diff --git a/change-notes/2021-05-06-xorm.md b/change-notes/2021-05-06-xorm.md
new file mode 100644
index 00000000000..0398530b950
--- /dev/null
+++ b/change-notes/2021-05-06-xorm.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the `xorm.io/xorm` package
diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll
index f626fe097ca..b8c51750b8f 100644
--- a/ql/src/semmle/go/frameworks/SQL.qll
+++ b/ql/src/semmle/go/frameworks/SQL.qll
@@ -224,3 +224,33 @@ module Gorm {
 result = package(["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"], "")
 }
 }
+
+/**
+ * Provides classes for working with the [XORM](https://xorm.io/) package.
+ */
+module Xorm {
+ /** Gets the package name for Xorm. */
+ string packagePath() { result = package(["xorm.io/xorm", "github.com/go-xorm/xorm"], "") }
+
+ /** A model for sinks of XORM. */
+ private class XormSink extends SQL::QueryString::Range {
+ XormSink() {
+ exists(Method meth, string type, string name, int n |
+ meth.hasQualifiedName(Xorm::packagePath(), type, name) and
+ this = meth.getACall().getArgument(n) and
+ type = ["Engine", "Session"]
+ |
+ name =
+ [
+ "Query", "Exec", "QueryString", "QueryInterface", "SQL", "Where", "And", "Or", "Alias",
+ "NotIn", "In", "Select", "SetExpr", "OrderBy", "Having", "GroupBy"
+ ] and
+ n = 0
+ or
+ name = ["SumInt", "Sum", "Sums", "SumsInt"] and n = 1
+ or
+ name = "Join" and n = [0, 1, 2]
+ )
+ }
+ }
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod b/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod
index 23bb420b262..69db5c96c41 100644
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod
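Review bot: The go-xorm spelling `Sql` (defined on both Engine and Session in the vendored github.com/go-xorm/xorm stub further down this diff) and Session's `QuerySliceString` (present in both vendored stubs) take the query string as argument 0 but are absent from the `n = 0` name list in XormSink, so calls through them are not treated as sinks even though packagePath() claims `github.com/go-xorm/xorm` as well. I would extend the second row of the list to `"NotIn", "In", "Select", "SetExpr", "OrderBy", "Having", "GroupBy", "Sql", "QuerySliceString"`. Separately, `Sums` and `SumsInt` take their column names as a variadic `...string` after the bean, so `n = 1` only covers the first column; `name = ["SumInt", "Sum"] and n = 1 or name = ["Sums", "SumsInt"] and n >= 1` would cover the remaining ones. Column-name setters such as Asc, Desc, Cols and Distinct are not modeled either; whether xorm quotes those safely cannot be told from this diff, so that is a point to verify rather than add blindly.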
@@ -6,4 +6,9 @@ require (
 github.com/Masterminds/squirrel v1.1.0
 github.com/go-pg/pg v8.0.6+incompatible
 github.com/go-pg/pg/v9 v9.1.3
+ github.com/go-sql-driver/mysql v1.6.0 // indirect
+ github.com/go-xorm/xorm v0.7.9
+ github.com/lib/pq v1.10.2 // indirect
+ github.com/mattn/go-sqlite3 v1.14.7 // indirect
+ xorm.io/xorm v1.1.0
 )
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/go-xorm/xorm/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/go-xorm/xorm/stub.go
new file mode 100644
index 00000000000..9853e015547
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/go-xorm/xorm/stub.go
@@ -0,0 +1,917 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/go-xorm/xorm, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/go-xorm/xorm (exports: Engine,Session; functions: ) + +// Package xorm is a stub of github.com/go-xorm/xorm, generated by depstubber. +package xorm + +import ( + context "context" + sql "database/sql" + io "io" + reflect "reflect" + strings "strings" + time "time" +) + +type ContextCache interface { + Get(_ string) interface{} + Put(_ string, _ interface{}) +} + +type Engine struct { + ColumnMapper interface{} + TableMapper interface{} + TagIdentifier string + Tables map[reflect.Type]interface{} + Cacher interface{} + TZLocation *time.Location + DatabaseTZ *time.Location +} + +func (_ *Engine) After(_ func(interface{})) *Session { + return nil +} + +func (_ *Engine) Alias(_ string) *Session { + return nil +} + +func (_ *Engine) AllCols() *Session { + return nil +} + +func (_ *Engine) Asc(_ ...string) *Session { + return nil +} + +func (_ *Engine) AutoIncrStr() string { + return "" +} + +func (_ *Engine) Before(_ func(interface{})) *Session { + return nil +} + +func (_ *Engine) BufferSize(_ int) *Session { + return nil +} + +func (_ *Engine) Cascade(_ ...bool) *Session { + return nil +} + +func (_ *Engine) Charset(_ string) *Session { + return nil +} + +func (_ *Engine) ClearCache(_ ...interface{}) error { + return nil +} + +func (_ *Engine) ClearCacheBean(_ interface{}, _ string) error { + return nil +} + +func (_ *Engine) Clone() (*Engine, error) { + return nil, nil +} + +func (_ *Engine) Close() error { + return nil +} + +func (_ *Engine) Cols(_ ...string) *Session { + return nil +} + +func (_ *Engine) CondDeleted(_ string) interface{} { + return nil +} + +func (_ *Engine) Context(_ context.Context) *Session { + return nil +} + +func (_ *Engine) Count(_ ...interface{}) (int64, error) { + return 0, nil +} + 
+func (_ *Engine) CreateIndexes(_ interface{}) error { + return nil +} + +func (_ *Engine) CreateTables(_ ...interface{}) error { + return nil +} + +func (_ *Engine) CreateUniques(_ interface{}) error { + return nil +} + +func (_ *Engine) DB() interface{} { + return nil +} + +func (_ *Engine) DBMetas() ([]interface{}, error) { + return nil, nil +} + +func (_ *Engine) DataSourceName() string { + return "" +} + +func (_ *Engine) Decr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Delete(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) Desc(_ ...string) *Session { + return nil +} + +func (_ *Engine) Dialect() interface{} { + return nil +} + +func (_ *Engine) Distinct(_ ...string) *Session { + return nil +} + +func (_ *Engine) DriverName() string { + return "" +} + +func (_ *Engine) DropIndexes(_ interface{}) error { + return nil +} + +func (_ *Engine) DropTables(_ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpAll(_ io.Writer, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpAllToFile(_ string, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpTables(_ []interface{}, _ io.Writer, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpTablesToFile(_ []interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *Engine) Exec(_ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Engine) Exist(_ ...interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) Find(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Engine) FindAndCount(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) Get(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) GetCacher(_ string) interface{} { + return nil +} + +func (_ *Engine) GetColumnMapper() interface{} { + return nil +} + +func (_ *Engine) GetDefaultCacher() interface{} { + return nil +} + +func (_ *Engine) 
GetTZDatabase() *time.Location { + return nil +} + +func (_ *Engine) GetTZLocation() *time.Location { + return nil +} + +func (_ *Engine) GetTableMapper() interface{} { + return nil +} + +func (_ *Engine) GobRegister(_ interface{}) *Engine { + return nil +} + +func (_ *Engine) GroupBy(_ string) *Session { + return nil +} + +func (_ *Engine) Having(_ string) *Session { + return nil +} + +func (_ *Engine) ID(_ interface{}) *Session { + return nil +} + +func (_ *Engine) IDOf(_ interface{}) interface{} { + return nil +} + +func (_ *Engine) IDOfV(_ reflect.Value) interface{} { + return nil +} + +func (_ *Engine) Id(_ interface{}) *Session { + return nil +} + +func (_ *Engine) IdOf(_ interface{}) interface{} { + return nil +} + +func (_ *Engine) IdOfV(_ reflect.Value) interface{} { + return nil +} + +func (_ *Engine) Import(_ io.Reader) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Engine) ImportFile(_ string) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Engine) In(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Incr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Insert(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) InsertOne(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) IsTableEmpty(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) IsTableExist(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) Iterate(_ interface{}, _ IterFunc) error { + return nil +} + +func (_ *Engine) Join(_ string, _ interface{}, _ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Limit(_ int, _ ...int) *Session { + return nil +} + +func (_ *Engine) Logger() interface{} { + return nil +} + +func (_ *Engine) MapCacher(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Engine) MustCols(_ ...string) *Session { + return nil +} + +func (_ *Engine) NewDB() (interface{}, error) { + return nil, 
nil +} + +func (_ *Engine) NewSession() *Session { + return nil +} + +func (_ *Engine) NoAutoCondition(_ ...bool) *Session { + return nil +} + +func (_ *Engine) NoAutoTime() *Session { + return nil +} + +func (_ *Engine) NoCache() *Session { + return nil +} + +func (_ *Engine) NoCascade() *Session { + return nil +} + +func (_ *Engine) NotIn(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Nullable(_ ...string) *Session { + return nil +} + +func (_ *Engine) Omit(_ ...string) *Session { + return nil +} + +func (_ *Engine) OrderBy(_ string) *Session { + return nil +} + +func (_ *Engine) Ping() error { + return nil +} + +func (_ *Engine) PingContext(_ context.Context) error { + return nil +} + +func (_ *Engine) Prepare() *Session { + return nil +} + +func (_ *Engine) Query(_ ...interface{}) ([]map[string][]byte, error) { + return nil, nil +} + +func (_ *Engine) QueryInterface(_ ...interface{}) ([]map[string]interface{}, error) { + return nil, nil +} + +func (_ *Engine) QueryString(_ ...interface{}) ([]map[string]string, error) { + return nil, nil +} + +func (_ *Engine) Quote(_ string) string { + return "" +} + +func (_ *Engine) QuoteTo(_ *strings.Builder, _ string) {} + +func (_ *Engine) Rows(_ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Engine) SQL(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) SQLType(_ interface{}) string { + return "" +} + +func (_ *Engine) Select(_ string) *Session { + return nil +} + +func (_ *Engine) SetCacher(_ string, _ interface{}) {} + +func (_ *Engine) SetColumnMapper(_ interface{}) {} + +func (_ *Engine) SetConnMaxLifetime(_ time.Duration) {} + +func (_ *Engine) SetDefaultCacher(_ interface{}) {} + +func (_ *Engine) SetDefaultContext(_ context.Context) {} + +func (_ *Engine) SetDisableGlobalCache(_ bool) {} + +func (_ *Engine) SetExpr(_ string, _ interface{}) *Session { + return nil +} + +func (_ *Engine) SetLogLevel(_ interface{}) {} + +func (_ *Engine) 
SetLogger(_ interface{}) {} + +func (_ *Engine) SetMapper(_ interface{}) {} + +func (_ *Engine) SetMaxIdleConns(_ int) {} + +func (_ *Engine) SetMaxOpenConns(_ int) {} + +func (_ *Engine) SetSchema(_ string) {} + +func (_ *Engine) SetTZDatabase(_ *time.Location) {} + +func (_ *Engine) SetTZLocation(_ *time.Location) {} + +func (_ *Engine) SetTableMapper(_ interface{}) {} + +func (_ *Engine) ShowExecTime(_ ...bool) {} + +func (_ *Engine) ShowSQL(_ ...bool) {} + +func (_ *Engine) Sql(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) SqlType(_ interface{}) string { + return "" +} + +func (_ *Engine) StoreEngine(_ string) *Session { + return nil +} + +func (_ *Engine) Sum(_ interface{}, _ string) (float64, error) { + return 0, nil +} + +func (_ *Engine) SumInt(_ interface{}, _ string) (int64, error) { + return 0, nil +} + +func (_ *Engine) Sums(_ interface{}, _ ...string) ([]float64, error) { + return nil, nil +} + +func (_ *Engine) SumsInt(_ interface{}, _ ...string) ([]int64, error) { + return nil, nil +} + +func (_ *Engine) SupportInsertMany() bool { + return false +} + +func (_ *Engine) Sync(_ ...interface{}) error { + return nil +} + +func (_ *Engine) Sync2(_ ...interface{}) error { + return nil +} + +func (_ *Engine) Table(_ interface{}) *Session { + return nil +} + +func (_ *Engine) TableInfo(_ interface{}) *Table { + return nil +} + +func (_ *Engine) TableName(_ interface{}, _ ...bool) string { + return "" +} + +func (_ *Engine) Transaction(_ func(*Session) (interface{}, error)) (interface{}, error) { + return nil, nil +} + +func (_ *Engine) UnMapType(_ reflect.Type) {} + +func (_ *Engine) Unscoped() *Session { + return nil +} + +func (_ *Engine) Update(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) UseBool(_ ...string) *Session { + return nil +} + +func (_ *Engine) Where(_ interface{}, _ ...interface{}) *Session { + return nil +} + +type IterFunc func(int, interface{}) error + +type Rows 
struct{} + +func (_ *Rows) Close() error { + return nil +} + +func (_ *Rows) Err() error { + return nil +} + +func (_ *Rows) Next() bool { + return false +} + +func (_ *Rows) Scan(_ interface{}) error { + return nil +} + +type Session struct{} + +func (_ *Session) After(_ func(interface{})) *Session { + return nil +} + +func (_ *Session) Alias(_ string) *Session { + return nil +} + +func (_ *Session) AllCols() *Session { + return nil +} + +func (_ *Session) And(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Asc(_ ...string) *Session { + return nil +} + +func (_ *Session) Before(_ func(interface{})) *Session { + return nil +} + +func (_ *Session) Begin() error { + return nil +} + +func (_ *Session) BufferSize(_ int) *Session { + return nil +} + +func (_ *Session) Cascade(_ ...bool) *Session { + return nil +} + +func (_ *Session) Charset(_ string) *Session { + return nil +} + +func (_ *Session) Clone() *Session { + return nil +} + +func (_ *Session) Close() {} + +func (_ *Session) Cols(_ ...string) *Session { + return nil +} + +func (_ *Session) Commit() error { + return nil +} + +func (_ *Session) Conds() interface{} { + return nil +} + +func (_ *Session) Context(_ context.Context) *Session { + return nil +} + +func (_ *Session) ContextCache(_ ContextCache) *Session { + return nil +} + +func (_ *Session) Count(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) CreateIndexes(_ interface{}) error { + return nil +} + +func (_ *Session) CreateTable(_ interface{}) error { + return nil +} + +func (_ *Session) CreateUniques(_ interface{}) error { + return nil +} + +func (_ *Session) DB() interface{} { + return nil +} + +func (_ *Session) Decr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Delete(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) Desc(_ ...string) *Session { + return nil +} + +func (_ *Session) Distinct(_ ...string) *Session { + return nil +} + +func 
(_ *Session) DropIndexes(_ interface{}) error { + return nil +} + +func (_ *Session) DropTable(_ interface{}) error { + return nil +} + +func (_ *Session) Exec(_ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Session) Exist(_ ...interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) Find(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Session) FindAndCount(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) ForUpdate() *Session { + return nil +} + +func (_ *Session) Get(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) GroupBy(_ string) *Session { + return nil +} + +func (_ *Session) Having(_ string) *Session { + return nil +} + +func (_ *Session) ID(_ interface{}) *Session { + return nil +} + +func (_ *Session) Id(_ interface{}) *Session { + return nil +} + +func (_ *Session) In(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Incr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Init() {} + +func (_ *Session) Insert(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) InsertMulti(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) InsertOne(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) IsClosed() bool { + return false +} + +func (_ *Session) IsTableEmpty(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) IsTableExist(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) Iterate(_ interface{}, _ IterFunc) error { + return nil +} + +func (_ *Session) Join(_ string, _ interface{}, _ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) LastSQL() (string, []interface{}) { + return "", nil +} + +func (_ *Session) Limit(_ int, _ ...int) *Session { + return nil +} + +func (_ *Session) MustCols(_ ...string) *Session { + return nil +} + +func (_ *Session) 
NoAutoCondition(_ ...bool) *Session { + return nil +} + +func (_ *Session) NoAutoTime() *Session { + return nil +} + +func (_ *Session) NoCache() *Session { + return nil +} + +func (_ *Session) NoCascade() *Session { + return nil +} + +func (_ *Session) NotIn(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Nullable(_ ...string) *Session { + return nil +} + +func (_ *Session) Omit(_ ...string) *Session { + return nil +} + +func (_ *Session) Or(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) OrderBy(_ string) *Session { + return nil +} + +func (_ *Session) Ping() error { + return nil +} + +func (_ *Session) PingContext(_ context.Context) error { + return nil +} + +func (_ *Session) Prepare() *Session { + return nil +} + +func (_ *Session) Query(_ ...interface{}) ([]map[string][]byte, error) { + return nil, nil +} + +func (_ *Session) QueryInterface(_ ...interface{}) ([]map[string]interface{}, error) { + return nil, nil +} + +func (_ *Session) QuerySliceString(_ ...interface{}) ([][]string, error) { + return nil, nil +} + +func (_ *Session) QueryString(_ ...interface{}) ([]map[string]string, error) { + return nil, nil +} + +func (_ *Session) Rollback() error { + return nil +} + +func (_ *Session) Rows(_ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Session) SQL(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Select(_ string) *Session { + return nil +} + +func (_ *Session) SetExpr(_ string, _ interface{}) *Session { + return nil +} + +func (_ *Session) Sql(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) StoreEngine(_ string) *Session { + return nil +} + +func (_ *Session) Sum(_ interface{}, _ string) (float64, error) { + return 0, nil +} + +func (_ *Session) SumInt(_ interface{}, _ string) (int64, error) { + return 0, nil +} + +func (_ *Session) Sums(_ interface{}, _ ...string) ([]float64, error) { + return nil, nil +} + +func (_ 
*Session) SumsInt(_ interface{}, _ ...string) ([]int64, error) { + return nil, nil +} + +func (_ *Session) Sync2(_ ...interface{}) error { + return nil +} + +func (_ *Session) Table(_ interface{}) *Session { + return nil +} + +func (_ *Session) Unscoped() *Session { + return nil +} + +func (_ *Session) Update(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) UseBool(_ ...string) *Session { + return nil +} + +func (_ *Session) Where(_ interface{}, _ ...interface{}) *Session { + return nil +} + +type Table struct { + Table interface{} + Name string +} + +func (_ Table) AddColumn(_ interface{}) {} + +func (_ Table) AddIndex(_ interface{}) {} + +func (_ Table) AutoIncrColumn() interface{} { + return nil +} + +func (_ Table) ColumnType(_ string) reflect.Type { + return nil +} + +func (_ Table) Columns() []interface{} { + return nil +} + +func (_ Table) ColumnsSeq() []string { + return nil +} + +func (_ Table) DeletedColumn() interface{} { + return nil +} + +func (_ Table) GetColumn(_ string) interface{} { + return nil +} + +func (_ Table) GetColumnIdx(_ string, _ int) interface{} { + return nil +} + +func (_ Table) PKColumns() []interface{} { + return nil +} + +func (_ Table) UpdatedColumn() interface{} { + return nil +} + +func (_ Table) VersionColumn() interface{} { + return nil +} + +func (_ *Table) IsValid() bool { + return false +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/LICENSE b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/LICENSE new file mode 100644 index 00000000000..84d2ae5386d --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/LICENSE 
@@ -0,0 +1,27 @@
+Copyright (c) 2013 - 2015 The Xorm Authors
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+* Neither the name of the {organization} nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/stub.go
new file mode 100644
index 00000000000..ccadc994d34
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/stub.go
@@ -0,0 +1,824 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for xorm.io/xorm, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: xorm.io/xorm (exports: Engine,Session; functions: ) + +// Package xorm is a stub of xorm.io/xorm, generated by depstubber. +package xorm + +import ( + context "context" + sql "database/sql" + io "io" + reflect "reflect" + strings "strings" + time "time" +) + +type Engine struct { + TZLocation *time.Location + DatabaseTZ *time.Location +} + +func (_ *Engine) AddHook(_ interface{}) {} + +func (_ *Engine) After(_ func(interface{})) *Session { + return nil +} + +func (_ *Engine) Alias(_ string) *Session { + return nil +} + +func (_ *Engine) AllCols() *Session { + return nil +} + +func (_ *Engine) Asc(_ ...string) *Session { + return nil +} + +func (_ *Engine) AutoIncrStr() string { + return "" +} + +func (_ *Engine) Before(_ func(interface{})) *Session { + return nil +} + +func (_ *Engine) BufferSize(_ int) *Session { + return nil +} + +func (_ *Engine) Cascade(_ ...bool) *Session { + return nil +} + +func (_ *Engine) Charset(_ string) *Session { + return nil +} + +func (_ *Engine) ClearCache(_ ...interface{}) error { + return nil +} + +func (_ *Engine) ClearCacheBean(_ interface{}, _ string) error { + return nil +} + +func (_ *Engine) Close() error { + return nil +} + +func (_ *Engine) Cols(_ ...string) *Session { + return nil +} + +func (_ *Engine) Context(_ context.Context) *Session { + return nil +} + +func (_ *Engine) Count(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) CreateIndexes(_ interface{}) error { + return nil +} + +func (_ *Engine) CreateTables(_ ...interface{}) error { + return nil +} + +func (_ *Engine) CreateUniques(_ interface{}) error { + return nil +} + +func (_ *Engine) DB() interface{} { + return nil +} + +func (_ *Engine) DBMetas() ([]interface{}, error) { + return nil, nil +} + +func 
(_ *Engine) DataSourceName() string { + return "" +} + +func (_ *Engine) Decr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Delete(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) Desc(_ ...string) *Session { + return nil +} + +func (_ *Engine) Dialect() interface{} { + return nil +} + +func (_ *Engine) Distinct(_ ...string) *Session { + return nil +} + +func (_ *Engine) DriverName() string { + return "" +} + +func (_ *Engine) DropIndexes(_ interface{}) error { + return nil +} + +func (_ *Engine) DropTables(_ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpAll(_ io.Writer, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpAllToFile(_ string, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpTables(_ []interface{}, _ io.Writer, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpTablesToFile(_ []interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *Engine) EnableSessionID(_ bool) {} + +func (_ *Engine) Exec(_ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Engine) Exist(_ ...interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) Find(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Engine) FindAndCount(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) Get(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) GetCacher(_ string) interface{} { + return nil +} + +func (_ *Engine) GetColumnMapper() interface{} { + return nil +} + +func (_ *Engine) GetDefaultCacher() interface{} { + return nil +} + +func (_ *Engine) GetTZDatabase() *time.Location { + return nil +} + +func (_ *Engine) GetTZLocation() *time.Location { + return nil +} + +func (_ *Engine) GetTableMapper() interface{} { + return nil +} + +func (_ *Engine) GroupBy(_ string) *Session { + return nil +} + +func (_ *Engine) Having(_ string) *Session { + return nil 
+} + +func (_ *Engine) ID(_ interface{}) *Session { + return nil +} + +func (_ *Engine) Import(_ io.Reader) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Engine) ImportFile(_ string) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Engine) In(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Incr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Insert(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) InsertOne(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) IsTableEmpty(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) IsTableExist(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) Iterate(_ interface{}, _ IterFunc) error { + return nil +} + +func (_ *Engine) Join(_ string, _ interface{}, _ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Limit(_ int, _ ...int) *Session { + return nil +} + +func (_ *Engine) Logger() interface{} { + return nil +} + +func (_ *Engine) MapCacher(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Engine) MustCols(_ ...string) *Session { + return nil +} + +func (_ *Engine) NewDB() (interface{}, error) { + return nil, nil +} + +func (_ *Engine) NewSession() *Session { + return nil +} + +func (_ *Engine) NoAutoCondition(_ ...bool) *Session { + return nil +} + +func (_ *Engine) NoAutoTime() *Session { + return nil +} + +func (_ *Engine) NoCache() *Session { + return nil +} + +func (_ *Engine) NoCascade() *Session { + return nil +} + +func (_ *Engine) NotIn(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Nullable(_ ...string) *Session { + return nil +} + +func (_ *Engine) Omit(_ ...string) *Session { + return nil +} + +func (_ *Engine) OrderBy(_ string) *Session { + return nil +} + +func (_ *Engine) Ping() error { + return nil +} + +func (_ *Engine) PingContext(_ context.Context) error { + return nil +} + +func (_ 
*Engine) Prepare() *Session { + return nil +} + +func (_ *Engine) Query(_ ...interface{}) ([]map[string][]byte, error) { + return nil, nil +} + +func (_ *Engine) QueryInterface(_ ...interface{}) ([]map[string]interface{}, error) { + return nil, nil +} + +func (_ *Engine) QueryString(_ ...interface{}) ([]map[string]string, error) { + return nil, nil +} + +func (_ *Engine) Quote(_ string) string { + return "" +} + +func (_ *Engine) QuoteTo(_ *strings.Builder, _ string) {} + +func (_ *Engine) Rows(_ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Engine) SQL(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) SQLType(_ interface{}) string { + return "" +} + +func (_ *Engine) Select(_ string) *Session { + return nil +} + +func (_ *Engine) SetCacher(_ string, _ interface{}) {} + +func (_ *Engine) SetColumnMapper(_ interface{}) {} + +func (_ *Engine) SetConnMaxLifetime(_ time.Duration) {} + +func (_ *Engine) SetDefaultCacher(_ interface{}) {} + +func (_ *Engine) SetDefaultContext(_ context.Context) {} + +func (_ *Engine) SetDisableGlobalCache(_ bool) {} + +func (_ *Engine) SetExpr(_ string, _ interface{}) *Session { + return nil +} + +func (_ *Engine) SetLogLevel(_ interface{}) {} + +func (_ *Engine) SetLogger(_ interface{}) {} + +func (_ *Engine) SetMapper(_ interface{}) {} + +func (_ *Engine) SetMaxIdleConns(_ int) {} + +func (_ *Engine) SetMaxOpenConns(_ int) {} + +func (_ *Engine) SetQuotePolicy(_ interface{}) {} + +func (_ *Engine) SetSchema(_ string) {} + +func (_ *Engine) SetTZDatabase(_ *time.Location) {} + +func (_ *Engine) SetTZLocation(_ *time.Location) {} + +func (_ *Engine) SetTableMapper(_ interface{}) {} + +func (_ *Engine) SetTagIdentifier(_ string) {} + +func (_ *Engine) ShowSQL(_ ...bool) {} + +func (_ *Engine) StoreEngine(_ string) *Session { + return nil +} + +func (_ *Engine) Sum(_ interface{}, _ string) (float64, error) { + return 0, nil +} + +func (_ *Engine) SumInt(_ interface{}, _ string) (int64, error) 
{ + return 0, nil +} + +func (_ *Engine) Sums(_ interface{}, _ ...string) ([]float64, error) { + return nil, nil +} + +func (_ *Engine) SumsInt(_ interface{}, _ ...string) ([]int64, error) { + return nil, nil +} + +func (_ *Engine) Sync(_ ...interface{}) error { + return nil +} + +func (_ *Engine) Sync2(_ ...interface{}) error { + return nil +} + +func (_ *Engine) Table(_ interface{}) *Session { + return nil +} + +func (_ *Engine) TableInfo(_ interface{}) (interface{}, error) { + return nil, nil +} + +func (_ *Engine) TableName(_ interface{}, _ ...bool) string { + return "" +} + +func (_ *Engine) Transaction(_ func(*Session) (interface{}, error)) (interface{}, error) { + return nil, nil +} + +func (_ *Engine) UnMapType(_ reflect.Type) {} + +func (_ *Engine) Unscoped() *Session { + return nil +} + +func (_ *Engine) Update(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) UseBool(_ ...string) *Session { + return nil +} + +func (_ *Engine) Where(_ interface{}, _ ...interface{}) *Session { + return nil +} + +type IterFunc func(int, interface{}) error + +type Rows struct{} + +func (_ *Rows) Close() error { + return nil +} + +func (_ *Rows) Err() error { + return nil +} + +func (_ *Rows) Next() bool { + return false +} + +func (_ *Rows) Scan(_ interface{}) error { + return nil +} + +type Session struct{} + +func (_ *Session) After(_ func(interface{})) *Session { + return nil +} + +func (_ *Session) Alias(_ string) *Session { + return nil +} + +func (_ *Session) AllCols() *Session { + return nil +} + +func (_ *Session) And(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Asc(_ ...string) *Session { + return nil +} + +func (_ *Session) Before(_ func(interface{})) *Session { + return nil +} + +func (_ *Session) Begin() error { + return nil +} + +func (_ *Session) BufferSize(_ int) *Session { + return nil +} + +func (_ *Session) Cascade(_ ...bool) *Session { + return nil +} + +func (_ *Session) Charset(_ 
string) *Session { + return nil +} + +func (_ *Session) Close() error { + return nil +} + +func (_ *Session) Cols(_ ...string) *Session { + return nil +} + +func (_ *Session) Commit() error { + return nil +} + +func (_ *Session) Conds() interface{} { + return nil +} + +func (_ *Session) Context(_ context.Context) *Session { + return nil +} + +func (_ *Session) ContextCache(_ interface{}) *Session { + return nil +} + +func (_ *Session) Count(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) CreateIndexes(_ interface{}) error { + return nil +} + +func (_ *Session) CreateTable(_ interface{}) error { + return nil +} + +func (_ *Session) CreateUniques(_ interface{}) error { + return nil +} + +func (_ *Session) DB() interface{} { + return nil +} + +func (_ *Session) Decr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Delete(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) Desc(_ ...string) *Session { + return nil +} + +func (_ *Session) Distinct(_ ...string) *Session { + return nil +} + +func (_ *Session) DropIndexes(_ interface{}) error { + return nil +} + +func (_ *Session) DropTable(_ interface{}) error { + return nil +} + +func (_ *Session) Engine() *Engine { + return nil +} + +func (_ *Session) Exec(_ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Session) Exist(_ ...interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) Find(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Session) FindAndCount(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) ForUpdate() *Session { + return nil +} + +func (_ *Session) Get(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) GroupBy(_ string) *Session { + return nil +} + +func (_ *Session) Having(_ string) *Session { + return nil +} + +func (_ *Session) ID(_ interface{}) *Session { + return nil +} + +func (_ *Session) Import(_ 
io.Reader) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Session) ImportFile(_ string) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Session) In(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Incr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Insert(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) InsertMulti(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) InsertOne(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) IsClosed() bool { + return false +} + +func (_ *Session) IsInTx() bool { + return false +} + +func (_ *Session) IsTableEmpty(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) IsTableExist(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) Iterate(_ interface{}, _ IterFunc) error { + return nil +} + +func (_ *Session) Join(_ string, _ interface{}, _ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) LastSQL() (string, []interface{}) { + return "", nil +} + +func (_ *Session) Limit(_ int, _ ...int) *Session { + return nil +} + +func (_ *Session) MustCols(_ ...string) *Session { + return nil +} + +func (_ *Session) MustLogSQL(_ ...bool) *Session { + return nil +} + +func (_ *Session) NoAutoCondition(_ ...bool) *Session { + return nil +} + +func (_ *Session) NoAutoTime() *Session { + return nil +} + +func (_ *Session) NoCache() *Session { + return nil +} + +func (_ *Session) NoCascade() *Session { + return nil +} + +func (_ *Session) NotIn(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Nullable(_ ...string) *Session { + return nil +} + +func (_ *Session) Omit(_ ...string) *Session { + return nil +} + +func (_ *Session) Or(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) OrderBy(_ string) *Session { + return nil +} + +func (_ *Session) Ping() error { + return nil +} + +func (_ 
*Session) PingContext(_ context.Context) error { + return nil +} + +func (_ *Session) Prepare() *Session { + return nil +} + +func (_ *Session) Query(_ ...interface{}) ([]map[string][]byte, error) { + return nil, nil +} + +func (_ *Session) QueryInterface(_ ...interface{}) ([]map[string]interface{}, error) { + return nil, nil +} + +func (_ *Session) QuerySliceString(_ ...interface{}) ([][]string, error) { + return nil, nil +} + +func (_ *Session) QueryString(_ ...interface{}) ([]map[string]string, error) { + return nil, nil +} + +func (_ *Session) Rollback() error { + return nil +} + +func (_ *Session) Rows(_ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Session) SQL(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Select(_ string) *Session { + return nil +} + +func (_ *Session) SetExpr(_ string, _ interface{}) *Session { + return nil +} + +func (_ *Session) StoreEngine(_ string) *Session { + return nil +} + +func (_ *Session) Sum(_ interface{}, _ string) (float64, error) { + return 0, nil +} + +func (_ *Session) SumInt(_ interface{}, _ string) (int64, error) { + return 0, nil +} + +func (_ *Session) Sums(_ interface{}, _ ...string) ([]float64, error) { + return nil, nil +} + +func (_ *Session) SumsInt(_ interface{}, _ ...string) ([]int64, error) { + return nil, nil +} + +func (_ *Session) Sync2(_ ...interface{}) error { + return nil +} + +func (_ *Session) Table(_ interface{}) *Session { + return nil +} + +func (_ *Session) Unscoped() *Session { + return nil +} + +func (_ *Session) Update(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) UseBool(_ ...string) *Session { + return nil +} + +func (_ *Session) Where(_ interface{}, _ ...interface{}) *Session { + return nil +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go b/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go new file mode 100644 index 00000000000..3aa8857a61b --- /dev/null 
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go 
@@ -0,0 +1,77 @@
+package main
+
+//go:generate depstubber -vendor xorm.io/xorm Engine,Session
+//go:generate depstubber -vendor github.com/go-xorm/xorm Engine,Session
+
+import (
+ xorm1 "github.com/go-xorm/xorm"
+ xorm2 "xorm.io/xorm"
+)
+
+func xormtest() {
+ query := "UntrustedString"
+
+ engine1 := xorm1.Engine{}
+ engine1.Query(query) // $querystring=query
+ engine1.QueryString(query) // $querystring=query
+ engine1.QueryInterface(query) // $querystring=query
+ engine1.SQL(query) // $querystring=query
+ engine1.Where(query) // $querystring=query
+ engine1.Alias(query) // $querystring=query
+ engine1.NotIn(query) // $querystring=query
+ engine1.In(query) // $querystring=query
+ engine1.Select(query) // $querystring=query
+ engine1.SetExpr(query, nil) // $querystring=query
+ engine1.OrderBy(query) // $querystring=query
+ engine1.Having(query) // $querystring=query
+ engine1.GroupBy(query) // $querystring=query
+
+ engine2 := xorm2.Engine{}
+ engine2.Query(query) // $querystring=query
+ engine2.QueryString(query) // $querystring=query
+ engine2.QueryInterface(query) // $querystring=query
+ engine2.SQL(query) // $querystring=query
+ engine2.Where(query) // $querystring=query
+ engine2.Alias(query) // $querystring=query
+ engine2.NotIn(query) // $querystring=query
+ engine2.In(query) // $querystring=query
+ engine2.Select(query) // $querystring=query
+ engine2.SetExpr(query, nil) // $querystring=query
+ engine2.OrderBy(query) // $querystring=query
+ engine2.Having(query) // $querystring=query
+ engine2.GroupBy(query) // $querystring=query
+
+ session1 := xorm1.Session{}
+ session1.Query(query) // $querystring=query
+ session1.QueryString(query) // $querystring=query
+ session1.QueryInterface(query) // $querystring=query
+ session1.SQL(query) // $querystring=query
+ session1.Where(query) // $querystring=query
+ session1.Alias(query) // $querystring=query
+ session1.NotIn(query) // $querystring=query
+ session1.In(query) // $querystring=query
+ session1.Select(query) // $querystring=query
+ session1.SetExpr(query, nil) // $querystring=query
+ session1.OrderBy(query) // $querystring=query
+ session1.Having(query) // $querystring=query
+ session1.GroupBy(query) // $querystring=query
+ session1.And(query) // $querystring=query
+ session1.Or(query) // $querystring=query
+
+ session2 := xorm2.Session{}
+ session2.Query(query) // $querystring=query
+ session2.QueryString(query) // $querystring=query
+ session2.QueryInterface(query) // $querystring=query
+ session2.SQL(query) // $querystring=query
+ session2.Where(query) // $querystring=query
+ session2.Alias(query) // $querystring=query
+ session2.NotIn(query) // $querystring=query
+ session2.In(query) // $querystring=query
+ session2.Select(query) // $querystring=query
+ session2.SetExpr(query, nil) // $querystring=query
+ session2.OrderBy(query) // $querystring=query
+ session2.Having(query) // $querystring=query
+ session2.GroupBy(query) // $querystring=query
+ session2.And(query) // $querystring=query
+ session2.Or(query) // $querystring=query
+}
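Review bot: The sink model this file is meant to pin down also marks argument 1 of `Sum`, `SumInt`, `Sums` and `SumsInt`, arguments 0–2 of `Join`, and argument 0 of `Exec` as query strings, but xormtest exercises none of those, so a regression in any of them would still pass this test. The vendored stubs already declare the methods with the right shapes, e.g. `Session.Join(_ string, _ interface{}, _ string, _ ...interface{})` and `Session.SumInt(_ interface{}, _ string)`, so the cases can be added in the same style: `session1.Join("INNER", nil, query) // $querystring=query`, `session1.SumInt(nil, query) // $querystring=query` and `session1.Exec(query) // $querystring=query`, mirrored for the other three receivers. The Engine blocks also omit `And`/`Or`, which the model accepts for both types; if the Engine stubs (declared before this hunk) do expose them, a test line each would keep the model and the test in step. The value of these lines is defensive: they are what stops an untested sink from silently dropping SQL-injection findings later.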