Add database/sql/driver taint-tracking

2026-01-30 06:42:57 +01:00 · 2020-09-15 17:57:31 +02:00
parent 5e4d75561c
commit 24e8a18d22
2 changed files with 114 additions and 0 deletions
--- a/ql/src/semmle/go/frameworks/SQL.qll
+++ b/ql/src/semmle/go/frameworks/SQL.qll
@@ -48,6 +48,41 @@ module SQL {
    }
  }

+  private class SqlDriverMethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    SqlDriverMethodModels() {
+      // signature: func (NotNull).ConvertValue(v interface{}) (Value, error)
+      this.hasQualifiedName("database/sql/driver", "NotNull", "ConvertValue") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (Null).ConvertValue(v interface{}) (Value, error)
+      this.hasQualifiedName("database/sql/driver", "Null", "ConvertValue") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (ValueConverter).ConvertValue(v interface{}) (Value, error)
+      this.implements("database/sql/driver", "ValueConverter", "ConvertValue") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (Conn).Prepare(query string) (Stmt, error)
+      this.implements("database/sql/driver", "Conn", "Prepare") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (ConnPrepareContext).PrepareContext(ctx context.Context, query string) (Stmt, error)
+      this.implements("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
+      (inp.isParameter(1) and outp.isResult(0))
+      or
+      // signature: func (Valuer).Value() (Value, error)
+      this.implements("database/sql/driver", "Valuer", "Value") and
+      (inp.isReceiver() and outp.isResult(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
  /**
   * A data-flow node whose string value is interpreted as (part of) a SQL query.
   *
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/DatabaseSqlDriver.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/DatabaseSqlDriver.go
@@ -0,0 +1,79 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import "database/sql/driver"
+
+func TaintStepTest_DatabaseSqlDriverNotNullConvertValue_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface656 := sourceCQL.(interface{})
+	var mediumObjCQL driver.NotNull
+	intoValue414, _ := mediumObjCQL.ConvertValue(fromInterface656)
+	return intoValue414
+}
+
+func TaintStepTest_DatabaseSqlDriverNullConvertValue_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface518 := sourceCQL.(interface{})
+	var mediumObjCQL driver.Null
+	intoValue650, _ := mediumObjCQL.ConvertValue(fromInterface518)
+	return intoValue650
+}
+
+func TaintStepTest_DatabaseSqlDriverValueConverterConvertValue_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface784 := sourceCQL.(interface{})
+	var mediumObjCQL driver.ValueConverter
+	intoValue957, _ := mediumObjCQL.ConvertValue(fromInterface784)
+	return intoValue957
+}
+
+func TaintStepTest_DatabaseSqlDriverConnPrepare_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString520 := sourceCQL.(string)
+	var mediumObjCQL driver.Conn
+	intoStmt443, _ := mediumObjCQL.Prepare(fromString520)
+	return intoStmt443
+}
+
+func TaintStepTest_DatabaseSqlDriverConnPrepareContextPrepareContext_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString127 := sourceCQL.(string)
+	var mediumObjCQL driver.ConnPrepareContext
+	intoStmt483, _ := mediumObjCQL.PrepareContext(nil, fromString127)
+	return intoStmt483
+}
+
+func TaintStepTest_DatabaseSqlDriverValuerValue_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValuer989 := sourceCQL.(driver.Valuer)
+	intoValue982, _ := fromValuer989.Value()
+	return intoValue982
+}
+
+func RunAllTaints_DatabaseSqlDriver() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_DatabaseSqlDriverNotNullConvertValue_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_DatabaseSqlDriverNullConvertValue_B0I0O0(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_DatabaseSqlDriverValueConverterConvertValue_B0I0O0(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_DatabaseSqlDriverConnPrepare_B0I0O0(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_DatabaseSqlDriverConnPrepareContextPrepareContext_B0I0O0(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_DatabaseSqlDriverValuerValue_B0I0O0(source)
+		sink(5, out)
+	}
+}