+}
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/gorqlite.ql
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/gorqlite.ql
@@ -0,0 +1,4 @@
+import go
+
+from SQL::QueryString qs
+select qs
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/vendor/github.com/rqlite/gorqlite/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/vendor/github.com/rqlite/gorqlite/stub.go
@@ -0,0 +1,102 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/rqlite/gorqlite, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/rqlite/gorqlite (exports: Connection; functions: Open)
+
+// Package gorqlite is a stub of github.com/rqlite/gorqlite, generated by depstubber.
+package gorqlite
+
+type Connection struct {
+	ID string
+}
+
+func (_ *Connection) Close() {}
+
+func (_ *Connection) ConsistencyLevel() (string, error) {
+	return "", nil
+}
+
+func (_ *Connection) Leader() (string, error) {
+	return "", nil
+}
+
+func (_ *Connection) Peers() ([]string, error) {
+	return nil, nil
+}
+
+func (_ *Connection) Query(_ []string) ([]QueryResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) QueryOne(_ string) (QueryResult, error) {
+	return QueryResult{}, nil
+}
+
+func (_ *Connection) Queue(_ []string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueOne(_ string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) SetConsistencyLevel(_ string) error {
+	return nil
+}
+
+func (_ *Connection) SetExecutionWithTransaction(_ bool) error {
+	return nil
+}
+
+func (_ *Connection) Write(_ []string) ([]WriteResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) WriteOne(_ string) (WriteResult, error) {
+	return WriteResult{}, nil
+}
+
+func Open(_ string) (Connection, error) {
+	return Connection{}, nil
+}
+
+type QueryResult struct {
+	Err    error
+	Timing float64
+}
+
+func (_ *QueryResult) Columns() []string {
+	return nil
+}
+
+func (_ *QueryResult) Map() (map[string]interface{}, error) {
+	return nil, nil
+}
+
+func (_ *QueryResult) Next() bool {
+	return false
+}
+
+func (_ *QueryResult) NumRows() int64 {
+	return 0
+}
+
+func (_ *QueryResult) RowNumber() int64 {
+	return 0
+}
+
+func (_ *QueryResult) Scan(_ ...interface{}) error {
+	return nil
+}
+
+func (_ *QueryResult) Types() []string {
+	return nil
+}
+
+type WriteResult struct {
+	Err          error
+	Timing       float64
+	RowsAffected int64
+	LastInsertID int64
+}
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/vendor/modules.txt
@@ -0,0 +1,3 @@
+# github.com/rqlite/gorqlite v0.0.0-20220528150909-c4e99ae96be6
+## explicit
+github.com/rqlite/gorqlite