Add inline test for xorm

ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/go.mod

@@ -1,9 +0,0 @@
-module xormtest
-
-go 1.14
-
-require (
-	github.com/go-xorm/xorm v0.7.9
-	github.com/kr/pretty v0.2.1 // indirect
-	xorm.io/xorm v1.0.7
-)

ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/vendor/modules.txt

@@ -1,9 +0,0 @@
-# github.com/go-xorm/xorm v0.7.9
-## explicit
-github.com/go-xorm/xorm
-# github.com/kr/pretty v0.2.1
-## explicit
-github.com/kr/pretty
-# xorm.io/xorm v1.0.7
-## explicit
-xorm.io/xorm

ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.expected

@@ -1,56 +0,0 @@
-| xorm.go:19:16:19:24 | untrusted |
-| xorm.go:20:22:20:30 | untrusted |
-| xorm.go:21:25:21:33 | untrusted |
-| xorm.go:22:14:22:22 | untrusted |
-| xorm.go:23:16:23:24 | untrusted |
-| xorm.go:24:16:24:24 | untrusted |
-| xorm.go:25:16:25:24 | untrusted |
-| xorm.go:26:13:26:21 | untrusted |
-| xorm.go:27:17:27:25 | untrusted |
-| xorm.go:28:18:28:26 | untrusted |
-| xorm.go:29:18:29:26 | untrusted |
-| xorm.go:30:17:30:25 | untrusted |
-| xorm.go:31:18:31:26 | untrusted |
-| xorm.go:34:16:34:24 | untrusted |
-| xorm.go:35:22:35:30 | untrusted |
-| xorm.go:36:25:36:33 | untrusted |
-| xorm.go:37:14:37:22 | untrusted |
-| xorm.go:38:16:38:24 | untrusted |
-| xorm.go:39:16:39:24 | untrusted |
-| xorm.go:40:16:40:24 | untrusted |
-| xorm.go:41:13:41:21 | untrusted |
-| xorm.go:42:17:42:25 | untrusted |
-| xorm.go:43:18:43:26 | untrusted |
-| xorm.go:44:18:44:26 | untrusted |
-| xorm.go:45:17:45:25 | untrusted |
-| xorm.go:46:18:46:26 | untrusted |
-| xorm.go:49:17:49:25 | untrusted |
-| xorm.go:50:23:50:31 | untrusted |
-| xorm.go:51:26:51:34 | untrusted |
-| xorm.go:52:15:52:23 | untrusted |
-| xorm.go:53:17:53:25 | untrusted |
-| xorm.go:54:17:54:25 | untrusted |
-| xorm.go:55:17:55:25 | untrusted |
-| xorm.go:56:14:56:22 | untrusted |
-| xorm.go:57:18:57:26 | untrusted |
-| xorm.go:58:19:58:27 | untrusted |
-| xorm.go:59:19:59:27 | untrusted |
-| xorm.go:60:18:60:26 | untrusted |
-| xorm.go:61:19:61:27 | untrusted |
-| xorm.go:62:15:62:23 | untrusted |
-| xorm.go:63:14:63:22 | untrusted |
-| xorm.go:66:17:66:25 | untrusted |
-| xorm.go:67:23:67:31 | untrusted |
-| xorm.go:68:26:68:34 | untrusted |
-| xorm.go:69:15:69:23 | untrusted |
-| xorm.go:70:17:70:25 | untrusted |
-| xorm.go:71:17:71:25 | untrusted |
-| xorm.go:72:17:72:25 | untrusted |
-| xorm.go:73:14:73:22 | untrusted |
-| xorm.go:74:18:74:26 | untrusted |
-| xorm.go:75:19:75:27 | untrusted |
-| xorm.go:76:19:76:27 | untrusted |
-| xorm.go:77:18:77:26 | untrusted |
-| xorm.go:78:19:78:27 | untrusted |
-| xorm.go:79:15:79:23 | untrusted |
-| xorm.go:80:14:80:22 | untrusted |

ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.go

@@ -1,81 +0,0 @@
-package xormtest
-
-//go:generate depstubber -vendor xorm.io/xorm Engine,Session
-//go:generate depstubber -vendor github.com/go-xorm/xorm Engine,Session
-
-import (
-	xorm1 "github.com/go-xorm/xorm"
-	xorm2 "xorm.io/xorm"
-)
-
-func getUntrustedString() string {
-	return "trouble"
-}
-
-func main() {
-	untrusted := getUntrustedString()
-
-	engine1 := xorm1.Engine{}
-	engine1.Query(untrusted)
-	engine1.QueryString(untrusted)
-	engine1.QueryInterface(untrusted)
-	engine1.SQL(untrusted)
-	engine1.Where(untrusted)
-	engine1.Alias(untrusted)
-	engine1.NotIn(untrusted)
-	engine1.In(untrusted)
-	engine1.Select(untrusted)
-	engine1.SetExpr(untrusted, nil)
-	engine1.OrderBy(untrusted)
-	engine1.Having(untrusted)
-	engine1.GroupBy(untrusted)
-
-	engine2 := xorm2.Engine{}
-	engine2.Query(untrusted)
-	engine2.QueryString(untrusted)
-	engine2.QueryInterface(untrusted)
-	engine2.SQL(untrusted)
-	engine2.Where(untrusted)
-	engine2.Alias(untrusted)
-	engine2.NotIn(untrusted)
-	engine2.In(untrusted)
-	engine2.Select(untrusted)
-	engine2.SetExpr(untrusted, nil)
-	engine2.OrderBy(untrusted)
-	engine2.Having(untrusted)
-	engine2.GroupBy(untrusted)
-
-	session1 := xorm1.Session{}
-	session1.Query(untrusted)
-	session1.QueryString(untrusted)
-	session1.QueryInterface(untrusted)
-	session1.SQL(untrusted)
-	session1.Where(untrusted)
-	session1.Alias(untrusted)
-	session1.NotIn(untrusted)
-	session1.In(untrusted)
-	session1.Select(untrusted)
-	session1.SetExpr(untrusted, nil)
-	session1.OrderBy(untrusted)
-	session1.Having(untrusted)
-	session1.GroupBy(untrusted)
-	session1.And(untrusted)
-	session1.Or(untrusted)
-
-	session2 := xorm2.Session{}
-	session2.Query(untrusted)
-	session2.QueryString(untrusted)
-	session2.QueryInterface(untrusted)
-	session2.SQL(untrusted)
-	session2.Where(untrusted)
-	session2.Alias(untrusted)
-	session2.NotIn(untrusted)
-	session2.In(untrusted)
-	session2.Select(untrusted)
-	session2.SetExpr(untrusted, nil)
-	session2.OrderBy(untrusted)
-	session2.Having(untrusted)
-	session2.GroupBy(untrusted)
-	session2.And(untrusted)
-	session2.Or(untrusted)
-}

ql/test/library-tests/semmle/go/frameworks/SQL/Xorm/xorm.ql

@@ -1,4 +0,0 @@
-import go
-
-from SQL::QueryString qs
-select qs

ql/test/library-tests/semmle/go/frameworks/SQL/go.mod

@@ -6,4 +6,9 @@ require (
 	github.com/Masterminds/squirrel v1.1.0
 	github.com/go-pg/pg v8.0.6+incompatible
 	github.com/go-pg/pg/v9 v9.1.3
+	github.com/go-sql-driver/mysql v1.6.0 // indirect
+	github.com/go-xorm/xorm v0.7.9
+	github.com/lib/pq v1.10.2 // indirect
+	github.com/mattn/go-sqlite3 v1.14.7 // indirect
+	xorm.io/xorm v1.1.0
 )

ql/test/library-tests/semmle/go/frameworks/SQL/vendor/xorm.io/xorm/stub.go

@@ -391,6 +391,8 @@ func (_ *Engine) SetTZLocation(_ *time.Location) {}
 
 func (_ *Engine) SetTableMapper(_ interface{}) {}
 
+func (_ *Engine) SetTagIdentifier(_ string) {}
+
 func (_ *Engine) ShowSQL(_ ...bool) {}
 
 func (_ *Engine) StoreEngine(_ string) *Session {
@@ -657,6 +659,10 @@ func (_ *Session) IsClosed() bool {
 	return false
 }
 
