Revert "Convert Bun sql-injection sinks to MaD"

This reverts commit 3eb5b2669b.
2026-04-19 05:54:00 +02:00 · 2024-08-24 17:43:00 +01:00
parent ec59492866
commit 59bb142e8b
5 changed files with 61 additions and 155 deletions
--- a/go/ql/lib/ext/github.com.uptrace.bun.model.yml
+++ b/go/ql/lib/ext/github.com.uptrace.bun.model.yml
@@ -1,68 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/go-all
-      extensible: sinkModel
-    data:
-      - ["github.com/uptrace/bun", "", True, "NewRawQuery", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "AddColumnQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "AddColumnQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "AddColumnQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "NewRaw", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "Conn", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "CreateTableQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "CreateTableQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "CreateTableQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "NewRaw", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DB", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DeleteQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DeleteQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DeleteQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DropColumnQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DropColumnQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DropColumnQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DropTableQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "DropTableQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "InsertQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "InsertQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "InsertQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "InsertQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "InsertQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "MergeQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "MergeQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "RawQuery", True, "NewRaw", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "DistinctOn", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "For", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "GroupExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "OrderExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "SelectQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "TruncateTableQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "UpdateQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "UpdateQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "UpdateQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["github.com/uptrace/bun", "UpdateQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
--- a/go/ql/lib/semmle/go/frameworks/SQL.qll
+++ b/go/ql/lib/semmle/go/frameworks/SQL.qll
@@ -167,8 +167,45 @@ module Xorm {
 }

 /**
- * DEPRECATED
- *
 * Provides classes for working with the [Bun](https://bun.uptrace.dev/) package.
 */
-deprecated module Bun { }
+module Bun {
+  /** Gets the package name for Bun package. */
+  private string packagePath() { result = package("github.com/uptrace/bun", "") }
+
+  /** A model for sinks of Bun. */
+  private class BunSink extends SQL::QueryString::Range {
+    BunSink() {
+      exists(Function f, string m, int arg | this = f.getACall().getArgument(arg) |
+        f.hasQualifiedName(packagePath(), m) and
+        m = "NewRawQuery" and
+        arg = 1
+      )
+      or
+      exists(Method f, string tp, string m, int arg | this = f.getACall().getArgument(arg) |
+        f.hasQualifiedName(packagePath(), tp, m) and
+        (
+          tp = ["DB", "Conn"] and
+          m = ["ExecContext", "PrepareContext", "QueryContext", "QueryRowContext"] and
+          arg = 1
+          or
+          tp = ["DB", "Conn"] and
+          m = ["Exec", "NewRaw", "Prepare", "Query", "QueryRow", "Raw"] and
+          arg = 0
+          or
+          tp.matches("%Query") and
+          m =
+            [
+              "ColumnExpr", "DistinctOn", "For", "GroupExpr", "Having", "ModelTableExpr",
+              "OrderExpr", "TableExpr", "Where", "WhereOr"
+            ] and
+          arg = 0
+          or
+          tp = "RawQuery" and
+          m = "NewRaw" and
+          arg = 0
+        )
+      )
+    }
+  }
+}
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/QueryString.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/QueryString.expected
@@ -1,3 +0,0 @@
-failures
-invalidModelRow
-testFailures
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/QueryString.ql
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/QueryString.ql
@@ -1,60 +0,0 @@
-import go
-import semmle.go.dataflow.ExternalFlow
-import ModelValidation
-import TestUtilities.InlineExpectationsTest
-
-module SqlTest implements TestSig {
-  string getARelevantTag() { result = "query" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "query" and
-    exists(SQL::Query q, SQL::QueryString qs | qs = q.getAQueryString() |
-      q.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
-      element = q.toString() and
-      value = qs.toString()
-    )
-  }
-}
-
-module QueryString implements TestSig {
-  string getARelevantTag() { result = "querystring" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "querystring" and
-    element = "" and
-    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
-      qs.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
-      value = qs.toString()
-    )
-  }
-}
-
-module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLit }
-
-  predicate isSink(DataFlow::Node n) {
-    n = any(DataFlow::CallNode cn | cn.getTarget().getName() = "sink").getAnArgument()
-  }
-}
-
-module Flow = TaintTracking::Global<Config>;
-
-module TaintFlow implements TestSig {
-  string getARelevantTag() { result = "flowfrom" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "flowfrom" and
-    element = "" and
-    exists(DataFlow::Node fromNode, DataFlow::Node toNode |
-      toNode
-          .hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-            location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
-      Flow::flow(fromNode, toNode) and
-      value = fromNode.asExpr().(StringLit).getValue()
-    )
-  }
-}
-
-import MakeTest<MergeTests3<SqlTest, QueryString, TaintFlow>>
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.go
@@ -22,28 +22,28 @@ func main() {
 		panic(err)
 	}
 	db := bun.NewDB(sqlite, sqlitedialect.New())
-	bun.NewRawQuery(db, untrusted) // $ querystring=untrusted
+	bun.NewRawQuery(db, untrusted)

-	db.ExecContext(ctx, untrusted)     // $ querystring=untrusted
-	db.PrepareContext(ctx, untrusted)  // $ querystring=untrusted
-	db.QueryContext(ctx, untrusted)    // $ querystring=untrusted
-	db.QueryRowContext(ctx, untrusted) // $ querystring=untrusted
+	db.ExecContext(ctx, untrusted)
+	db.PrepareContext(ctx, untrusted)
+	db.QueryContext(ctx, untrusted)
+	db.QueryRowContext(ctx, untrusted)

-	db.Exec(untrusted)     // $ querystring=untrusted
-	db.NewRaw(untrusted)   // $ querystring=untrusted
-	db.Prepare(untrusted)  // $ querystring=untrusted
-	db.Query(untrusted)    // $ querystring=untrusted
-	db.QueryRow(untrusted) // $ querystring=untrusted
-	db.Raw(untrusted)      // $ querystring=untrusted
+	db.Exec(untrusted)
+	db.NewRaw(untrusted)
+	db.Prepare(untrusted)
+	db.Query(untrusted)
+	db.QueryRow(untrusted)
+	db.Raw(untrusted)

-	db.NewSelect().ColumnExpr(untrusted)     // $ querystring=untrusted
-	db.NewSelect().DistinctOn(untrusted)     // $ querystring=untrusted
-	db.NewSelect().For(untrusted)            // $ querystring=untrusted
-	db.NewSelect().GroupExpr(untrusted)      // $ querystring=untrusted
-	db.NewSelect().Having(untrusted)         // $ querystring=untrusted
-	db.NewSelect().ModelTableExpr(untrusted) // $ querystring=untrusted
-	db.NewSelect().OrderExpr(untrusted)      // $ querystring=untrusted
-	db.NewSelect().TableExpr(untrusted)      // $ querystring=untrusted
-	db.NewSelect().Where(untrusted)          // $ querystring=untrusted
-	db.NewSelect().WhereOr(untrusted)        // $ querystring=untrusted
+	db.NewSelect().ColumnExpr(untrusted)
+	db.NewSelect().DistinctOn(untrusted)
+	db.NewSelect().For(untrusted)
+	db.NewSelect().GroupExpr(untrusted)
+	db.NewSelect().Having(untrusted)
+	db.NewSelect().ModelTableExpr(untrusted)
+	db.NewSelect().OrderExpr(untrusted)
+	db.NewSelect().TableExpr(untrusted)
+	db.NewSelect().Where(untrusted)
+	db.NewSelect().WhereOr(untrusted)
 }