Merge pull request #430 from smowton/smowton/feature/model-beego-orm

Model the Beego ORM subpackage

change-notes/2020-12-15-beego-orm.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the ORM subpackage of the Beego web framework

ql/src/go.qll

@@ -30,6 +30,7 @@ import semmle.go.dataflow.SSA
 import semmle.go.dataflow.TaintTracking
 import semmle.go.dataflow.TaintTracking2
 import semmle.go.frameworks.Beego
+import semmle.go.frameworks.BeegoOrm
 import semmle.go.frameworks.Chi
 import semmle.go.frameworks.Echo
 import semmle.go.frameworks.Email

ql/src/semmle/go/frameworks/BeegoOrm.qll

@@ -0,0 +1,100 @@
+/**
+ * Provides classes for working with untrusted flow sources, sinks and taint propagators
+ * from the `github.com/astaxie/beego/orm` subpackage.
+ */
+
+import go
+private import semmle.go.security.StoredXssCustomizations
+
+module BeegoOrm {
+  /** Gets the package name. */
+  bindingset[result]
+  string packagePath() { result = package("github.com/astaxie/beego", "orm") }
+
+  private class DbSink extends SQL::QueryString::Range {
+    DbSink() {
+      exists(Method m, string methodName, int argNum |
+        m.hasQualifiedName(packagePath(), "DB", methodName) and
+        methodName in [
+            "Exec", "ExecContext", "Prepare", "PrepareContext", "Query", "QueryContext", "QueryRow",
+            "QueryRowContext"
+          ] and
+        if methodName.matches("%Context") then argNum = 1 else argNum = 0
+      |
+        this = m.getACall().getArgument(argNum)
+      )
+    }
+  }
+
+  private class QueryBuilderSink extends SQL::QueryString::Range {
+    // Note this class doesn't do any escaping, unlike the true ORM part of the package
+    QueryBuilderSink() {
+      exists(Method impl | impl.implements(packagePath(), "QueryBuilder", _) |
+        this = impl.getACall().getAnArgument()
+      ) and
+      this.getType().getUnderlyingType() instanceof StringType
+    }
+  }
+
+  private class OrmerRawSink extends SQL::QueryString::Range {
+    OrmerRawSink() {
+      exists(Method impl | impl.implements(packagePath(), "Ormer", "Raw") |
+        this = impl.getACall().getArgument(0)
+      )
+    }
+  }
+
+  private class QuerySeterFilterRawSink extends SQL::QueryString::Range {
+    QuerySeterFilterRawSink() {
+      exists(Method impl | impl.implements(packagePath(), "QuerySeter", "FilterRaw") |
+        this = impl.getACall().getArgument(1)
+      )
+    }
+  }
+
+  private class ConditionRawSink extends SQL::QueryString::Range {
+    ConditionRawSink() {
+      exists(Method impl | impl.implements(packagePath(), "Condition", "Raw") |
+        this = impl.getACall().getArgument(1)
+      )
+    }
+  }
+
+  private class OrmerSource extends StoredXss::Source {
+    OrmerSource() {
+      exists(Method impl |
+        impl.implements(packagePath(), "Ormer", ["Read", "ReadForUpdate", "ReadOrCreate"])
+      |
+        this = FunctionOutput::parameter(0).getExitNode(impl.getACall())
+      )
+    }
+  }
+
+  private class StringFieldSource extends StoredXss::Source {
+    StringFieldSource() {
+      exists(Method m |
+        m
+            .hasQualifiedName(packagePath(), ["JSONField", "JsonbField", "TextField"],
+              ["RawValue", "String", "Value"])
+      |
+        this = m.getACall().getResult()
+      )
+    }
+  }
+
+  private class SeterSource extends StoredXss::Source {
+    SeterSource() {
+      exists(Method impl |
+        // All and One are exclusive to QuerySeter, QueryRow[s] are exclusive to RawSeter, the rest are common.
+        impl
+            .implements(packagePath(), ["QuerySeter", "RawSeter"],
+              [
+                "All", "One", "Values", "ValuesList", "ValuesFlat", "RowsToMap", "RowsToStruct",
+                "QueryRow", "QueryRows"
+              ])
+      |
+        this = FunctionOutput::parameter(0).getExitNode(impl.getACall())
+      )
+    }
+  }
+}

ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.expected

@@ -0,0 +1,104 @@
+edges
+| test.go:10:15:10:41 | call to UserAgent : string | test.go:12:11:12:19 | untrusted |
+| test.go:10:15:10:41 | call to UserAgent : string | test.go:13:23:13:31 | untrusted |
+| test.go:10:15:10:41 | call to UserAgent : string | test.go:14:14:14:22 | untrusted |
+| test.go:10:15:10:41 | call to UserAgent : string | test.go:15:26:15:34 | untrusted |
+| test.go:10:15:10:41 | call to UserAgent : string | test.go:16:12:16:20 | untrusted |
+| test.go:10:15:10:41 | call to UserAgent : string | test.go:17:24:17:32 | untrusted |
+| test.go:10:15:10:41 | call to UserAgent : string | test.go:18:15:18:23 | untrusted |
+| test.go:10:15:10:41 | call to UserAgent : string | test.go:19:27:19:35 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:26:12:26:20 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:27:10:27:18 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:28:15:28:23 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:29:14:29:22 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:30:15:30:23 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:31:8:31:16 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:32:11:32:19 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:33:9:33:17 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:34:8:34:16 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:35:8:35:16 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:36:13:36:21 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:37:13:37:21 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:38:12:38:20 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:39:12:39:20 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:40:9:40:17 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:41:12:41:20 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:42:16:42:24 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:42:27:42:35 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:43:12:43:20 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:44:14:44:22 | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | test.go:44:25:44:33 | untrusted |
+| test.go:48:15:48:41 | call to UserAgent : string | test.go:49:12:49:20 | untrusted |
+| test.go:54:15:54:41 | call to UserAgent : string | test.go:56:31:56:39 | untrusted |
+| test.go:60:15:60:41 | call to UserAgent : string | test.go:62:19:62:27 | untrusted |
+nodes
+| test.go:10:15:10:41 | call to UserAgent : string | semmle.label | call to UserAgent : string |
+| test.go:12:11:12:19 | untrusted | semmle.label | untrusted |
+| test.go:13:23:13:31 | untrusted | semmle.label | untrusted |
+| test.go:14:14:14:22 | untrusted | semmle.label | untrusted |
+| test.go:15:26:15:34 | untrusted | semmle.label | untrusted |
+| test.go:16:12:16:20 | untrusted | semmle.label | untrusted |
+| test.go:17:24:17:32 | untrusted | semmle.label | untrusted |
+| test.go:18:15:18:23 | untrusted | semmle.label | untrusted |
+| test.go:19:27:19:35 | untrusted | semmle.label | untrusted |
+| test.go:24:15:24:41 | call to UserAgent : string | semmle.label | call to UserAgent : string |
+| test.go:26:12:26:20 | untrusted | semmle.label | untrusted |
+| test.go:27:10:27:18 | untrusted | semmle.label | untrusted |
+| test.go:28:15:28:23 | untrusted | semmle.label | untrusted |
+| test.go:29:14:29:22 | untrusted | semmle.label | untrusted |
+| test.go:30:15:30:23 | untrusted | semmle.label | untrusted |
+| test.go:31:8:31:16 | untrusted | semmle.label | untrusted |
+| test.go:32:11:32:19 | untrusted | semmle.label | untrusted |
+| test.go:33:9:33:17 | untrusted | semmle.label | untrusted |
+| test.go:34:8:34:16 | untrusted | semmle.label | untrusted |
+| test.go:35:8:35:16 | untrusted | semmle.label | untrusted |
+| test.go:36:13:36:21 | untrusted | semmle.label | untrusted |
+| test.go:37:13:37:21 | untrusted | semmle.label | untrusted |
+| test.go:38:12:38:20 | untrusted | semmle.label | untrusted |
+| test.go:39:12:39:20 | untrusted | semmle.label | untrusted |
+| test.go:40:9:40:17 | untrusted | semmle.label | untrusted |
+| test.go:41:12:41:20 | untrusted | semmle.label | untrusted |
+| test.go:42:16:42:24 | untrusted | semmle.label | untrusted |
+| test.go:42:27:42:35 | untrusted | semmle.label | untrusted |
+| test.go:43:12:43:20 | untrusted | semmle.label | untrusted |
+| test.go:44:14:44:22 | untrusted | semmle.label | untrusted |
+| test.go:44:25:44:33 | untrusted | semmle.label | untrusted |
+| test.go:48:15:48:41 | call to UserAgent : string | semmle.label | call to UserAgent : string |
+| test.go:49:12:49:20 | untrusted | semmle.label | untrusted |
+| test.go:54:15:54:41 | call to UserAgent : string | semmle.label | call to UserAgent : string |
+| test.go:56:31:56:39 | untrusted | semmle.label | untrusted |
