From 1be0cc57a808dd40a5522df6476e1371f7463be4 Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Fri, 6 Mar 2020 14:24:51 +0000
Subject: [PATCH] Add test case from https://github.com/github/codeql-go/issues/48.
---
 .../Security/CWE-089/SqlInjection.expected | 14 ++++++
 .../query-tests/Security/CWE-089/issue48.go | 47 +++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 ql/test/query-tests/Security/CWE-089/issue48.go
diff --git a/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
index 60a68b5f652..86e127c29eb 100644
--- a/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
+++ b/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
@@ -1,5 +1,9 @@
 edges
 | SqlInjection.go:11:3:11:9 | selection of URL : pointer type | SqlInjection.go:12:11:12:11 | q |
+| issue48.go:22:25:22:32 | selection of Body : ReadCloser | issue48.go:27:11:27:12 | q3 |
+| issue48.go:32:26:32:33 | selection of Body : ReadCloser | issue48.go:37:11:37:12 | q4 |
+| issue48.go:42:17:42:50 | type conversion : slice type | issue48.go:46:11:46:12 | q5 |
+| issue48.go:42:24:42:30 | selection of URL : pointer type | issue48.go:42:17:42:50 | type conversion : slice type |
 | main.go:10:11:10:16 | selection of Form : Values | main.go:10:11:10:28 | index expression |
 | main.go:14:63:14:67 | selection of URL : pointer type | main.go:14:11:14:84 | call to Sprintf |
 | main.go:15:63:15:84 | call to Get : string | main.go:15:11:15:85 | call to Sprintf |
@@ -40,6 +44,13 @@ edges
 nodes
 | SqlInjection.go:11:3:11:9 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
 | SqlInjection.go:12:11:12:11 | q | semmle.label | q |
+| issue48.go:22:25:22:32 | selection of Body : ReadCloser | semmle.label | selection of Body : ReadCloser |
+| issue48.go:27:11:27:12 | q3 | semmle.label | q3 |
+| issue48.go:32:26:32:33 | selection of Body : ReadCloser | semmle.label | selection of Body : ReadCloser |
+| issue48.go:37:11:37:12 | q4 | semmle.label | q4 |
+| issue48.go:42:17:42:50 | type conversion : slice type | semmle.label | type conversion : slice type |
+| issue48.go:42:24:42:30 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
+| issue48.go:46:11:46:12 | q5 | semmle.label | q5 |
 | main.go:10:11:10:16 | selection of Form : Values | semmle.label | selection of Form : Values |
 | main.go:10:11:10:28 | index expression | semmle.label | index expression |
 | main.go:14:11:14:84 | call to Sprintf | semmle.label | call to Sprintf |
@@ -83,6 +94,9 @@ nodes
 | main.go:61:11:61:11 | q | semmle.label | q |
 #select
 | SqlInjection.go:12:11:12:11 | q | SqlInjection.go:11:3:11:9 | selection of URL : pointer type | SqlInjection.go:12:11:12:11 | q | This query depends on $@. | SqlInjection.go:11:3:11:9 | selection of URL | a user-provided value |
+| issue48.go:27:11:27:12 | q3 | issue48.go:22:25:22:32 | selection of Body : ReadCloser | issue48.go:27:11:27:12 | q3 | This query depends on $@. | issue48.go:22:25:22:32 | selection of Body | a user-provided value |
+| issue48.go:37:11:37:12 | q4 | issue48.go:32:26:32:33 | selection of Body : ReadCloser | issue48.go:37:11:37:12 | q4 | This query depends on $@. | issue48.go:32:26:32:33 | selection of Body | a user-provided value |
+| issue48.go:46:11:46:12 | q5 | issue48.go:42:24:42:30 | selection of URL : pointer type | issue48.go:46:11:46:12 | q5 | This query depends on $@. | issue48.go:42:24:42:30 | selection of URL | a user-provided value |
 | main.go:10:11:10:28 | index expression | main.go:10:11:10:16 | selection of Form : Values | main.go:10:11:10:28 | index expression | This query depends on $@. | main.go:10:11:10:16 | selection of Form | a user-provided value |
 | main.go:14:11:14:84 | call to Sprintf | main.go:14:63:14:67 | selection of URL : pointer type | main.go:14:11:14:84 | call to Sprintf | This query depends on $@. | main.go:14:63:14:67 | selection of URL | a user-provided value |
 | main.go:15:11:15:85 | call to Sprintf | main.go:15:63:15:84 | call to Get : string | main.go:15:11:15:85 | call to Sprintf | This query depends on $@. | main.go:15:63:15:84 | call to Get | a user-provided value |
diff --git a/ql/test/query-tests/Security/CWE-089/issue48.go b/ql/test/query-tests/Security/CWE-089/issue48.go
new file mode 100644
index 00000000000..a3f7ca42c05
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-089/issue48.go
@@ -0,0 +1,47 @@
+package main
+
+// see https://github.com/github/codeql-go/issues/48
+
+import (
+ "database/sql"
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "net/http"
+)
+
+type RequestStruct struct {
+ Id int64 `db:"id"`
+ Category []string `db:"category"`
+}
+
+func handler(db *sql.DB, req *http.Request) {
+ // read data from request body and unmarshal to a indeterminacy struct
+ // POST: {"a": "b", "category": "test"}
+ var RequestDataFromJson map[string]interface{}
+ b, _ := ioutil.ReadAll(req.Body)
+ json.Unmarshal(b, &RequestDataFromJson)
+
+ q3 := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
+ RequestDataFromJson["category"])
+ db.Query(q3) // NOT OK
+
+ // read data from request body and unmarshal to a determined struct
+ // POST: {"id": "1", "category": "test"}
+ var RequestDataFromJson2 RequestStruct
+ b2, _ := ioutil.ReadAll(req.Body)
+ json.Unmarshal(b2, &RequestDataFromJson2)
+
+ q4 := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
+ RequestDataFromJson2.Category)
+ db.Query(q4) // NOT OK
+
+ // read json data from a url parameter
+ // GET: ?json={"id": 1, "category": "test"}
+ var RequestDataFromJson3 RequestStruct
+ json.Unmarshal([]byte(req.URL.Query()["json"][0]), &RequestDataFromJson3)
+
+ q5 := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
+ RequestDataFromJson3.Category)
+ db.Query(q5) // NOT OK
+}
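Review bot: All three cases in handler are NOT OK paths, so the updated SqlInjection.expected only shows that the query reports these json.Unmarshal flows, not that it stays quiet once the same value is bound through a placeholder; one OK control next to q3, `db.Query("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE", RequestDataFromJson["category"]) // OK`, would guard against the new modelling over-tainting the parameter list (assuming, as the existing results suggest, that only the query-string argument is a sink). The two `ioutil.ReadAll` errors are discarded with `_`, the three `json.Unmarshal` results are dropped outright, and `req.URL.Query()["json"][0]` indexes without checking the parameter is present; that is harmless for taint tracking, but a one-line comment such as `// errors deliberately ignored: this file only exercises taint flow` would stop errcheck-style linters and readers from treating it as a real handler. The first case's comment, `unmarshal to a indeterminacy struct`, describes a `map[string]interface{}`, so `unmarshal into an untyped map` says what the case actually exercises. The second `ioutil.ReadAll(req.Body)` reads an already-consumed body at runtime, which is fine for a static test but worth noting in the comment above it. handler is contained entirely within the hunk.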