Merge pull request #18863 from egregius313/egregius313/go/mad/database/rqlite

Go: Add `database` sources for the `gorqlite` package
2026-04-24 08:15:14 +02:00 · 2025-02-27 12:41:39 -05:00
parent e08ae22ceb 4f204ee40f
commit 28770c526d
5 changed files with 347 additions and 0 deletions
--- a/go/ql/lib/change-notes/2025-02-25-go-database-rqlite-sources.md
+++ b/go/ql/lib/change-notes/2025-02-25-go-database-rqlite-sources.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `database` source models for the `github.com/rqlite/gorqlite` package.
--- a/go/ql/lib/ext/github.com.rqlite.gorqlite.model.yml
+++ b/go/ql/lib/ext/github.com.rqlite.gorqlite.model.yml
@@ -3,8 +3,21 @@ extensions:
      pack: codeql/go-all
      extensible: packageGrouping
    data:
+      - ["gorqlite", "github.com/kanikanema/gorqlite"]
      - ["gorqlite", "github.com/rqlite/gorqlite"]
      - ["gorqlite", "github.com/raindog308/gorqlite"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["group:gorqlite", "Connection", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOne", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterized", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterizedContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterized", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterizedContext", "", "", "ReturnValue[0]", "database", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: sinkModel
@@ -33,3 +46,9 @@ extensions:
      - ["group:gorqlite", "Connection", True, "WriteOneParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
      - ["group:gorqlite", "Connection", True, "WriteParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
      - ["group:gorqlite", "Connection", True, "WriteParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["group:gorqlite", "QueryResult", True, "Map", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
+      - ["group:gorqlite", "QueryResult", True, "Slice", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
--- a/go/ql/lib/semmle/go/frameworks/Gorqlite.qll
+++ b/go/ql/lib/semmle/go/frameworks/Gorqlite.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `gorqlite` package.
+ */
+
+import go
+
+/**
+ * Provides classes modeling security-relevant aspects of the `gorqlite` package.
+ */
+module Gorqlite {
+  private string packagePath() {
+    result =
+      package([
+          "github.com/rqlite/gorqlite", "github.com/raindog308/gorqlite",
+          "github.com/kanikanema/gorqlite"
+        ], "")
+  }
+
+  // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data summaries yet.
+  private class QueryResultScan extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    QueryResultScan() {
+      // signature: func (qr *QueryResult) Scan(dest ...interface{}) error
+      this.hasQualifiedName(packagePath(), "QueryResult", "Scan") and
+      inp.isReceiver() and
+      outp.isParameter(_)
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_rqlite_gorqlite.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_rqlite_gorqlite.go
@@ -0,0 +1,84 @@
+package test
+
+//go:generate depstubber -vendor github.com/rqlite/gorqlite Connection,QueryResult
+
+import (
+	"context"
+
+	"github.com/rqlite/gorqlite"
+)
+
+func parameterize(query string) gorqlite.ParameterizedStatement {
+	return gorqlite.ParameterizedStatement{
+		Query:     query,
+		Arguments: []interface{}{},
+	}
+}
+
+func test_rqlite_gorqlite(conn *gorqlite.Connection, ctx context.Context, query []string) {
+	v1, err := conn.Query(query) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v1) // $ hasTaintFlow="v1"
+
+	v2, err := conn.QueryContext(ctx, query) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v2) // $ hasTaintFlow="v2"
+
+	v3, err := conn.QueryOne(query[0]) // $ source
+	if err != nil {
+		return
+	}
+
+	r3, err := v3.Slice()
+	if err != nil {
+		return
+	}
+
+	sink(r3) // $ hasTaintFlow="r3"
+
+	v4, err := conn.QueryOneContext(ctx, query[0]) // $ source
+	if err != nil {
+		return
+	}
+
+	var r41, r42, r43 string
+	v4.Scan(&r41, &r42, &r43)
+
+	v5, err := conn.QueryOneParameterized(parameterize(query[0])) // $ source
+	if err != nil {
+		return
+	}
+
+	r5, err := v5.Map()
+
+	r5Name := r5["name"]
+
+	sink(r5Name) // $ hasTaintFlow="r5Name"
+
+	v6, err := conn.QueryOneParameterizedContext(ctx, parameterize(query[0])) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v6) // $ hasTaintFlow="v6"
+
+	v7, err := conn.QueryParameterized([]gorqlite.ParameterizedStatement{parameterize(query[0])}) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v7) // $ hasTaintFlow="v7"
+
+	v8, err := conn.QueryParameterizedContext(ctx, []gorqlite.ParameterizedStatement{parameterize(query[0])}) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v8) // $ hasTaintFlow="v8"
+}
--- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/rqlite/gorqlite/stub.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/rqlite/gorqlite/stub.go
@@ -0,0 +1,205 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/rqlite/gorqlite, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/rqlite/gorqlite (exports: Connection,QueryResult; functions: )
+
+// Package gorqlite is a stub of github.com/rqlite/gorqlite, generated by depstubber.