+| test.go:60:15:60:41 | call to UserAgent : string | semmle.label | call to UserAgent : string |
+| test.go:62:19:62:27 | untrusted | semmle.label | untrusted |
+#select
+| test.go:12:11:12:19 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:12:11:12:19 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value |
+| test.go:13:23:13:31 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:13:23:13:31 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value |
+| test.go:14:14:14:22 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:14:14:14:22 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value |
+| test.go:15:26:15:34 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:15:26:15:34 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value |
+| test.go:16:12:16:20 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:16:12:16:20 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value |
+| test.go:17:24:17:32 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:17:24:17:32 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value |
+| test.go:18:15:18:23 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:18:15:18:23 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value |
+| test.go:19:27:19:35 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:19:27:19:35 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value |
+| test.go:26:12:26:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:26:12:26:20 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:27:10:27:18 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:27:10:27:18 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:28:15:28:23 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:28:15:28:23 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:29:14:29:22 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:29:14:29:22 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:30:15:30:23 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:30:15:30:23 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:31:8:31:16 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:31:8:31:16 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:32:11:32:19 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:32:11:32:19 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:33:9:33:17 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:33:9:33:17 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:34:8:34:16 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:34:8:34:16 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:35:8:35:16 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:35:8:35:16 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:36:13:36:21 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:36:13:36:21 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:37:13:37:21 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:37:13:37:21 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:38:12:38:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:38:12:38:20 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:39:12:39:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:39:12:39:20 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:40:9:40:17 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:40:9:40:17 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:41:12:41:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:41:12:41:20 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:42:16:42:24 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:42:16:42:24 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:42:27:42:35 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:42:27:42:35 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:43:12:43:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:43:12:43:20 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:44:14:44:22 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:44:14:44:22 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:44:25:44:33 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:44:25:44:33 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value |
+| test.go:49:12:49:20 | untrusted | test.go:48:15:48:41 | call to UserAgent : string | test.go:49:12:49:20 | untrusted | This query depends on $@. | test.go:48:15:48:41 | call to UserAgent | a user-provided value |
+| test.go:56:31:56:39 | untrusted | test.go:54:15:54:41 | call to UserAgent : string | test.go:56:31:56:39 | untrusted | This query depends on $@. | test.go:54:15:54:41 | call to UserAgent | a user-provided value |
+| test.go:62:19:62:27 | untrusted | test.go:60:15:60:41 | call to UserAgent : string | test.go:62:19:62:27 | untrusted | This query depends on $@. | test.go:60:15:60:41 | call to UserAgent | a user-provided value |

ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref

@@ -0,0 +1 @@
+Security/CWE-089/SqlInjection.ql

ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected

@@ -0,0 +1,114 @@
+edges
+| test.go:77:13:77:16 | &... : pointer type | test.go:78:13:78:29 | type conversion |
+| test.go:77:13:77:16 | &... : pointer type | test.go:79:13:79:43 | type conversion |
+| test.go:82:22:82:26 | &... : pointer type | test.go:83:13:83:30 | type conversion |
+| test.go:86:21:86:25 | &... : pointer type | test.go:87:13:87:30 | type conversion |
+| test.go:92:20:92:36 | call to Value : string | test.go:92:13:92:37 | type conversion |
+| test.go:93:20:93:39 | call to RawValue : interface type | test.go:93:13:93:49 | type conversion |
+| test.go:94:20:94:37 | call to String : string | test.go:94:13:94:38 | type conversion |
+| test.go:95:20:95:36 | call to Value : string | test.go:95:13:95:37 | type conversion |
+| test.go:96:20:96:39 | call to RawValue : interface type | test.go:96:13:96:49 | type conversion |
+| test.go:97:20:97:37 | call to String : string | test.go:97:13:97:38 | type conversion |
+| test.go:98:20:98:37 | call to Value : string | test.go:98:13:98:38 | type conversion |
+| test.go:99:20:99:40 | call to RawValue : interface type | test.go:99:13:99:50 | type conversion |
+| test.go:100:20:100:38 | call to String : string | test.go:100:13:100:39 | type conversion |
+| test.go:106:9:106:13 | &... : pointer type | test.go:107:13:107:33 | type conversion |
+| test.go:106:9:106:13 | &... : pointer type | test.go:107:20:107:26 | implicit dereference : MyStruct |
+| test.go:107:20:107:26 | implicit dereference : MyStruct | test.go:107:13:107:33 | type conversion |
+| test.go:107:20:107:26 | implicit dereference : MyStruct | test.go:107:20:107:26 | implicit dereference : MyStruct |
+| test.go:110:9:110:12 | &... : pointer type | test.go:111:13:111:29 | type conversion |
+| test.go:114:12:114:19 | &... : pointer type | test.go:115:13:115:48 | type conversion |
+| test.go:118:16:118:24 | &... : pointer type | test.go:119:13:119:43 | type conversion |
+| test.go:122:16:122:23 | &... : pointer type | test.go:123:13:123:39 | type conversion |
+| test.go:126:15:126:24 | &... : pointer type | test.go:127:13:127:47 | type conversion |
+| test.go:130:18:130:30 | &... : pointer type | test.go:131:13:131:38 | type conversion |
+| test.go:137:12:137:19 | &... : pointer type | test.go:138:13:138:48 | type conversion |
+| test.go:141:16:141:24 | &... : pointer type | test.go:142:13:142:43 | type conversion |
+| test.go:145:16:145:23 | &... : pointer type | test.go:146:13:146:39 | type conversion |
+| test.go:149:15:149:24 | &... : pointer type | test.go:150:13:150:47 | type conversion |
+| test.go:153:18:153:30 | &... : pointer type | test.go:154:13:154:38 | type conversion |
+| test.go:157:14:157:22 | &... : pointer type | test.go:158:13:158:28 | type conversion |
+| test.go:161:15:161:24 | &... : pointer type | test.go:162:13:162:32 | type conversion |
+nodes
+| test.go:77:13:77:16 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:78:13:78:29 | type conversion | semmle.label | type conversion |
+| test.go:79:13:79:43 | type conversion | semmle.label | type conversion |
+| test.go:82:22:82:26 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:83:13:83:30 | type conversion | semmle.label | type conversion |
+| test.go:86:21:86:25 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:87:13:87:30 | type conversion | semmle.label | type conversion |
+| test.go:92:13:92:37 | type conversion | semmle.label | type conversion |
+| test.go:92:20:92:36 | call to Value : string | semmle.label | call to Value : string |
+| test.go:93:13:93:49 | type conversion | semmle.label | type conversion |
+| test.go:93:20:93:39 | call to RawValue : interface type | semmle.label | call to RawValue : interface type |
+| test.go:94:13:94:38 | type conversion | semmle.label | type conversion |
+| test.go:94:20:94:37 | call to String : string | semmle.label | call to String : string |
+| test.go:95:13:95:37 | type conversion | semmle.label | type conversion |
+| test.go:95:20:95:36 | call to Value : string | semmle.label | call to Value : string |
+| test.go:96:13:96:49 | type conversion | semmle.label | type conversion |
+| test.go:96:20:96:39 | call to RawValue : interface type | semmle.label | call to RawValue : interface type |
+| test.go:97:13:97:38 | type conversion | semmle.label | type conversion |
+| test.go:97:20:97:37 | call to String : string | semmle.label | call to String : string |
+| test.go:98:13:98:38 | type conversion | semmle.label | type conversion |
+| test.go:98:20:98:37 | call to Value : string | semmle.label | call to Value : string |
+| test.go:99:13:99:50 | type conversion | semmle.label | type conversion |
+| test.go:99:20:99:40 | call to RawValue : interface type | semmle.label | call to RawValue : interface type |
+| test.go:100:13:100:39 | type conversion | semmle.label | type conversion |
+| test.go:100:20:100:38 | call to String : string | semmle.label | call to String : string |
+| test.go:106:9:106:13 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:107:13:107:33 | type conversion | semmle.label | type conversion |
+| test.go:107:20:107:26 | implicit dereference : MyStruct | semmle.label | implicit dereference : MyStruct |
+| test.go:110:9:110:12 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:111:13:111:29 | type conversion | semmle.label | type conversion |
+| test.go:114:12:114:19 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:115:13:115:48 | type conversion | semmle.label | type conversion |
+| test.go:118:16:118:24 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:119:13:119:43 | type conversion | semmle.label | type conversion |
+| test.go:122:16:122:23 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:123:13:123:39 | type conversion | semmle.label | type conversion |
+| test.go:126:15:126:24 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:127:13:127:47 | type conversion | semmle.label | type conversion |
+| test.go:130:18:130:30 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:131:13:131:38 | type conversion | semmle.label | type conversion |
+| test.go:137:12:137:19 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:138:13:138:48 | type conversion | semmle.label | type conversion |