+func (_ *Session) IsInTx() bool {
+	return false
+}
+
 func (_ *Session) IsTableEmpty(_ interface{}) (bool, error) {
 	return false, nil
 }

ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go

@@ -0,0 +1,77 @@
+package main
+
+//go:generate depstubber -vendor xorm.io/xorm Engine,Session
+//go:generate depstubber -vendor github.com/go-xorm/xorm Engine,Session
+
+import (
+	xorm1 "github.com/go-xorm/xorm"
+	xorm2 "xorm.io/xorm"
+)
+
+func xormtest() {
+	query := "UntrustedString"
+
+	engine1 := xorm1.Engine{}
+	engine1.Query(query)          // $querystring=query
+	engine1.QueryString(query)    // $querystring=query
+	engine1.QueryInterface(query) // $querystring=query
+	engine1.SQL(query)            // $querystring=query
+	engine1.Where(query)          // $querystring=query
+	engine1.Alias(query)          // $querystring=query
+	engine1.NotIn(query)          // $querystring=query
+	engine1.In(query)             // $querystring=query
+	engine1.Select(query)         // $querystring=query
+	engine1.SetExpr(query, nil)   // $querystring=query
+	engine1.OrderBy(query)        // $querystring=query
+	engine1.Having(query)         // $querystring=query
+	engine1.GroupBy(query)        // $querystring=query
+
+	engine2 := xorm2.Engine{}
+	engine2.Query(query)          // $querystring=query
+	engine2.QueryString(query)    // $querystring=query
+	engine2.QueryInterface(query) // $querystring=query
+	engine2.SQL(query)            // $querystring=query
+	engine2.Where(query)          // $querystring=query
+	engine2.Alias(query)          // $querystring=query
+	engine2.NotIn(query)          // $querystring=query
+	engine2.In(query)             // $querystring=query
+	engine2.Select(query)         // $querystring=query
+	engine2.SetExpr(query, nil)   // $querystring=query
+	engine2.OrderBy(query)        // $querystring=query
+	engine2.Having(query)         // $querystring=query
+	engine2.GroupBy(query)        // $querystring=query
+
+	session1 := xorm1.Session{}
+	session1.Query(query)          // $querystring=query
+	session1.QueryString(query)    // $querystring=query
+	session1.QueryInterface(query) // $querystring=query
+	session1.SQL(query)            // $querystring=query
+	session1.Where(query)          // $querystring=query
+	session1.Alias(query)          // $querystring=query
+	session1.NotIn(query)          // $querystring=query
+	session1.In(query)             // $querystring=query
+	session1.Select(query)         // $querystring=query
+	session1.SetExpr(query, nil)   // $querystring=query
+	session1.OrderBy(query)        // $querystring=query
+	session1.Having(query)         // $querystring=query
+	session1.GroupBy(query)        // $querystring=query
+	session1.And(query)            // $querystring=query
+	session1.Or(query)             // $querystring=query
+
+	session2 := xorm2.Session{}
+	session2.Query(query)          // $querystring=query
+	session2.QueryString(query)    // $querystring=query
+	session2.QueryInterface(query) // $querystring=query
+	session2.SQL(query)            // $querystring=query
+	session2.Where(query)          // $querystring=query
+	session2.Alias(query)          // $querystring=query
+	session2.NotIn(query)          // $querystring=query
+	session2.In(query)             // $querystring=query
+	session2.Select(query)         // $querystring=query
+	session2.SetExpr(query, nil)   // $querystring=query
+	session2.OrderBy(query)        // $querystring=query
+	session2.Having(query)         // $querystring=query
+	session2.GroupBy(query)        // $querystring=query
+	session2.And(query)            // $querystring=query
+	session2.Or(query)             // $querystring=query
+}