+package gorqlite
+
+import (
+	context "context"
+)
+
+type Connection struct {
+	ID string
+}
+
+func (_ *Connection) Close() {}
+
+func (_ *Connection) ConsistencyLevel() (string, error) {
+	return "", nil
+}
+
+func (_ *Connection) Leader() (string, error) {
+	return "", nil
+}
+
+func (_ *Connection) Peers() ([]string, error) {
+	return nil, nil
+}
+
+func (_ *Connection) Query(_ []string) ([]QueryResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) QueryContext(_ context.Context, _ []string) ([]QueryResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) QueryOne(_ string) (QueryResult, error) {
+	return QueryResult{}, nil
+}
+
+func (_ *Connection) QueryOneContext(_ context.Context, _ string) (QueryResult, error) {
+	return QueryResult{}, nil
+}
+
+func (_ *Connection) QueryOneParameterized(_ ParameterizedStatement) (QueryResult, error) {
+	return QueryResult{}, nil
+}
+
+func (_ *Connection) QueryOneParameterizedContext(_ context.Context, _ ParameterizedStatement) (QueryResult, error) {
+	return QueryResult{}, nil
+}
+
+func (_ *Connection) QueryParameterized(_ []ParameterizedStatement) ([]QueryResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) QueryParameterizedContext(_ context.Context, _ []ParameterizedStatement) ([]QueryResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) Queue(_ []string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueContext(_ context.Context, _ []string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueOne(_ string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueOneContext(_ context.Context, _ string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueOneParameterized(_ ParameterizedStatement) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueOneParameterizedContext(_ context.Context, _ ParameterizedStatement) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueParameterized(_ []ParameterizedStatement) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueParameterizedContext(_ context.Context, _ []ParameterizedStatement) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) Request(_ []string) ([]RequestResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) RequestContext(_ context.Context, _ []string) ([]RequestResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) RequestParameterized(_ []ParameterizedStatement) ([]RequestResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) RequestParameterizedContext(_ context.Context, _ []ParameterizedStatement) ([]RequestResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) SetConsistencyLevel(_ interface{}) error {
+	return nil
+}
+
+func (_ *Connection) SetExecutionWithTransaction(_ bool) error {
+	return nil
+}
+
+func (_ *Connection) Write(_ []string) ([]WriteResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) WriteContext(_ context.Context, _ []string) ([]WriteResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) WriteOne(_ string) (WriteResult, error) {
+	return WriteResult{}, nil
+}
+
+func (_ *Connection) WriteOneContext(_ context.Context, _ string) (WriteResult, error) {
+	return WriteResult{}, nil
+}
+
+func (_ *Connection) WriteOneParameterized(_ ParameterizedStatement) (WriteResult, error) {
+	return WriteResult{}, nil
+}
+
+func (_ *Connection) WriteOneParameterizedContext(_ context.Context, _ ParameterizedStatement) (WriteResult, error) {
+	return WriteResult{}, nil
+}
+
+func (_ *Connection) WriteParameterized(_ []ParameterizedStatement) ([]WriteResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) WriteParameterizedContext(_ context.Context, _ []ParameterizedStatement) ([]WriteResult, error) {
+	return nil, nil
+}
+
+type ParameterizedStatement struct {
+	Query     string
+	Arguments []interface{}
+}
+
+type QueryResult struct {
+	Err    error
+	Timing float64
+}
+
+func (_ *QueryResult) Columns() []string {
+	return nil
+}
+
+func (_ *QueryResult) Map() (map[string]interface{}, error) {
+	return nil, nil
+}
+
+func (_ *QueryResult) Next() bool {
+	return false
+}
+
+func (_ *QueryResult) NumRows() int64 {
+	return 0
+}
+
+func (_ *QueryResult) RowNumber() int64 {
+	return 0
+}
+
+func (_ *QueryResult) Scan(_ ...interface{}) error {
+	return nil
+}
+
+func (_ *QueryResult) Slice() ([]interface{}, error) {
+	return nil, nil
+}
+
+func (_ *QueryResult) Types() []string {
+	return nil
+}
+
+type RequestResult struct {
+	Err   error
+	Query *QueryResult
+	Write *WriteResult
+}
+
+type WriteResult struct {
+	Err          error
+	Timing       float64
+	RowsAffected int64
+	LastInsertID int64
+}