+| test.go:141:16:141:24 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:142:13:142:43 | type conversion | semmle.label | type conversion |
+| test.go:145:16:145:23 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:146:13:146:39 | type conversion | semmle.label | type conversion |
+| test.go:149:15:149:24 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:150:13:150:47 | type conversion | semmle.label | type conversion |
+| test.go:153:18:153:30 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:154:13:154:38 | type conversion | semmle.label | type conversion |
+| test.go:157:14:157:22 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:158:13:158:28 | type conversion | semmle.label | type conversion |
+| test.go:161:15:161:24 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:162:13:162:32 | type conversion | semmle.label | type conversion |
+#select
+| test.go:78:13:78:29 | type conversion | test.go:77:13:77:16 | &... : pointer type | test.go:78:13:78:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:77:13:77:16 | &... | stored value |
+| test.go:79:13:79:43 | type conversion | test.go:77:13:77:16 | &... : pointer type | test.go:79:13:79:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:77:13:77:16 | &... | stored value |
+| test.go:83:13:83:30 | type conversion | test.go:82:22:82:26 | &... : pointer type | test.go:83:13:83:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:82:22:82:26 | &... | stored value |
+| test.go:87:13:87:30 | type conversion | test.go:86:21:86:25 | &... : pointer type | test.go:87:13:87:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:86:21:86:25 | &... | stored value |
+| test.go:92:13:92:37 | type conversion | test.go:92:20:92:36 | call to Value : string | test.go:92:13:92:37 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:92:20:92:36 | call to Value | stored value |
+| test.go:93:13:93:49 | type conversion | test.go:93:20:93:39 | call to RawValue : interface type | test.go:93:13:93:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:93:20:93:39 | call to RawValue | stored value |
+| test.go:94:13:94:38 | type conversion | test.go:94:20:94:37 | call to String : string | test.go:94:13:94:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:94:20:94:37 | call to String | stored value |
+| test.go:95:13:95:37 | type conversion | test.go:95:20:95:36 | call to Value : string | test.go:95:13:95:37 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:95:20:95:36 | call to Value | stored value |
+| test.go:96:13:96:49 | type conversion | test.go:96:20:96:39 | call to RawValue : interface type | test.go:96:13:96:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:96:20:96:39 | call to RawValue | stored value |
+| test.go:97:13:97:38 | type conversion | test.go:97:20:97:37 | call to String : string | test.go:97:13:97:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:97:20:97:37 | call to String | stored value |
+| test.go:98:13:98:38 | type conversion | test.go:98:20:98:37 | call to Value : string | test.go:98:13:98:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:98:20:98:37 | call to Value | stored value |
+| test.go:99:13:99:50 | type conversion | test.go:99:20:99:40 | call to RawValue : interface type | test.go:99:13:99:50 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:99:20:99:40 | call to RawValue | stored value |
+| test.go:100:13:100:39 | type conversion | test.go:100:20:100:38 | call to String : string | test.go:100:13:100:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:100:20:100:38 | call to String | stored value |
+| test.go:107:13:107:33 | type conversion | test.go:106:9:106:13 | &... : pointer type | test.go:107:13:107:33 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:106:9:106:13 | &... | stored value |
+| test.go:111:13:111:29 | type conversion | test.go:110:9:110:12 | &... : pointer type | test.go:111:13:111:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:110:9:110:12 | &... | stored value |
+| test.go:115:13:115:48 | type conversion | test.go:114:12:114:19 | &... : pointer type | test.go:115:13:115:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:114:12:114:19 | &... | stored value |
+| test.go:119:13:119:43 | type conversion | test.go:118:16:118:24 | &... : pointer type | test.go:119:13:119:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:118:16:118:24 | &... | stored value |
+| test.go:123:13:123:39 | type conversion | test.go:122:16:122:23 | &... : pointer type | test.go:123:13:123:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:122:16:122:23 | &... | stored value |
+| test.go:127:13:127:47 | type conversion | test.go:126:15:126:24 | &... : pointer type | test.go:127:13:127:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:126:15:126:24 | &... | stored value |
+| test.go:131:13:131:38 | type conversion | test.go:130:18:130:30 | &... : pointer type | test.go:131:13:131:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:130:18:130:30 | &... | stored value |
+| test.go:138:13:138:48 | type conversion | test.go:137:12:137:19 | &... : pointer type | test.go:138:13:138:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:137:12:137:19 | &... | stored value |
+| test.go:142:13:142:43 | type conversion | test.go:141:16:141:24 | &... : pointer type | test.go:142:13:142:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:141:16:141:24 | &... | stored value |
+| test.go:146:13:146:39 | type conversion | test.go:145:16:145:23 | &... : pointer type | test.go:146:13:146:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:145:16:145:23 | &... | stored value |
+| test.go:150:13:150:47 | type conversion | test.go:149:15:149:24 | &... : pointer type | test.go:150:13:150:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:149:15:149:24 | &... | stored value |
+| test.go:154:13:154:38 | type conversion | test.go:153:18:153:30 | &... : pointer type | test.go:154:13:154:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:153:18:153:30 | &... | stored value |
+| test.go:158:13:158:28 | type conversion | test.go:157:14:157:22 | &... : pointer type | test.go:158:13:158:28 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:157:14:157:22 | &... | stored value |
+| test.go:162:13:162:32 | type conversion | test.go:161:15:161:24 | &... : pointer type | test.go:162:13:162:32 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:161:15:161:24 | &... | stored value |

ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref

@@ -0,0 +1 @@
+Security/CWE-079/StoredXss.ql

ql/test/library-tests/semmle/go/frameworks/BeegoOrm/go.mod

@@ -0,0 +1,5 @@
+module test/beego
+
+go 1.14
+
+require github.com/astaxie/beego v1.12.3

ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go

@@ -0,0 +1,163 @@
+package test
+
+import (
+	"github.com/astaxie/beego/orm"
+	"net/http"
+)
+
+// BAD: using untrusted data in SQL queries
+func testDbMethods(bdb *orm.DB, untrustedSource *http.Request) {
+	untrusted := untrustedSource.UserAgent()
+
+	bdb.Exec(untrusted)
+	bdb.ExecContext(nil, untrusted)
+	bdb.Prepare(untrusted)
+	bdb.PrepareContext(nil, untrusted)
+	bdb.Query(untrusted)
+	bdb.QueryContext(nil, untrusted)
+	bdb.QueryRow(untrusted)
+	bdb.QueryRowContext(nil, untrusted)
+}
+
+// BAD: using untrusted data to build SQL queries (QueryBuilder does not sanitize its arguments)
+func testQueryBuilderMethods(qb orm.QueryBuilder, untrustedSource *http.Request) {
+	untrusted := untrustedSource.UserAgent()
+
+	qb.Select(untrusted)
+	qb.From(untrusted)
+	qb.InnerJoin(untrusted)
+	qb.LeftJoin(untrusted)
+	qb.RightJoin(untrusted)
+	qb.On(untrusted)
+	qb.Where(untrusted)
+	qb.And(untrusted)
+	qb.Or(untrusted)
+	qb.In(untrusted)
+	qb.OrderBy(untrusted)
+	qb.GroupBy(untrusted)
+	qb.Having(untrusted)
+	qb.Update(untrusted)
+	qb.Set(untrusted)
+	qb.Delete(untrusted)
+	qb.InsertInto(untrusted, untrusted)
+	qb.Values(untrusted)
+	qb.Subquery(untrusted, untrusted)
+}
+
+func testOrmerRaw(ormer orm.Ormer, untrustedSource *http.Request) {
+	untrusted := untrustedSource.UserAgent()
+	ormer.Raw(untrusted)                               // BAD: using an untrusted string as a query
+	ormer.Raw("FROM ? SELECT ?", untrusted, untrusted) // GOOD: untrusted string used in argument context
+}
+
+func testFilterRaw(querySeter orm.QuerySeter, untrustedSource *http.Request) {
+	untrusted := untrustedSource.UserAgent()
+	querySeter.FilterRaw(untrusted, "safe") // GOOD: untrusted used as a column name
+	querySeter.FilterRaw("safe", untrusted) // BAD: untrusted used as a SQL fragment
+}
+
+func testConditionRaw(cond orm.Condition, untrustedSource *http.Request) {
+	untrusted := untrustedSource.UserAgent()
+	cond.Raw(untrusted, "safe") // GOOD: untrusted used as a column name
+	cond.Raw("safe", untrusted) // BAD: untrusted used as a SQL fragment
+}
+
+type SubStruct struct {
+	field string
+}
+
+type MyStruct struct {
+	field      string
+	substructs []SubStruct
+}
+
+// BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
+func testOrmerReads(ormer orm.Ormer, sink http.ResponseWriter) {
+	obj := MyStruct{}
+	ormer.Read(&obj)
+	sink.Write([]byte(obj.field))
+	sink.Write([]byte(obj.substructs[0].field))
+
+	obj2 := MyStruct{}
+	ormer.ReadForUpdate(&obj2)
+	sink.Write([]byte(obj2.field))
+
+	obj3 := MyStruct{}
+	ormer.ReadOrCreate(&obj3, "arg")
+	sink.Write([]byte(obj3.field))
+}
+
+// BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
+func testFieldReads(textField *orm.TextField, jsonField *orm.JSONField, jsonbField *orm.JsonbField, sink http.ResponseWriter) {
+	sink.Write([]byte(textField.Value()))
+	sink.Write([]byte(textField.RawValue().(string)))
+	sink.Write([]byte(textField.String()))
+	sink.Write([]byte(jsonField.Value()))
+	sink.Write([]byte(jsonField.RawValue().(string)))
+	sink.Write([]byte(jsonField.String()))
+	sink.Write([]byte(jsonbField.Value()))
+	sink.Write([]byte(jsonbField.RawValue().(string)))
+	sink.Write([]byte(jsonbField.String()))
+}
+
+// BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
+func testQuerySeterReads(qs orm.QuerySeter, sink http.ResponseWriter) {
+	var objs []*MyStruct
+	qs.All(&objs)
+	sink.Write([]byte(objs[0].field))
+
+	var obj MyStruct
+	qs.One(&obj)
+	sink.Write([]byte(obj.field))
+
+	var allMaps []orm.Params
+	qs.Values(&allMaps)
+	sink.Write([]byte(allMaps[0]["field"].(string)))
+
+	var allLists []orm.ParamsList
+	qs.ValuesList(&allLists)
+	sink.Write([]byte(allLists[0][0].(string)))
+
+	var oneList orm.ParamsList
+	qs.ValuesFlat(&oneList, "colname")
+	sink.Write([]byte(oneList[0].(string)))
+
+	var oneRowMap orm.Params
+	qs.RowsToMap(&oneRowMap, "key", "value")
+	sink.Write([]byte(oneRowMap["field"].(string)))
+
+	var oneRowStruct MyStruct
+	qs.RowsToStruct(&oneRowStruct, "key", "value")
+	sink.Write([]byte(oneRowStruct.field))
+}
+
+// BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
+func testRawSeterReads(rs orm.RawSeter, sink http.ResponseWriter) {
+	var allMaps []orm.Params
+	rs.Values(&allMaps)
+	sink.Write([]byte(allMaps[0]["field"].(string)))
+
+	var allLists []orm.ParamsList
+	rs.ValuesList(&allLists)
+	sink.Write([]byte(allLists[0][0].(string)))
+
+	var oneList orm.ParamsList
+	rs.ValuesFlat(&oneList, "colname")
+	sink.Write([]byte(oneList[0].(string)))
+
+	var oneRowMap orm.Params
+	rs.RowsToMap(&oneRowMap, "key", "value")
+	sink.Write([]byte(oneRowMap["field"].(string)))
+
+	var oneRowStruct MyStruct
+	rs.RowsToStruct(&oneRowStruct, "key", "value")
+	sink.Write([]byte(oneRowStruct.field))
+
+	var strField string
+	rs.QueryRow(&strField)
+	sink.Write([]byte(strField))
+
+	var strFields []string
+	rs.QueryRows(&strFields)
+	sink.Write([]byte(strFields[0]))
+}

ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/github.com/astaxie/beego/orm/stub.go

@@ -0,0 +1,311 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/astaxie/beego/orm, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/astaxie/beego/orm (exports: DB,QueryBuilder,Ormer,QuerySeter,Condition,Fielder,RawSeter,JSONField,JsonbField,TextField; functions: )
+
+// Package orm is a stub of github.com/astaxie/beego/orm, generated by depstubber.
+package orm
+
+import (
+	context "context"
+	sql "database/sql"
+	sync "sync"
+)
+
+type Condition struct{}
+
+func (_ Condition) And(_ string, _ ...interface{}) *Condition {
+	return nil
+}
+
+func (_ Condition) AndNot(_ string, _ ...interface{}) *Condition {
+	return nil
+}
+
+func (_ Condition) Or(_ string, _ ...interface{}) *Condition {
+	return nil
+}
+
+func (_ Condition) OrNot(_ string, _ ...interface{}) *Condition {
+	return nil
+}
+
+func (_ Condition) Raw(_ string, _ string) *Condition {
+	return nil
+}
+
+func (_ *Condition) AndCond(_ *Condition) *Condition {
+	return nil
+}
+
+func (_ *Condition) AndNotCond(_ *Condition) *Condition {
+	return nil
+}
+
+func (_ *Condition) IsEmpty() bool {
+	return false
+}
+
+func (_ *Condition) OrCond(_ *Condition) *Condition {
+	return nil
+}
+
+func (_ *Condition) OrNotCond(_ *Condition) *Condition {
+	return nil
+}
+
+type DB struct {
+	RWMutex *sync.RWMutex
+	DB      *sql.DB
+}
+
+func (_ DB) Lock() {}
+
+func (_ DB) RLock() {}
+
+func (_ DB) RLocker() sync.Locker {
+	return nil
+}
+
+func (_ DB) RUnlock() {}
+
+func (_ DB) Unlock() {}
+
+func (_ *DB) Begin() (*sql.Tx, error) {
+	return nil, nil
+}
+
+func (_ *DB) BeginTx(_ context.Context, _ *sql.TxOptions) (*sql.Tx, error) {
+	return nil, nil
+}
+
+func (_ *DB) Exec(_ string, _ ...interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ *DB) ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ *DB) Prepare(_ string) (*sql.Stmt, error) {
+	return nil, nil
+}
+
+func (_ *DB) PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) {
+	return nil, nil
+}
+
+func (_ *DB) Query(_ string, _ ...interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ *DB) QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ *DB) QueryRow(_ string, _ ...interface{}) *sql.Row {
+	return nil
+}
+
+func (_ *DB) QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row {
+	return nil
+}
+
+type Driver interface {
+	Name() string
+	Type() DriverType
+}
+
+type DriverType int
+
+type Fielder interface {
+	FieldType() int
+	RawValue() interface{}
+	SetRaw(_ interface{}) error
+	String() string
+}
+
+type Inserter interface {
+	Close() error
+	Insert(_ interface{}) (int64, error)
+}
+
+type JSONField string
+
+func (_ JSONField) Value() string {
+	return ""
+}
+
+func (_ *JSONField) FieldType() int {
+	return 0
+}
+
+func (_ *JSONField) RawValue() interface{} {
+	return nil
+}
+
+func (_ *JSONField) Set(_ string) {}
+
+func (_ *JSONField) SetRaw(_ interface{}) error {
+	return nil
+}
+
+func (_ *JSONField) String() string {
+	return ""
+}
+
+type JsonbField string
+
+func (_ JsonbField) Value() string {
+	return ""
+}
+
+func (_ *JsonbField) FieldType() int {
+	return 0
+}
+
+func (_ *JsonbField) RawValue() interface{} {
+	return nil
+}
+
+func (_ *JsonbField) Set(_ string) {}
+
+func (_ *JsonbField) SetRaw(_ interface{}) error {
+	return nil
+}
+
+func (_ *JsonbField) String() string {
+	return ""
+}
+
+type Ormer interface {
+	Begin() error
+	BeginTx(_ context.Context, _ *sql.TxOptions) error
+	Commit() error
+	DBStats() *sql.DBStats
+	Delete(_ interface{}, _ ...string) (int64, error)
+	Driver() Driver
+	Insert(_ interface{}) (int64, error)
+	InsertMulti(_ int, _ interface{}) (int64, error)
