From 8c608bad21264ed973b8eceb013b0d603e924aae Mon Sep 17 00:00:00 2001
From: snoopywu <3022235906@qq.com>
Date: Thu, 6 May 2021 14:15:08 +0800
Subject: [PATCH 1/6] Add Xorm support

---
 ql/src/semmle/go/frameworks/SQL.qll | 33 +
 .../semmle/go/frameworks/SQL/Xorm/go.mod | 9 +
 .../vendor/github.com/go-xorm/xorm/stub.go | 917 ++++++++++++++++++
 .../go/frameworks/SQL/Xorm/vendor/modules.txt | 9 +
 .../SQL/Xorm/vendor/xorm.io/xorm/stub.go | 818 ++++++++++++++++
 .../go/frameworks/SQL/Xorm/xorm.expected | 56 ++
 .../semmle/go/frameworks/SQL/Xorm/xorm.go | 81 ++
 .../semmle/go/frameworks/SQL/Xorm/xorm.ql | 4 +
 8 files changed, 1927 insertions(+)
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/go.mod
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/github.com/go-xorm/xorm/stub.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/modules.txt
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/xorm.io/xorm/stub.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.expected
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.ql

diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll
index f626fe097ca..173be722649 100644
--- a/ql/src/semmle/go/frameworks/SQL.qll
+++ b/ql/src/semmle/go/frameworks/SQL.qll
@@ -224,3 +224,36 @@ module Gorm {
     result = package(["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"], "")
   }
 }
+
+/**
+ * Provides classes for working with the [XORM](https://xorm.io/) package.
+ */
+module Xorm {
+  /** Gets the package name for Xorm. */
+  string packagePath() { result = package(["xorm.io/xorm", "github.com/go-xorm/xorm"], "") }
+
+  /** A model for sinks of XORM. */
+  private class XormSink extends SQL::QueryString::Range {
+    XormSink() {
+      exists(Method meth, string package, string type, string name, int n |
+        meth.hasQualifiedName(package, type, name) and
+        this = meth.getACall().getArgument(n) and
+        this.getType().getUnderlyingType() instanceof StringType and
+        package = Xorm::packagePath() and
+        type = ["Engine", "Session"]
+      |
+        name =
+          [
+            "Query", "Exec", "QueryString", "QueryInterface", "SQL", "Where", "And", "Or", "Alias",
+            "NotIn", "In", "Select", "SetExpr", "OrderBy", "Having", "GroupBy"
+          ] and
+        n = 0
+        or
+        name = ["SumInt", "Sum", "Sums", "SumsInt"] and n = 1
+        or
+        name = "Join" and n = [0, 1, 2]
+      )
+    }
+  }
+}
+
\ No newline at end of file
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/go.mod b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/go.mod
new file mode 100644
index 00000000000..21a8fb818b7
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/go.mod
@@ -0,0 +1,9 @@
+module xormtest
+
+go 1.14
+
+require (
+	github.com/go-xorm/xorm v0.7.9
+	github.com/kr/pretty v0.2.1 // indirect
+	xorm.io/xorm v1.0.7
+)
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/github.com/go-xorm/xorm/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/github.com/go-xorm/xorm/stub.go
new file mode 100644
index 00000000000..9853e015547
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/github.com/go-xorm/xorm/stub.go
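Review bot: The `n = 0` sink list omits the legacy `Sql` method, which the go-xorm stub in this same patch still exports on both `Engine` and `Session` with a `string` first parameter, so `engine.Sql(userQuery)` goes unflagged while `engine.SQL(userQuery)` is caught; adding `"Sql"` (and `"QuerySliceString"`, which the go-xorm `Session` stub exports alongside `QueryString`) to that list closes the gap. `Sums` and `SumsInt` take their column names variadically, but `n = 1` only marks the first column argument — `name = ["Sums", "SumsInt"] and n >= 1` would cover every column, assuming `getArgument` indexes variadic arguments positionally. The QLDoc on `packagePath()` says "package name" but the predicate returns a package path; `/** Gets the package path for Xorm. */` is the accurate wording. These are inferred from the vendored stubs; confirm against the upstream xorm API before widening the model.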
@@ -0,0 +1,917 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/go-xorm/xorm, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/go-xorm/xorm (exports: Engine,Session; functions: ) + +// Package xorm is a stub of github.com/go-xorm/xorm, generated by depstubber. +package xorm + +import ( + context "context" + sql "database/sql" + io "io" + reflect "reflect" + strings "strings" + time "time" +) + +type ContextCache interface { + Get(_ string) interface{} + Put(_ string, _ interface{}) +} + +type Engine struct { + ColumnMapper interface{} + TableMapper interface{} + TagIdentifier string + Tables map[reflect.Type]interface{} + Cacher interface{} + TZLocation *time.Location + DatabaseTZ *time.Location +} + +func (_ *Engine) After(_ func(interface{})) *Session { + return nil +} + +func (_ *Engine) Alias(_ string) *Session { + return nil +} + +func (_ *Engine) AllCols() *Session { + return nil +} + +func (_ *Engine) Asc(_ ...string) *Session { + return nil +} + +func (_ *Engine) AutoIncrStr() string { + return "" +} + +func (_ *Engine) Before(_ func(interface{})) *Session { + return nil +} + +func (_ *Engine) BufferSize(_ int) *Session { + return nil +} + +func (_ *Engine) Cascade(_ ...bool) *Session { + return nil +} + +func (_ *Engine) Charset(_ string) *Session { + return nil +} + +func (_ *Engine) ClearCache(_ ...interface{}) error { + return nil +} + +func (_ *Engine) ClearCacheBean(_ interface{}, _ string) error { + return nil +} + +func (_ *Engine) Clone() (*Engine, error) { + return nil, nil +} + +func (_ *Engine) Close() error { + return nil +} + +func (_ *Engine) Cols(_ ...string) *Session { + return nil +} + +func (_ *Engine) CondDeleted(_ string) interface{} { + return nil +} + +func (_ *Engine) Context(_ context.Context) *Session { + return nil +} + +func (_ *Engine) Count(_ ...interface{}) (int64, error) { + return 0, nil +} + 
+func (_ *Engine) CreateIndexes(_ interface{}) error { + return nil +} + +func (_ *Engine) CreateTables(_ ...interface{}) error { + return nil +} + +func (_ *Engine) CreateUniques(_ interface{}) error { + return nil +} + +func (_ *Engine) DB() interface{} { + return nil +} + +func (_ *Engine) DBMetas() ([]interface{}, error) { + return nil, nil +} + +func (_ *Engine) DataSourceName() string { + return "" +} + +func (_ *Engine) Decr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Delete(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) Desc(_ ...string) *Session { + return nil +} + +func (_ *Engine) Dialect() interface{} { + return nil +} + +func (_ *Engine) Distinct(_ ...string) *Session { + return nil +} + +func (_ *Engine) DriverName() string { + return "" +} + +func (_ *Engine) DropIndexes(_ interface{}) error { + return nil +} + +func (_ *Engine) DropTables(_ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpAll(_ io.Writer, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpAllToFile(_ string, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpTables(_ []interface{}, _ io.Writer, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpTablesToFile(_ []interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *Engine) Exec(_ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Engine) Exist(_ ...interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) Find(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Engine) FindAndCount(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) Get(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) GetCacher(_ string) interface{} { + return nil +} + +func (_ *Engine) GetColumnMapper() interface{} { + return nil +} + +func (_ *Engine) GetDefaultCacher() interface{} { + return nil +} + +func (_ *Engine) 
GetTZDatabase() *time.Location { + return nil +} + +func (_ *Engine) GetTZLocation() *time.Location { + return nil +} + +func (_ *Engine) GetTableMapper() interface{} { + return nil +} + +func (_ *Engine) GobRegister(_ interface{}) *Engine { + return nil +} + +func (_ *Engine) GroupBy(_ string) *Session { + return nil +} + +func (_ *Engine) Having(_ string) *Session { + return nil +} + +func (_ *Engine) ID(_ interface{}) *Session { + return nil +} + +func (_ *Engine) IDOf(_ interface{}) interface{} { + return nil +} + +func (_ *Engine) IDOfV(_ reflect.Value) interface{} { + return nil +} + +func (_ *Engine) Id(_ interface{}) *Session { + return nil +} + +func (_ *Engine) IdOf(_ interface{}) interface{} { + return nil +} + +func (_ *Engine) IdOfV(_ reflect.Value) interface{} { + return nil +} + +func (_ *Engine) Import(_ io.Reader) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Engine) ImportFile(_ string) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Engine) In(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Incr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Insert(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) InsertOne(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) IsTableEmpty(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) IsTableExist(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) Iterate(_ interface{}, _ IterFunc) error { + return nil +} + +func (_ *Engine) Join(_ string, _ interface{}, _ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Limit(_ int, _ ...int) *Session { + return nil +} + +func (_ *Engine) Logger() interface{} { + return nil +} + +func (_ *Engine) MapCacher(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Engine) MustCols(_ ...string) *Session { + return nil +} + +func (_ *Engine) NewDB() (interface{}, error) { + return nil, 
nil +} + +func (_ *Engine) NewSession() *Session { + return nil +} + +func (_ *Engine) NoAutoCondition(_ ...bool) *Session { + return nil +} + +func (_ *Engine) NoAutoTime() *Session { + return nil +} + +func (_ *Engine) NoCache() *Session { + return nil +} + +func (_ *Engine) NoCascade() *Session { + return nil +} + +func (_ *Engine) NotIn(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Nullable(_ ...string) *Session { + return nil +} + +func (_ *Engine) Omit(_ ...string) *Session { + return nil +} + +func (_ *Engine) OrderBy(_ string) *Session { + return nil +} + +func (_ *Engine) Ping() error { + return nil +} + +func (_ *Engine) PingContext(_ context.Context) error { + return nil +} + +func (_ *Engine) Prepare() *Session { + return nil +} + +func (_ *Engine) Query(_ ...interface{}) ([]map[string][]byte, error) { + return nil, nil +} + +func (_ *Engine) QueryInterface(_ ...interface{}) ([]map[string]interface{}, error) { + return nil, nil +} + +func (_ *Engine) QueryString(_ ...interface{}) ([]map[string]string, error) { + return nil, nil +} + +func (_ *Engine) Quote(_ string) string { + return "" +} + +func (_ *Engine) QuoteTo(_ *strings.Builder, _ string) {} + +func (_ *Engine) Rows(_ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Engine) SQL(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) SQLType(_ interface{}) string { + return "" +} + +func (_ *Engine) Select(_ string) *Session { + return nil +} + +func (_ *Engine) SetCacher(_ string, _ interface{}) {} + +func (_ *Engine) SetColumnMapper(_ interface{}) {} + +func (_ *Engine) SetConnMaxLifetime(_ time.Duration) {} + +func (_ *Engine) SetDefaultCacher(_ interface{}) {} + +func (_ *Engine) SetDefaultContext(_ context.Context) {} + +func (_ *Engine) SetDisableGlobalCache(_ bool) {} + +func (_ *Engine) SetExpr(_ string, _ interface{}) *Session { + return nil +} + +func (_ *Engine) SetLogLevel(_ interface{}) {} + +func (_ *Engine) 
SetLogger(_ interface{}) {} + +func (_ *Engine) SetMapper(_ interface{}) {} + +func (_ *Engine) SetMaxIdleConns(_ int) {} + +func (_ *Engine) SetMaxOpenConns(_ int) {} + +func (_ *Engine) SetSchema(_ string) {} + +func (_ *Engine) SetTZDatabase(_ *time.Location) {} + +func (_ *Engine) SetTZLocation(_ *time.Location) {} + +func (_ *Engine) SetTableMapper(_ interface{}) {} + +func (_ *Engine) ShowExecTime(_ ...bool) {} + +func (_ *Engine) ShowSQL(_ ...bool) {} + +func (_ *Engine) Sql(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) SqlType(_ interface{}) string { + return "" +} + +func (_ *Engine) StoreEngine(_ string) *Session { + return nil +} + +func (_ *Engine) Sum(_ interface{}, _ string) (float64, error) { + return 0, nil +} + +func (_ *Engine) SumInt(_ interface{}, _ string) (int64, error) { + return 0, nil +} + +func (_ *Engine) Sums(_ interface{}, _ ...string) ([]float64, error) { + return nil, nil +} + +func (_ *Engine) SumsInt(_ interface{}, _ ...string) ([]int64, error) { + return nil, nil +} + +func (_ *Engine) SupportInsertMany() bool { + return false +} + +func (_ *Engine) Sync(_ ...interface{}) error { + return nil +} + +func (_ *Engine) Sync2(_ ...interface{}) error { + return nil +} + +func (_ *Engine) Table(_ interface{}) *Session { + return nil +} + +func (_ *Engine) TableInfo(_ interface{}) *Table { + return nil +} + +func (_ *Engine) TableName(_ interface{}, _ ...bool) string { + return "" +} + +func (_ *Engine) Transaction(_ func(*Session) (interface{}, error)) (interface{}, error) { + return nil, nil +} + +func (_ *Engine) UnMapType(_ reflect.Type) {} + +func (_ *Engine) Unscoped() *Session { + return nil +} + +func (_ *Engine) Update(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) UseBool(_ ...string) *Session { + return nil +} + +func (_ *Engine) Where(_ interface{}, _ ...interface{}) *Session { + return nil +} + +type IterFunc func(int, interface{}) error + +type Rows 
struct{} + +func (_ *Rows) Close() error { + return nil +} + +func (_ *Rows) Err() error { + return nil +} + +func (_ *Rows) Next() bool { + return false +} + +func (_ *Rows) Scan(_ interface{}) error { + return nil +} + +type Session struct{} + +func (_ *Session) After(_ func(interface{})) *Session { + return nil +} + +func (_ *Session) Alias(_ string) *Session { + return nil +} + +func (_ *Session) AllCols() *Session { + return nil +} + +func (_ *Session) And(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Asc(_ ...string) *Session { + return nil +} + +func (_ *Session) Before(_ func(interface{})) *Session { + return nil +} + +func (_ *Session) Begin() error { + return nil +} + +func (_ *Session) BufferSize(_ int) *Session { + return nil +} + +func (_ *Session) Cascade(_ ...bool) *Session { + return nil +} + +func (_ *Session) Charset(_ string) *Session { + return nil +} + +func (_ *Session) Clone() *Session { + return nil +} + +func (_ *Session) Close() {} + +func (_ *Session) Cols(_ ...string) *Session { + return nil +} + +func (_ *Session) Commit() error { + return nil +} + +func (_ *Session) Conds() interface{} { + return nil +} + +func (_ *Session) Context(_ context.Context) *Session { + return nil +} + +func (_ *Session) ContextCache(_ ContextCache) *Session { + return nil +} + +func (_ *Session) Count(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) CreateIndexes(_ interface{}) error { + return nil +} + +func (_ *Session) CreateTable(_ interface{}) error { + return nil +} + +func (_ *Session) CreateUniques(_ interface{}) error { + return nil +} + +func (_ *Session) DB() interface{} { + return nil +} + +func (_ *Session) Decr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Delete(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) Desc(_ ...string) *Session { + return nil +} + +func (_ *Session) Distinct(_ ...string) *Session { + return nil +} + +func 
(_ *Session) DropIndexes(_ interface{}) error { + return nil +} + +func (_ *Session) DropTable(_ interface{}) error { + return nil +} + +func (_ *Session) Exec(_ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Session) Exist(_ ...interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) Find(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Session) FindAndCount(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) ForUpdate() *Session { + return nil +} + +func (_ *Session) Get(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) GroupBy(_ string) *Session { + return nil +} + +func (_ *Session) Having(_ string) *Session { + return nil +} + +func (_ *Session) ID(_ interface{}) *Session { + return nil +} + +func (_ *Session) Id(_ interface{}) *Session { + return nil +} + +func (_ *Session) In(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Incr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Init() {} + +func (_ *Session) Insert(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) InsertMulti(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) InsertOne(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) IsClosed() bool { + return false +} + +func (_ *Session) IsTableEmpty(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) IsTableExist(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) Iterate(_ interface{}, _ IterFunc) error { + return nil +} + +func (_ *Session) Join(_ string, _ interface{}, _ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) LastSQL() (string, []interface{}) { + return "", nil +} + +func (_ *Session) Limit(_ int, _ ...int) *Session { + return nil +} + +func (_ *Session) MustCols(_ ...string) *Session { + return nil +} + +func (_ *Session) 
NoAutoCondition(_ ...bool) *Session { + return nil +} + +func (_ *Session) NoAutoTime() *Session { + return nil +} + +func (_ *Session) NoCache() *Session { + return nil +} + +func (_ *Session) NoCascade() *Session { + return nil +} + +func (_ *Session) NotIn(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Nullable(_ ...string) *Session { + return nil +} + +func (_ *Session) Omit(_ ...string) *Session { + return nil +} + +func (_ *Session) Or(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) OrderBy(_ string) *Session { + return nil +} + +func (_ *Session) Ping() error { + return nil +} + +func (_ *Session) PingContext(_ context.Context) error { + return nil +} + +func (_ *Session) Prepare() *Session { + return nil +} + +func (_ *Session) Query(_ ...interface{}) ([]map[string][]byte, error) { + return nil, nil +} + +func (_ *Session) QueryInterface(_ ...interface{}) ([]map[string]interface{}, error) { + return nil, nil +} + +func (_ *Session) QuerySliceString(_ ...interface{}) ([][]string, error) { + return nil, nil +} + +func (_ *Session) QueryString(_ ...interface{}) ([]map[string]string, error) { + return nil, nil +} + +func (_ *Session) Rollback() error { + return nil +} + +func (_ *Session) Rows(_ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Session) SQL(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Select(_ string) *Session { + return nil +} + +func (_ *Session) SetExpr(_ string, _ interface{}) *Session { + return nil +} + +func (_ *Session) Sql(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) StoreEngine(_ string) *Session { + return nil +} + +func (_ *Session) Sum(_ interface{}, _ string) (float64, error) { + return 0, nil +} + +func (_ *Session) SumInt(_ interface{}, _ string) (int64, error) { + return 0, nil +} + +func (_ *Session) Sums(_ interface{}, _ ...string) ([]float64, error) { + return nil, nil +} + +func (_ 
*Session) SumsInt(_ interface{}, _ ...string) ([]int64, error) { + return nil, nil +} + +func (_ *Session) Sync2(_ ...interface{}) error { + return nil +} + +func (_ *Session) Table(_ interface{}) *Session { + return nil +} + +func (_ *Session) Unscoped() *Session { + return nil +} + +func (_ *Session) Update(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) UseBool(_ ...string) *Session { + return nil +} + +func (_ *Session) Where(_ interface{}, _ ...interface{}) *Session { + return nil +} + +type Table struct { + Table interface{} + Name string +} + +func (_ Table) AddColumn(_ interface{}) {} + +func (_ Table) AddIndex(_ interface{}) {} + +func (_ Table) AutoIncrColumn() interface{} { + return nil +} + +func (_ Table) ColumnType(_ string) reflect.Type { + return nil +} + +func (_ Table) Columns() []interface{} { + return nil +} + +func (_ Table) ColumnsSeq() []string { + return nil +} + +func (_ Table) DeletedColumn() interface{} { + return nil +} + +func (_ Table) GetColumn(_ string) interface{} { + return nil +} + +func (_ Table) GetColumnIdx(_ string, _ int) interface{} { + return nil +} + +func (_ Table) PKColumns() []interface{} { + return nil +} + +func (_ Table) UpdatedColumn() interface{} { + return nil +} + +func (_ Table) VersionColumn() interface{} { + return nil +} + +func (_ *Table) IsValid() bool { + return false +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/modules.txt new file mode 100644 index 00000000000..22e7df65a20 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/modules.txt @@ -0,0 +1,9 @@ +# github.com/go-xorm/xorm v0.7.9 +## explicit +github.com/go-xorm/xorm +# github.com/kr/pretty v0.2.1 +## explicit +github.com/kr/pretty +# xorm.io/xorm v1.0.7 +## explicit +xorm.io/xorm 
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/xorm.io/xorm/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/xorm.io/xorm/stub.go
new file mode 100644
index 00000000000..60e3a03f3a1
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/xorm.io/xorm/stub.go
@@ -0,0 +1,818 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for xorm.io/xorm, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: xorm.io/xorm (exports: Engine,Session; functions: ) + +// Package xorm is a stub of xorm.io/xorm, generated by depstubber. +package xorm + +import ( + context "context" + sql "database/sql" + io "io" + reflect "reflect" + strings "strings" + time "time" +) + +type Engine struct { + TZLocation *time.Location + DatabaseTZ *time.Location +} + +func (_ *Engine) AddHook(_ interface{}) {} + +func (_ *Engine) After(_ func(interface{})) *Session { + return nil +} + +func (_ *Engine) Alias(_ string) *Session { + return nil +} + +func (_ *Engine) AllCols() *Session { + return nil +} + +func (_ *Engine) Asc(_ ...string) *Session { + return nil +} + +func (_ *Engine) AutoIncrStr() string { + return "" +} + +func (_ *Engine) Before(_ func(interface{})) *Session { + return nil +} + +func (_ *Engine) BufferSize(_ int) *Session { + return nil +} + +func (_ *Engine) Cascade(_ ...bool) *Session { + return nil +} + +func (_ *Engine) Charset(_ string) *Session { + return nil +} + +func (_ *Engine) ClearCache(_ ...interface{}) error { + return nil +} + +func (_ *Engine) ClearCacheBean(_ interface{}, _ string) error { + return nil +} + +func (_ *Engine) Close() error { + return nil +} + +func (_ *Engine) Cols(_ ...string) *Session { + return nil +} + +func (_ *Engine) Context(_ context.Context) *Session { + return nil +} + +func (_ *Engine) Count(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) CreateIndexes(_ interface{}) error { + return nil +} + +func (_ *Engine) CreateTables(_ ...interface{}) error { + return nil +} + +func (_ *Engine) CreateUniques(_ interface{}) error { + return nil +} + +func (_ *Engine) DB() interface{} { + return nil +} + +func (_ *Engine) DBMetas() ([]interface{}, error) { + return nil, nil +} + +func 
(_ *Engine) DataSourceName() string { + return "" +} + +func (_ *Engine) Decr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Delete(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) Desc(_ ...string) *Session { + return nil +} + +func (_ *Engine) Dialect() interface{} { + return nil +} + +func (_ *Engine) Distinct(_ ...string) *Session { + return nil +} + +func (_ *Engine) DriverName() string { + return "" +} + +func (_ *Engine) DropIndexes(_ interface{}) error { + return nil +} + +func (_ *Engine) DropTables(_ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpAll(_ io.Writer, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpAllToFile(_ string, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpTables(_ []interface{}, _ io.Writer, _ ...interface{}) error { + return nil +} + +func (_ *Engine) DumpTablesToFile(_ []interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *Engine) EnableSessionID(_ bool) {} + +func (_ *Engine) Exec(_ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Engine) Exist(_ ...interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) Find(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Engine) FindAndCount(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) Get(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) GetCacher(_ string) interface{} { + return nil +} + +func (_ *Engine) GetColumnMapper() interface{} { + return nil +} + +func (_ *Engine) GetDefaultCacher() interface{} { + return nil +} + +func (_ *Engine) GetTZDatabase() *time.Location { + return nil +} + +func (_ *Engine) GetTZLocation() *time.Location { + return nil +} + +func (_ *Engine) GetTableMapper() interface{} { + return nil +} + +func (_ *Engine) GroupBy(_ string) *Session { + return nil +} + +func (_ *Engine) Having(_ string) *Session { + return nil 
+} + +func (_ *Engine) ID(_ interface{}) *Session { + return nil +} + +func (_ *Engine) Import(_ io.Reader) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Engine) ImportFile(_ string) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Engine) In(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Incr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Insert(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) InsertOne(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) IsTableEmpty(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) IsTableExist(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Engine) Iterate(_ interface{}, _ IterFunc) error { + return nil +} + +func (_ *Engine) Join(_ string, _ interface{}, _ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Limit(_ int, _ ...int) *Session { + return nil +} + +func (_ *Engine) Logger() interface{} { + return nil +} + +func (_ *Engine) MapCacher(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Engine) MustCols(_ ...string) *Session { + return nil +} + +func (_ *Engine) NewDB() (interface{}, error) { + return nil, nil +} + +func (_ *Engine) NewSession() *Session { + return nil +} + +func (_ *Engine) NoAutoCondition(_ ...bool) *Session { + return nil +} + +func (_ *Engine) NoAutoTime() *Session { + return nil +} + +func (_ *Engine) NoCache() *Session { + return nil +} + +func (_ *Engine) NoCascade() *Session { + return nil +} + +func (_ *Engine) NotIn(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) Nullable(_ ...string) *Session { + return nil +} + +func (_ *Engine) Omit(_ ...string) *Session { + return nil +} + +func (_ *Engine) OrderBy(_ string) *Session { + return nil +} + +func (_ *Engine) Ping() error { + return nil +} + +func (_ *Engine) PingContext(_ context.Context) error { + return nil +} + +func (_ 
*Engine) Prepare() *Session { + return nil +} + +func (_ *Engine) Query(_ ...interface{}) ([]map[string][]byte, error) { + return nil, nil +} + +func (_ *Engine) QueryInterface(_ ...interface{}) ([]map[string]interface{}, error) { + return nil, nil +} + +func (_ *Engine) QueryString(_ ...interface{}) ([]map[string]string, error) { + return nil, nil +} + +func (_ *Engine) Quote(_ string) string { + return "" +} + +func (_ *Engine) QuoteTo(_ *strings.Builder, _ string) {} + +func (_ *Engine) Rows(_ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Engine) SQL(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Engine) SQLType(_ interface{}) string { + return "" +} + +func (_ *Engine) Select(_ string) *Session { + return nil +} + +func (_ *Engine) SetCacher(_ string, _ interface{}) {} + +func (_ *Engine) SetColumnMapper(_ interface{}) {} + +func (_ *Engine) SetConnMaxLifetime(_ time.Duration) {} + +func (_ *Engine) SetDefaultCacher(_ interface{}) {} + +func (_ *Engine) SetDefaultContext(_ context.Context) {} + +func (_ *Engine) SetDisableGlobalCache(_ bool) {} + +func (_ *Engine) SetExpr(_ string, _ interface{}) *Session { + return nil +} + +func (_ *Engine) SetLogLevel(_ interface{}) {} + +func (_ *Engine) SetLogger(_ interface{}) {} + +func (_ *Engine) SetMapper(_ interface{}) {} + +func (_ *Engine) SetMaxIdleConns(_ int) {} + +func (_ *Engine) SetMaxOpenConns(_ int) {} + +func (_ *Engine) SetQuotePolicy(_ interface{}) {} + +func (_ *Engine) SetSchema(_ string) {} + +func (_ *Engine) SetTZDatabase(_ *time.Location) {} + +func (_ *Engine) SetTZLocation(_ *time.Location) {} + +func (_ *Engine) SetTableMapper(_ interface{}) {} + +func (_ *Engine) ShowSQL(_ ...bool) {} + +func (_ *Engine) StoreEngine(_ string) *Session { + return nil +} + +func (_ *Engine) Sum(_ interface{}, _ string) (float64, error) { + return 0, nil +} + +func (_ *Engine) SumInt(_ interface{}, _ string) (int64, error) { + return 0, nil +} + +func (_ *Engine) Sums(_ 
interface{}, _ ...string) ([]float64, error) { + return nil, nil +} + +func (_ *Engine) SumsInt(_ interface{}, _ ...string) ([]int64, error) { + return nil, nil +} + +func (_ *Engine) Sync(_ ...interface{}) error { + return nil +} + +func (_ *Engine) Sync2(_ ...interface{}) error { + return nil +} + +func (_ *Engine) Table(_ interface{}) *Session { + return nil +} + +func (_ *Engine) TableInfo(_ interface{}) (interface{}, error) { + return nil, nil +} + +func (_ *Engine) TableName(_ interface{}, _ ...bool) string { + return "" +} + +func (_ *Engine) Transaction(_ func(*Session) (interface{}, error)) (interface{}, error) { + return nil, nil +} + +func (_ *Engine) UnMapType(_ reflect.Type) {} + +func (_ *Engine) Unscoped() *Session { + return nil +} + +func (_ *Engine) Update(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Engine) UseBool(_ ...string) *Session { + return nil +} + +func (_ *Engine) Where(_ interface{}, _ ...interface{}) *Session { + return nil +} + +type IterFunc func(int, interface{}) error + +type Rows struct{} + +func (_ *Rows) Close() error { + return nil +} + +func (_ *Rows) Err() error { + return nil +} + +func (_ *Rows) Next() bool { + return false +} + +func (_ *Rows) Scan(_ interface{}) error { + return nil +} + +type Session struct{} + +func (_ *Session) After(_ func(interface{})) *Session { + return nil +} + +func (_ *Session) Alias(_ string) *Session { + return nil +} + +func (_ *Session) AllCols() *Session { + return nil +} + +func (_ *Session) And(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Asc(_ ...string) *Session { + return nil +} + +func (_ *Session) Before(_ func(interface{})) *Session { + return nil +} + +func (_ *Session) Begin() error { + return nil +} + +func (_ *Session) BufferSize(_ int) *Session { + return nil +} + +func (_ *Session) Cascade(_ ...bool) *Session { + return nil +} + +func (_ *Session) Charset(_ string) *Session { + return nil +} + +func (_ 
*Session) Close() error { + return nil +} + +func (_ *Session) Cols(_ ...string) *Session { + return nil +} + +func (_ *Session) Commit() error { + return nil +} + +func (_ *Session) Conds() interface{} { + return nil +} + +func (_ *Session) Context(_ context.Context) *Session { + return nil +} + +func (_ *Session) ContextCache(_ interface{}) *Session { + return nil +} + +func (_ *Session) Count(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) CreateIndexes(_ interface{}) error { + return nil +} + +func (_ *Session) CreateTable(_ interface{}) error { + return nil +} + +func (_ *Session) CreateUniques(_ interface{}) error { + return nil +} + +func (_ *Session) DB() interface{} { + return nil +} + +func (_ *Session) Decr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Delete(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) Desc(_ ...string) *Session { + return nil +} + +func (_ *Session) Distinct(_ ...string) *Session { + return nil +} + +func (_ *Session) DropIndexes(_ interface{}) error { + return nil +} + +func (_ *Session) DropTable(_ interface{}) error { + return nil +} + +func (_ *Session) Engine() *Engine { + return nil +} + +func (_ *Session) Exec(_ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Session) Exist(_ ...interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) Find(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Session) FindAndCount(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) ForUpdate() *Session { + return nil +} + +func (_ *Session) Get(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) GroupBy(_ string) *Session { + return nil +} + +func (_ *Session) Having(_ string) *Session { + return nil +} + +func (_ *Session) ID(_ interface{}) *Session { + return nil +} + +func (_ *Session) Import(_ io.Reader) ([]sql.Result, error) { + return nil, nil 
+} + +func (_ *Session) ImportFile(_ string) ([]sql.Result, error) { + return nil, nil +} + +func (_ *Session) In(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Incr(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Insert(_ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) InsertMulti(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) InsertOne(_ interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) IsClosed() bool { + return false +} + +func (_ *Session) IsTableEmpty(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) IsTableExist(_ interface{}) (bool, error) { + return false, nil +} + +func (_ *Session) Iterate(_ interface{}, _ IterFunc) error { + return nil +} + +func (_ *Session) Join(_ string, _ interface{}, _ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) LastSQL() (string, []interface{}) { + return "", nil +} + +func (_ *Session) Limit(_ int, _ ...int) *Session { + return nil +} + +func (_ *Session) MustCols(_ ...string) *Session { + return nil +} + +func (_ *Session) MustLogSQL(_ ...bool) *Session { + return nil +} + +func (_ *Session) NoAutoCondition(_ ...bool) *Session { + return nil +} + +func (_ *Session) NoAutoTime() *Session { + return nil +} + +func (_ *Session) NoCache() *Session { + return nil +} + +func (_ *Session) NoCascade() *Session { + return nil +} + +func (_ *Session) NotIn(_ string, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Nullable(_ ...string) *Session { + return nil +} + +func (_ *Session) Omit(_ ...string) *Session { + return nil +} + +func (_ *Session) Or(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) OrderBy(_ string) *Session { + return nil +} + +func (_ *Session) Ping() error { + return nil +} + +func (_ *Session) PingContext(_ context.Context) error { + return nil +} + +func (_ *Session) Prepare() *Session { + 
return nil +} + +func (_ *Session) Query(_ ...interface{}) ([]map[string][]byte, error) { + return nil, nil +} + +func (_ *Session) QueryInterface(_ ...interface{}) ([]map[string]interface{}, error) { + return nil, nil +} + +func (_ *Session) QuerySliceString(_ ...interface{}) ([][]string, error) { + return nil, nil +} + +func (_ *Session) QueryString(_ ...interface{}) ([]map[string]string, error) { + return nil, nil +} + +func (_ *Session) Rollback() error { + return nil +} + +func (_ *Session) Rows(_ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Session) SQL(_ interface{}, _ ...interface{}) *Session { + return nil +} + +func (_ *Session) Select(_ string) *Session { + return nil +} + +func (_ *Session) SetExpr(_ string, _ interface{}) *Session { + return nil +} + +func (_ *Session) StoreEngine(_ string) *Session { + return nil +} + +func (_ *Session) Sum(_ interface{}, _ string) (float64, error) { + return 0, nil +} + +func (_ *Session) SumInt(_ interface{}, _ string) (int64, error) { + return 0, nil +} + +func (_ *Session) Sums(_ interface{}, _ ...string) ([]float64, error) { + return nil, nil +} + +func (_ *Session) SumsInt(_ interface{}, _ ...string) ([]int64, error) { + return nil, nil +} + +func (_ *Session) Sync2(_ ...interface{}) error { + return nil +} + +func (_ *Session) Table(_ interface{}) *Session { + return nil +} + +func (_ *Session) Unscoped() *Session { + return nil +} + +func (_ *Session) Update(_ interface{}, _ ...interface{}) (int64, error) { + return 0, nil +} + +func (_ *Session) UseBool(_ ...string) *Session { + return nil +} + +func (_ *Session) Where(_ interface{}, _ ...interface{}) *Session { + return nil +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.expected b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.expected new file mode 100644 index 00000000000..95f33274f40 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.expected 
@@ -0,0 +1,56 @@ +| xorm.go:19:16:19:24 | untrusted | +| xorm.go:20:22:20:30 | untrusted | +| xorm.go:21:25:21:33 | untrusted | +| xorm.go:22:14:22:22 | untrusted | +| xorm.go:23:16:23:24 | untrusted | +| xorm.go:24:16:24:24 | untrusted | +| xorm.go:25:16:25:24 | untrusted | +| xorm.go:26:13:26:21 | untrusted | +| xorm.go:27:17:27:25 | untrusted | +| xorm.go:28:18:28:26 | untrusted | +| xorm.go:29:18:29:26 | untrusted | +| xorm.go:30:17:30:25 | untrusted | +| xorm.go:31:18:31:26 | untrusted | +| xorm.go:34:16:34:24 | untrusted | +| xorm.go:35:22:35:30 | untrusted | +| xorm.go:36:25:36:33 | untrusted | +| xorm.go:37:14:37:22 | untrusted | +| xorm.go:38:16:38:24 | untrusted | +| xorm.go:39:16:39:24 | untrusted | +| xorm.go:40:16:40:24 | untrusted | +| xorm.go:41:13:41:21 | untrusted | +| xorm.go:42:17:42:25 | untrusted | +| xorm.go:43:18:43:26 | untrusted | +| xorm.go:44:18:44:26 | untrusted | +| xorm.go:45:17:45:25 | untrusted | +| xorm.go:46:18:46:26 | untrusted | +| xorm.go:49:17:49:25 | untrusted | +| xorm.go:50:23:50:31 | untrusted | +| xorm.go:51:26:51:34 | untrusted | +| xorm.go:52:15:52:23 | untrusted | +| xorm.go:53:17:53:25 | untrusted | +| xorm.go:54:17:54:25 | untrusted | +| xorm.go:55:17:55:25 | untrusted | +| xorm.go:56:14:56:22 | untrusted | +| xorm.go:57:18:57:26 | untrusted | +| xorm.go:58:19:58:27 | untrusted | +| xorm.go:59:19:59:27 | untrusted | +| xorm.go:60:18:60:26 | untrusted | +| xorm.go:61:19:61:27 | untrusted | +| xorm.go:62:15:62:23 | untrusted | +| xorm.go:63:14:63:22 | untrusted | +| xorm.go:66:17:66:25 | untrusted | +| xorm.go:67:23:67:31 | untrusted | +| xorm.go:68:26:68:34 | untrusted | +| xorm.go:69:15:69:23 | untrusted | +| xorm.go:70:17:70:25 | untrusted | +| xorm.go:71:17:71:25 | untrusted | +| xorm.go:72:17:72:25 | untrusted | +| xorm.go:73:14:73:22 | untrusted | +| xorm.go:74:18:74:26 | untrusted | +| xorm.go:75:19:75:27 | untrusted | +| xorm.go:76:19:76:27 | untrusted | +| xorm.go:77:18:77:26 | untrusted | +| 
xorm.go:78:19:78:27 | untrusted | +| xorm.go:79:15:79:23 | untrusted | +| xorm.go:80:14:80:22 | untrusted | diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.go new file mode 100644 index 00000000000..2f3f2d01630 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.go 
@@ -0,0 +1,81 @@ +package xormtest + +//go:generate depstubber -vendor xorm.io/xorm Engine,Session +//go:generate depstubber -vendor github.com/go-xorm/xorm Engine,Session + +import ( + xorm1 "github.com/go-xorm/xorm" + xorm2 "xorm.io/xorm" +) + +func getUntrustedString() string { + return "trouble" +} + +func main() { + untrusted := getUntrustedString() + + engine1 := xorm1.Engine{} + engine1.Query(untrusted) + engine1.QueryString(untrusted) + engine1.QueryInterface(untrusted) + engine1.SQL(untrusted) + engine1.Where(untrusted) + engine1.Alias(untrusted) + engine1.NotIn(untrusted) + engine1.In(untrusted) + engine1.Select(untrusted) + engine1.SetExpr(untrusted, nil) + engine1.OrderBy(untrusted) + engine1.Having(untrusted) + engine1.GroupBy(untrusted) + + engine2 := xorm2.Engine{} + engine2.Query(untrusted) + engine2.QueryString(untrusted) + engine2.QueryInterface(untrusted) + engine2.SQL(untrusted) + engine2.Where(untrusted) + engine2.Alias(untrusted) + engine2.NotIn(untrusted) + engine2.In(untrusted) + engine2.Select(untrusted) + engine2.SetExpr(untrusted, nil) + engine2.OrderBy(untrusted) + engine2.Having(untrusted) + engine2.GroupBy(untrusted) + + session1 := xorm1.Session{} + session1.Query(untrusted) + session1.QueryString(untrusted) + session1.QueryInterface(untrusted) + session1.SQL(untrusted) + session1.Where(untrusted) + session1.Alias(untrusted) + session1.NotIn(untrusted) + session1.In(untrusted) + session1.Select(untrusted) + session1.SetExpr(untrusted, nil) + session1.OrderBy(untrusted) + session1.Having(untrusted) + session1.GroupBy(untrusted) + session1.And(untrusted) + session1.Or(untrusted) + + session2 := xorm2.Session{} + session2.Query(untrusted) + session2.QueryString(untrusted) + session2.QueryInterface(untrusted) + session2.SQL(untrusted) + session2.Where(untrusted) + session2.Alias(untrusted) + session2.NotIn(untrusted) + session2.In(untrusted) + session2.Select(untrusted) + session2.SetExpr(untrusted, nil) + session2.OrderBy(untrusted) + 
session2.Having(untrusted) + session2.GroupBy(untrusted) + session2.And(untrusted) + session2.Or(untrusted) +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.ql b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.ql new file mode 100644 index 00000000000..7b56fd97441 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.ql @@ -0,0 +1,4 @@ +import go + +from SQL::QueryString qs +select qs From 0174270a0358e14019372a28a4c25b382859ddc9 Mon Sep 17 00:00:00 2001 From: snoopywu <3022235906@qq.com> Date: Thu, 6 May 2021 14:32:40 +0800 Subject: [PATCH 2/6] Add change note --- change-notes/2021-05-06-xorm.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 change-notes/2021-05-06-xorm.md diff --git a/change-notes/2021-05-06-xorm.md b/change-notes/2021-05-06-xorm.md new file mode 100644 index 00000000000..0398530b950 --- /dev/null +++ b/change-notes/2021-05-06-xorm.md @@ -0,0 +1,2 @@ +lgtm,codescanning +* Added support for the `xorm.io/xorm` package From 4975dccd34f51b48db23afb11ca7aa654d581eb2 Mon Sep 17 00:00:00 2001 From: snoopywu <3022235906@qq.com> Date: Thu, 6 May 2021 14:44:45 +0800 Subject: [PATCH 3/6] Format SQL.qll --- ql/src/semmle/go/frameworks/SQL.qll | 51 ++++++++++++++--------------- 1 file changed, 25 insertions(+), 26 deletions(-) diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll index 173be722649..eb715ffdf3d 100644 --- a/ql/src/semmle/go/frameworks/SQL.qll +++ b/ql/src/semmle/go/frameworks/SQL.qll 
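Review bot: The expectation file only pins argument 0 of the string-taking methods, but the model added to SQL.qll in this series also treats `Exec` (argument 0), `Join` (arguments 0–2) and `Sum`/`SumInt`/`Sums`/`SumsInt` (argument 1) as sinks, and none of those calls appears in `main`, so a wrong argument index for them would not show up in xorm.expected. I would add, for each of the four receivers, calls such as `engine1.Exec(untrusted)`, `session1.Join(untrusted, untrusted, untrusted)` and `session1.Sum(nil, untrusted)` and regenerate the expected rows. The stubs also show `Where`, `Or` and `SQL` taking `interface{}`, so a non-string first argument is worth a row too, to pin whether it is meant to be reported.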
@@ -229,31 +229,30 @@ module Gorm { * Provides classes for working with the [XORM](https://xorm.io/) package. */ module Xorm { - /** Gets the package name for Xorm. */ - string packagePath() { result = package(["xorm.io/xorm", "github.com/go-xorm/xorm"], "") } - - /** A model for sinks of XORM. */ - private class XormSink extends SQL::QueryString::Range { - XormSink() { - exists(Method meth, string package, string type, string name, int n | - meth.hasQualifiedName(package, type, name) and - this = meth.getACall().getArgument(n) and - this.getType().getUnderlyingType() instanceof StringType and - package = Xorm::packagePath() and - type = ["Engine", "Session"] - | - name = - [ - "Query", "Exec", "QueryString", "QueryInterface", "SQL", "Where", "And", "Or", "Alias", - "NotIn", "In", "Select", "SetExpr", "OrderBy", "Having", "GroupBy" - ] and - n = 0 - or - name = ["SumInt", "Sum", "Sums", "SumsInt"] and n = 1 - or - name = "Join" and n = [0, 1, 2] - ) - } + /** Gets the package name for Xorm. */ + string packagePath() { result = package(["xorm.io/xorm", "github.com/go-xorm/xorm"], "") } + + /** A model for sinks of XORM. */ + private class XormSink extends SQL::QueryString::Range { + XormSink() { + exists(Method meth, string package, string type, string name, int n | + meth.hasQualifiedName(package, type, name) and + this = meth.getACall().getArgument(n) and + this.getType().getUnderlyingType() instanceof StringType and + package = Xorm::packagePath() and + type = ["Engine", "Session"] + | + name = + [ + "Query", "Exec", "QueryString", "QueryInterface", "SQL", "Where", "And", "Or", "Alias", + "NotIn", "In", "Select", "SetExpr", "OrderBy", "Having", "GroupBy" + ] and + n = 0 + or + name = ["SumInt", "Sum", "Sums", "SumsInt"] and n = 1 + or + name = "Join" and n = [0, 1, 2] + ) } } - \ No newline at end of file +} From 7fc045e7494401f16458b53553e95c47aef924b7 Mon Sep 17 00:00:00 2001 
From: sn00py <3022235906@qq.com> Date: Sun, 27 Jun 2021 17:15:11 +0800 Subject: [PATCH 4/6] Add inline test for xorm --- .../semmle/go/frameworks/SQL/Xorm/go.mod | 9 --- .../go/frameworks/SQL/Xorm/vendor/modules.txt | 9 --- .../go/frameworks/SQL/Xorm/xorm.expected | 56 ------------- .../semmle/go/frameworks/SQL/Xorm/xorm.go | 81 ------------------- .../semmle/go/frameworks/SQL/Xorm/xorm.ql | 4 - .../semmle/go/frameworks/SQL/go.mod | 5 ++ .../vendor/github.com/go-xorm/xorm/stub.go | 0 .../{Xorm => }/vendor/xorm.io/xorm/stub.go | 6 ++ .../semmle/go/frameworks/SQL/xorm.go | 77 ++++++++++++++++++ 9 files changed, 88 insertions(+), 159 deletions(-) delete mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/go.mod delete mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/modules.txt delete mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.expected delete mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.go delete mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.ql rename ql/test/library-tests/semmle/go/frameworks/SQL/{Xorm => }/vendor/github.com/go-xorm/xorm/stub.go (100%) rename ql/test/library-tests/semmle/go/frameworks/SQL/{Xorm => }/vendor/xorm.io/xorm/stub.go (99%) create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/go.mod b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/go.mod deleted file mode 100644 index 21a8fb818b7..00000000000 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/go.mod +++ /dev/null @@ -1,9 +0,0 @@ -module xormtest - -go 1.14 - -require ( - github.com/go-xorm/xorm v0.7.9 - github.com/kr/pretty v0.2.1 // indirect - xorm.io/xorm v1.0.7 -) diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/modules.txt deleted file mode 100644 index 22e7df65a20..00000000000 
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/modules.txt +++ /dev/null @@ -1,9 +0,0 @@ -# github.com/go-xorm/xorm v0.7.9 -## explicit -github.com/go-xorm/xorm -# github.com/kr/pretty v0.2.1 -## explicit -github.com/kr/pretty -# xorm.io/xorm v1.0.7 -## explicit -xorm.io/xorm diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.expected b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.expected deleted file mode 100644 index 95f33274f40..00000000000 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.expected +++ /dev/null 
@@ -1,56 +0,0 @@ -| xorm.go:19:16:19:24 | untrusted | -| xorm.go:20:22:20:30 | untrusted | -| xorm.go:21:25:21:33 | untrusted | -| xorm.go:22:14:22:22 | untrusted | -| xorm.go:23:16:23:24 | untrusted | -| xorm.go:24:16:24:24 | untrusted | -| xorm.go:25:16:25:24 | untrusted | -| xorm.go:26:13:26:21 | untrusted | -| xorm.go:27:17:27:25 | untrusted | -| xorm.go:28:18:28:26 | untrusted | -| xorm.go:29:18:29:26 | untrusted | -| xorm.go:30:17:30:25 | untrusted | -| xorm.go:31:18:31:26 | untrusted | -| xorm.go:34:16:34:24 | untrusted | -| xorm.go:35:22:35:30 | untrusted | -| xorm.go:36:25:36:33 | untrusted | -| xorm.go:37:14:37:22 | untrusted | -| xorm.go:38:16:38:24 | untrusted | -| xorm.go:39:16:39:24 | untrusted | -| xorm.go:40:16:40:24 | untrusted | -| xorm.go:41:13:41:21 | untrusted | -| xorm.go:42:17:42:25 | untrusted | -| xorm.go:43:18:43:26 | untrusted | -| xorm.go:44:18:44:26 | untrusted | -| xorm.go:45:17:45:25 | untrusted | -| xorm.go:46:18:46:26 | untrusted | -| xorm.go:49:17:49:25 | untrusted | -| xorm.go:50:23:50:31 | untrusted | -| xorm.go:51:26:51:34 | untrusted | -| xorm.go:52:15:52:23 | untrusted | -| xorm.go:53:17:53:25 | untrusted | -| xorm.go:54:17:54:25 | untrusted | -| xorm.go:55:17:55:25 | untrusted | -| xorm.go:56:14:56:22 | untrusted | -| xorm.go:57:18:57:26 | untrusted | -| xorm.go:58:19:58:27 | untrusted | -| xorm.go:59:19:59:27 | untrusted | -| xorm.go:60:18:60:26 | untrusted | -| xorm.go:61:19:61:27 | untrusted | -| xorm.go:62:15:62:23 | untrusted | -| xorm.go:63:14:63:22 | untrusted | -| xorm.go:66:17:66:25 | untrusted | -| xorm.go:67:23:67:31 | untrusted | -| xorm.go:68:26:68:34 | untrusted | -| xorm.go:69:15:69:23 | untrusted | -| xorm.go:70:17:70:25 | untrusted | -| xorm.go:71:17:71:25 | untrusted | -| xorm.go:72:17:72:25 | untrusted | -| xorm.go:73:14:73:22 | untrusted | -| xorm.go:74:18:74:26 | untrusted | -| xorm.go:75:19:75:27 | untrusted | -| xorm.go:76:19:76:27 | untrusted | -| xorm.go:77:18:77:26 | untrusted | -| 
xorm.go:78:19:78:27 | untrusted | -| xorm.go:79:15:79:23 | untrusted | -| xorm.go:80:14:80:22 | untrusted | diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.go deleted file mode 100644 index 2f3f2d01630..00000000000 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.go +++ /dev/null 
@@ -1,81 +0,0 @@ -package xormtest - -//go:generate depstubber -vendor xorm.io/xorm Engine,Session -//go:generate depstubber -vendor github.com/go-xorm/xorm Engine,Session - -import ( - xorm1 "github.com/go-xorm/xorm" - xorm2 "xorm.io/xorm" -) - -func getUntrustedString() string { - return "trouble" -} - -func main() { - untrusted := getUntrustedString() - - engine1 := xorm1.Engine{} - engine1.Query(untrusted) - engine1.QueryString(untrusted) - engine1.QueryInterface(untrusted) - engine1.SQL(untrusted) - engine1.Where(untrusted) - engine1.Alias(untrusted) - engine1.NotIn(untrusted) - engine1.In(untrusted) - engine1.Select(untrusted) - engine1.SetExpr(untrusted, nil) - engine1.OrderBy(untrusted) - engine1.Having(untrusted) - engine1.GroupBy(untrusted) - - engine2 := xorm2.Engine{} - engine2.Query(untrusted) - engine2.QueryString(untrusted) - engine2.QueryInterface(untrusted) - engine2.SQL(untrusted) - engine2.Where(untrusted) - engine2.Alias(untrusted) - engine2.NotIn(untrusted) - engine2.In(untrusted) - engine2.Select(untrusted) - engine2.SetExpr(untrusted, nil) - engine2.OrderBy(untrusted) - engine2.Having(untrusted) - engine2.GroupBy(untrusted) - - session1 := xorm1.Session{} - session1.Query(untrusted) - session1.QueryString(untrusted) - session1.QueryInterface(untrusted) - session1.SQL(untrusted) - session1.Where(untrusted) - session1.Alias(untrusted) - session1.NotIn(untrusted) - session1.In(untrusted) - session1.Select(untrusted) - session1.SetExpr(untrusted, nil) - session1.OrderBy(untrusted) - session1.Having(untrusted) - session1.GroupBy(untrusted) - session1.And(untrusted) - session1.Or(untrusted) - - session2 := xorm2.Session{} - session2.Query(untrusted) - session2.QueryString(untrusted) - session2.QueryInterface(untrusted) - session2.SQL(untrusted) - session2.Where(untrusted) - session2.Alias(untrusted) - session2.NotIn(untrusted) - session2.In(untrusted) - session2.Select(untrusted) - session2.SetExpr(untrusted, nil) - session2.OrderBy(untrusted) - 
session2.Having(untrusted) - session2.GroupBy(untrusted) - session2.And(untrusted) - session2.Or(untrusted) -} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.ql b/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.ql deleted file mode 100644 index 7b56fd97441..00000000000 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.ql +++ /dev/null @@ -1,4 +0,0 @@ -import go - -from SQL::QueryString qs -select qs diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod b/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod index 23bb420b262..69db5c96c41 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod @@ -6,4 +6,9 @@ require ( github.com/Masterminds/squirrel v1.1.0 github.com/go-pg/pg v8.0.6+incompatible github.com/go-pg/pg/v9 v9.1.3 + github.com/go-sql-driver/mysql v1.6.0 // indirect + github.com/go-xorm/xorm v0.7.9 + github.com/lib/pq v1.10.2 // indirect + github.com/mattn/go-sqlite3 v1.14.7 // indirect + xorm.io/xorm v1.1.0 ) diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/github.com/go-xorm/xorm/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/go-xorm/xorm/stub.go similarity index 100% rename from ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/github.com/go-xorm/xorm/stub.go rename to ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/go-xorm/xorm/stub.go diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/xorm.io/xorm/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/stub.go similarity index 99% rename from ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/xorm.io/xorm/stub.go rename to ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/stub.go index 60e3a03f3a1..ccadc994d34 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/xorm.io/xorm/stub.go 
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/stub.go @@ -391,6 +391,8 @@ func (_ *Engine) SetTZLocation(_ *time.Location) {} func (_ *Engine) SetTableMapper(_ interface{}) {} +func (_ *Engine) SetTagIdentifier(_ string) {} + func (_ *Engine) ShowSQL(_ ...bool) {} func (_ *Engine) StoreEngine(_ string) *Session { @@ -657,6 +659,10 @@ func (_ *Session) IsClosed() bool { return false } +func (_ *Session) IsInTx() bool { + return false +} + func (_ *Session) IsTableEmpty(_ interface{}) (bool, error) { return false, nil } diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go b/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go new file mode 100644 index 00000000000..3aa8857a61b --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go 
@@ -0,0 +1,77 @@
+package main
+
+//go:generate depstubber -vendor xorm.io/xorm Engine,Session
+//go:generate depstubber -vendor github.com/go-xorm/xorm Engine,Session
+
+import (
+ xorm1 "github.com/go-xorm/xorm"
+ xorm2 "xorm.io/xorm"
+)
+
+func xormtest() {
+ query := "UntrustedString"
+
+ engine1 := xorm1.Engine{}
+ engine1.Query(query) // $querystring=query
+ engine1.QueryString(query) // $querystring=query
+ engine1.QueryInterface(query) // $querystring=query
+ engine1.SQL(query) // $querystring=query
+ engine1.Where(query) // $querystring=query
+ engine1.Alias(query) // $querystring=query
+ engine1.NotIn(query) // $querystring=query
+ engine1.In(query) // $querystring=query
+ engine1.Select(query) // $querystring=query
+ engine1.SetExpr(query, nil) // $querystring=query
+ engine1.OrderBy(query) // $querystring=query
+ engine1.Having(query) // $querystring=query
+ engine1.GroupBy(query) // $querystring=query
+
+ engine2 := xorm2.Engine{}
+ engine2.Query(query) // $querystring=query
+ engine2.QueryString(query) // $querystring=query
+ engine2.QueryInterface(query) // $querystring=query
+ engine2.SQL(query) // $querystring=query
+ engine2.Where(query) // $querystring=query
+ engine2.Alias(query) // $querystring=query
+ engine2.NotIn(query) // $querystring=query
+ engine2.In(query) // $querystring=query
+ engine2.Select(query) // $querystring=query
+ engine2.SetExpr(query, nil) // $querystring=query
+ engine2.OrderBy(query) // $querystring=query
+ engine2.Having(query) // $querystring=query
+ engine2.GroupBy(query) // $querystring=query
+
+ session1 := xorm1.Session{}
+ session1.Query(query) // $querystring=query
+ session1.QueryString(query) // $querystring=query
+ session1.QueryInterface(query) // $querystring=query
+ session1.SQL(query) // $querystring=query
+ session1.Where(query) // $querystring=query
+ session1.Alias(query) // $querystring=query
+ session1.NotIn(query) // $querystring=query
+ session1.In(query) // $querystring=query
+ session1.Select(query) // $querystring=query
+ session1.SetExpr(query, nil) // $querystring=query
+ session1.OrderBy(query) // $querystring=query
+ session1.Having(query) // $querystring=query
+ session1.GroupBy(query) // $querystring=query
+ session1.And(query) // $querystring=query
+ session1.Or(query) // $querystring=query
+
+ session2 := xorm2.Session{}
+ session2.Query(query) // $querystring=query
+ session2.QueryString(query) // $querystring=query
+ session2.QueryInterface(query) // $querystring=query
+ session2.SQL(query) // $querystring=query
+ session2.Where(query) // $querystring=query
+ session2.Alias(query) // $querystring=query
+ session2.NotIn(query) // $querystring=query
+ session2.In(query) // $querystring=query
+ session2.Select(query) // $querystring=query
+ session2.SetExpr(query, nil) // $querystring=query
+ session2.OrderBy(query) // $querystring=query
+ session2.Having(query) // $querystring=query
+ session2.GroupBy(query) // $querystring=query
+ session2.And(query) // $querystring=query
+ session2.Or(query) // $querystring=query
+}
From 474287dc9f29f85c3a437ae683ade1fbe7aaa357 Mon Sep 17 00:00:00 2001
From: sn00py <3022235906@qq.com>
Date: Sun, 27 Jun 2021 17:31:44 +0800
Subject: [PATCH 5/6] Update SQL.qll remove package
---
ql/src/semmle/go/frameworks/SQL.qll | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll
index eb715ffdf3d..b8c51750b8f 100644
--- a/ql/src/semmle/go/frameworks/SQL.qll
+++ b/ql/src/semmle/go/frameworks/SQL.qll
@@ -235,11 +235,9 @@ module Xorm {
 /** A model for sinks of XORM. */
 private class XormSink extends SQL::QueryString::Range {
 XormSink() {
- exists(Method meth, string package, string type, string name, int n |
- meth.hasQualifiedName(package, type, name) and
+ exists(Method meth, string type, string name, int n |
+ meth.hasQualifiedName(Xorm::packagePath(), type, name) and
 this = meth.getACall().getArgument(n) and
- this.getType().getUnderlyingType() instanceof StringType and
- package = Xorm::packagePath() and
 type = ["Engine", "Session"]
 |
 name =
From dc00a17fd29da80c0cb508093dc252b7c8294665 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Wed, 11 Aug 2021 23:38:35 -0700
Subject: [PATCH 6/6] Add Xorm license
---
.../SQL/vendor/xorm.io/xorm/LICENSE | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/LICENSE
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/LICENSE b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/LICENSE
new file mode 100644
index 00000000000..84d2ae5386d
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/LICENSE
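Review bot: Dropping `this.getType().getUnderlyingType() instanceof StringType` makes every argument at the listed positions a `SQL::QueryString` regardless of its type; the vendored stubs declare `Where`, `Or`, `SQL` and the second parameter of `Join` as `interface{}`, and in XORM those positions also accept structured values (a builder condition or a table struct), which would now be reported as query strings and feed false positives into the SQL-injection queries. Unless the intent is to also catch `[]byte` or `fmt.Stringer` values, I would keep the restriction by re-adding `this.getType().getUnderlyingType() instanceof StringType and` directly after the `getArgument(n)` line. If the removal is deliberate, a one-line comment in the class stating why would stop the next reader from reinstating it. The class body continues past the end of this hunk.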
@@ -0,0 +1,27 @@ +Copyright (c) 2013 - 2015 The Xorm Authors +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the {organization} nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.