+	InsertOrUpdate(_ interface{}, _ ...string) (int64, error)
+	LoadRelated(_ interface{}, _ string, _ ...interface{}) (int64, error)
+	QueryM2M(_ interface{}, _ string) QueryM2Mer
+	QueryTable(_ interface{}) QuerySeter
+	Raw(_ string, _ ...interface{}) RawSeter
+	Read(_ interface{}, _ ...string) error
+	ReadForUpdate(_ interface{}, _ ...string) error
+	ReadOrCreate(_ interface{}, _ string, _ ...string) (bool, int64, error)
+	Rollback() error
+	Update(_ interface{}, _ ...string) (int64, error)
+	Using(_ string) error
+}
+
+type Params map[string]interface{}
+
+type ParamsList []interface{}
+
+type QueryBuilder interface {
+	And(_ string) QueryBuilder
+	Asc() QueryBuilder
+	Delete(_ ...string) QueryBuilder
+	Desc() QueryBuilder
+	ForUpdate() QueryBuilder
+	From(_ ...string) QueryBuilder
+	GroupBy(_ ...string) QueryBuilder
+	Having(_ string) QueryBuilder
+	In(_ ...string) QueryBuilder
+	InnerJoin(_ string) QueryBuilder
+	InsertInto(_ string, _ ...string) QueryBuilder
+	LeftJoin(_ string) QueryBuilder
+	Limit(_ int) QueryBuilder
+	Offset(_ int) QueryBuilder
+	On(_ string) QueryBuilder
+	Or(_ string) QueryBuilder
+	OrderBy(_ ...string) QueryBuilder
+	RightJoin(_ string) QueryBuilder
+	Select(_ ...string) QueryBuilder
+	Set(_ ...string) QueryBuilder
+	String() string
+	Subquery(_ string, _ string) string
+	Update(_ ...string) QueryBuilder
+	Values(_ ...string) QueryBuilder
+	Where(_ string) QueryBuilder
+}
+
+type QueryM2Mer interface {
+	Add(_ ...interface{}) (int64, error)
+	Clear() (int64, error)
+	Count() (int64, error)
+	Exist(_ interface{}) bool
+	Remove(_ ...interface{}) (int64, error)
+}
+
+type QuerySeter interface {
+	All(_ interface{}, _ ...string) (int64, error)
+	Count() (int64, error)
+	Delete() (int64, error)
+	Distinct() QuerySeter
+	Exclude(_ string, _ ...interface{}) QuerySeter
+	Exist() bool
+	Filter(_ string, _ ...interface{}) QuerySeter
+	FilterRaw(_ string, _ string) QuerySeter
+	ForUpdate() QuerySeter
+	GetCond() *Condition
+	GroupBy(_ ...string) QuerySeter
+	Limit(_ interface{}, _ ...interface{}) QuerySeter
+	Offset(_ interface{}) QuerySeter
+	One(_ interface{}, _ ...string) error
+	OrderBy(_ ...string) QuerySeter
+	PrepareInsert() (Inserter, error)
+	RelatedSel(_ ...interface{}) QuerySeter
+	RowsToMap(_ *Params, _ string, _ string) (int64, error)
+	RowsToStruct(_ interface{}, _ string, _ string) (int64, error)
+	SetCond(_ *Condition) QuerySeter
+	Update(_ Params) (int64, error)
+	Values(_ *[]Params, _ ...string) (int64, error)
+	ValuesFlat(_ *ParamsList, _ string) (int64, error)
+	ValuesList(_ *[]ParamsList, _ ...string) (int64, error)
+}
+
+type RawPreparer interface {
+	Close() error
+	Exec(_ ...interface{}) (sql.Result, error)
+}
+
+type RawSeter interface {
+	Exec() (sql.Result, error)
+	Prepare() (RawPreparer, error)
+	QueryRow(_ ...interface{}) error
+	QueryRows(_ ...interface{}) (int64, error)
+	RowsToMap(_ *Params, _ string, _ string) (int64, error)
+	RowsToStruct(_ interface{}, _ string, _ string) (int64, error)
+	SetArgs(_ ...interface{}) RawSeter
+	Values(_ *[]Params, _ ...string) (int64, error)
+	ValuesFlat(_ *ParamsList, _ ...string) (int64, error)
+	ValuesList(_ *[]ParamsList, _ ...string) (int64, error)
+}
+
+type TextField string
+
+func (_ TextField) Value() string {
+	return ""
+}
+
+func (_ *TextField) FieldType() int {
+	return 0
+}
+
+func (_ *TextField) RawValue() interface{} {
+	return nil
+}
+
+func (_ *TextField) Set(_ string) {}
+
+func (_ *TextField) SetRaw(_ interface{}) error {
+	return nil
+}
+
+func (_ *TextField) String() string {
+	return ""
+}

ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/modules.txt

@@ -0,0 +1,3 @@
+# github.com/astaxie/beego v1.12.3
+## explicit
+github.com/astaxie/beego