From 44a63b2f941b6d2f98f5f5da0e26f1a636123d52 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Tue, 15 Dec 2020 17:03:43 +0000
Subject: [PATCH] Model the Beego ORM subpackage

---
change-notes/2020-12-15-beego-orm.md | 2 +
ql/src/go.qll | 1 +
ql/src/semmle/go/frameworks/BeegoOrm.qll | 100 ++++++
.../frameworks/BeegoOrm/SqlInjection.expected | 104 ++++++
.../go/frameworks/BeegoOrm/SqlInjection.qlref | 1 +
.../go/frameworks/BeegoOrm/StoredXss.expected | 114 +++++++
.../go/frameworks/BeegoOrm/StoredXss.qlref | 1 +
.../semmle/go/frameworks/BeegoOrm/go.mod | 5 +
.../semmle/go/frameworks/BeegoOrm/test.go | 163 +++++++++
.../github.com/astaxie/beego/orm/stub.go | 311 ++++++++++++++++++
.../go/frameworks/BeegoOrm/vendor/modules.txt | 3 +
11 files changed, 805 insertions(+)
create mode 100644 change-notes/2020-12-15-beego-orm.md
create mode 100644 ql/src/semmle/go/frameworks/BeegoOrm.qll
create mode 100644 ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.expected
create mode 100644 ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref
create mode 100644 ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected
create mode 100644 ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref
create mode 100644 ql/test/library-tests/semmle/go/frameworks/BeegoOrm/go.mod
create mode 100644 ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go
create mode 100644 ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/github.com/astaxie/beego/orm/stub.go
create mode 100644 ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/modules.txt

diff --git a/change-notes/2020-12-15-beego-orm.md b/change-notes/2020-12-15-beego-orm.md
new file mode 100644
index 00000000000..79fd312ed91
--- /dev/null
+++ b/change-notes/2020-12-15-beego-orm.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the ORM subpackage of the Beego web framework
diff --git a/ql/src/go.qll b/ql/src/go.qll
index 9ce96a425a1..14b2d538bbf 100644
--- a/ql/src/go.qll
+++ b/ql/src/go.qll
@@ -30,6 +30,7 @@ import semmle.go.dataflow.SSA
 import semmle.go.dataflow.TaintTracking
 import semmle.go.dataflow.TaintTracking2
 import semmle.go.frameworks.Beego
+import semmle.go.frameworks.BeegoOrm
 import semmle.go.frameworks.Chi
 import semmle.go.frameworks.Echo
 import semmle.go.frameworks.Email
diff --git a/ql/src/semmle/go/frameworks/BeegoOrm.qll b/ql/src/semmle/go/frameworks/BeegoOrm.qll
new file mode 100644
index 00000000000..209f40078fe
--- /dev/null
+++ b/ql/src/semmle/go/frameworks/BeegoOrm.qll
@@ -0,0 +1,100 @@
+/**
+ * Provides classes for working with untrusted flow sources, sinks and taint propagators
+ * from the `github.com/astaxie/beego/orm` subpackage.
+ */
+
+import go
+private import semmle.go.security.StoredXssCustomizations
+
+module BeegoOrm {
+ /** Gets the package name. */
+ bindingset[result]
+ string packagePath() { result = package("github.com/astaxie/beego", "orm") }
+
+ private class DbSink extends SQL::QueryString::Range {
+ DbSink() {
+ exists(Method m, string methodName, int argNum |
+ m.hasQualifiedName(packagePath(), "DB", methodName) and
+ methodName in [
+ "Exec", "ExecContext", "Prepare", "PrepareContext", "Query", "QueryContext", "QueryRow",
+ "QueryRowContext"
+ ] and
+ if methodName.matches("%Context") then argNum = 1 else argNum = 0
+ |
+ this = m.getACall().getArgument(argNum)
+ )
+ }
+ }
+
+ private class QueryBuilderSink extends SQL::QueryString::Range {
+ // Note this class doesn't do any escaping, unlike the true ORM part of the package
+ QueryBuilderSink() {
+ exists(Method impl | impl.implements(packagePath(), "QueryBuilder", _) |
+ this = impl.getACall().getAnArgument()
+ ) and
+ this.getType().getUnderlyingType() instanceof StringType
+ }
+ }
+
+ private class OrmerRawSink extends SQL::QueryString::Range {
+ OrmerRawSink() {
+ exists(Method impl | impl.implements(packagePath(), "Ormer", "Raw") |
+ this = impl.getACall().getArgument(0)
+ )
+ }
+ }
+
+ private class QuerySeterFilterRawSink extends SQL::QueryString::Range {
+ QuerySeterFilterRawSink() {
+ exists(Method impl | impl.implements(packagePath(), "QuerySeter", "FilterRaw") |
+ this = impl.getACall().getArgument(1)
+ )
+ }
+ }
+
+ private class ConditionRawSink extends SQL::QueryString::Range {
+ ConditionRawSink() {
+ exists(Method impl | impl.implements(packagePath(), "Condition", "Raw") |
+ this = impl.getACall().getArgument(1)
+ )
+ }
+ }
+
+ private class OrmerSource extends StoredXss::Source {
+ OrmerSource() {
+ exists(Method impl |
impl.implements(packagePath(), "Ormer", ["Read", "ReadForUpdate", "ReadOrCreate"])
+ |
+ this = FunctionOutput::parameter(0).getExitNode(impl.getACall())
+ )
+ }
+ }
+
+ private class StringFieldSource extends StoredXss::Source {
+ StringFieldSource() {
+ exists(Method m |
+ m
+ .hasQualifiedName(packagePath(), ["JSONField", "JsonbField", "TextField"],
+ ["RawValue", "String", "Value"])
+ |
+ this = m.getACall().getResult()
+ )
+ }
+ }
+
+ private class SeterSource extends StoredXss::Source {
+ SeterSource() {
+ exists(Method impl |
+ // All and One are exclusive to QuerySeter, QueryRow[s] are exclusive to RawSeter, the rest are common.
+ impl
+ .implements(packagePath(), ["QuerySeter", "RawSeter"],
+ [
+ "All", "One", "Values", "ValuesList", "ValuesFlat", "RowsToMap", "RowsToStruct",
+ "QueryRow", "QueryRows"
+ ])
+ |
+ this = FunctionOutput::parameter(0).getExitNode(impl.getACall())
+ )
+ }
+ }
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.expected b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.expected
new file mode 100644
index 00000000000..566d25c8035
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.expected
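Review bot: `StringFieldSource` covers `JSONField`, `JsonbField` and `TextField` but not `CharField`, which upstream is the package's other string-valued field type with the same `Value`/`RawValue`/`String` accessors, so a varchar column read through it never becomes a stored-XSS source; if the vendored stub carries it, `["CharField", "JSONField", "JsonbField", "TextField"]` closes the gap. In `SeterSource`, `FunctionOutput::parameter(0)` marks only the first container argument, and since `RawSeter.QueryRow`/`QueryRows` take a variadic list of containers upstream, a second `&dst` passed to them would be missed — worth a case in `test.go` and, if confirmed, quantifying over the parameter index for those two methods. `Ormer.LoadRelated` also fills a caller-supplied struct from the database and is not modelled as a source, which looks like an omission of the same kind. Stylistically, none of the eight private classes has a QLDoc comment; a one-liner such as `/** A SQL query string passed to a method of orm.DB. */` on each would match the documented `packagePath` predicate above.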
@@ -0,0 +1,104 @@ +edges +| test.go:10:15:10:41 | call to UserAgent : string | test.go:12:11:12:19 | untrusted | +| test.go:10:15:10:41 | call to UserAgent : string | test.go:13:23:13:31 | untrusted | +| test.go:10:15:10:41 | call to UserAgent : string | test.go:14:14:14:22 | untrusted | +| test.go:10:15:10:41 | call to UserAgent : string | test.go:15:26:15:34 | untrusted | +| test.go:10:15:10:41 | call to UserAgent : string | test.go:16:12:16:20 | untrusted | +| test.go:10:15:10:41 | call to UserAgent : string | test.go:17:24:17:32 | untrusted | +| test.go:10:15:10:41 | call to UserAgent : string | test.go:18:15:18:23 | untrusted | +| test.go:10:15:10:41 | call to UserAgent : string | test.go:19:27:19:35 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:26:12:26:20 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:27:10:27:18 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:28:15:28:23 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:29:14:29:22 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:30:15:30:23 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:31:8:31:16 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:32:11:32:19 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:33:9:33:17 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:34:8:34:16 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:35:8:35:16 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:36:13:36:21 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:37:13:37:21 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:38:12:38:20 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:39:12:39:20 | untrusted | +| test.go:24:15:24:41 | call to UserAgent 
: string | test.go:40:9:40:17 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:41:12:41:20 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:42:16:42:24 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:42:27:42:35 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:43:12:43:20 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:44:14:44:22 | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | test.go:44:25:44:33 | untrusted | +| test.go:48:15:48:41 | call to UserAgent : string | test.go:49:12:49:20 | untrusted | +| test.go:54:15:54:41 | call to UserAgent : string | test.go:56:31:56:39 | untrusted | +| test.go:60:15:60:41 | call to UserAgent : string | test.go:62:19:62:27 | untrusted | +nodes +| test.go:10:15:10:41 | call to UserAgent : string | semmle.label | call to UserAgent : string | +| test.go:12:11:12:19 | untrusted | semmle.label | untrusted | +| test.go:13:23:13:31 | untrusted | semmle.label | untrusted | +| test.go:14:14:14:22 | untrusted | semmle.label | untrusted | +| test.go:15:26:15:34 | untrusted | semmle.label | untrusted | +| test.go:16:12:16:20 | untrusted | semmle.label | untrusted | +| test.go:17:24:17:32 | untrusted | semmle.label | untrusted | +| test.go:18:15:18:23 | untrusted | semmle.label | untrusted | +| test.go:19:27:19:35 | untrusted | semmle.label | untrusted | +| test.go:24:15:24:41 | call to UserAgent : string | semmle.label | call to UserAgent : string | +| test.go:26:12:26:20 | untrusted | semmle.label | untrusted | +| test.go:27:10:27:18 | untrusted | semmle.label | untrusted | +| test.go:28:15:28:23 | untrusted | semmle.label | untrusted | +| test.go:29:14:29:22 | untrusted | semmle.label | untrusted | +| test.go:30:15:30:23 | untrusted | semmle.label | untrusted | +| test.go:31:8:31:16 | untrusted | semmle.label | untrusted | +| test.go:32:11:32:19 | untrusted | semmle.label | untrusted | 
+| test.go:33:9:33:17 | untrusted | semmle.label | untrusted | +| test.go:34:8:34:16 | untrusted | semmle.label | untrusted | +| test.go:35:8:35:16 | untrusted | semmle.label | untrusted | +| test.go:36:13:36:21 | untrusted | semmle.label | untrusted | +| test.go:37:13:37:21 | untrusted | semmle.label | untrusted | +| test.go:38:12:38:20 | untrusted | semmle.label | untrusted | +| test.go:39:12:39:20 | untrusted | semmle.label | untrusted | +| test.go:40:9:40:17 | untrusted | semmle.label | untrusted | +| test.go:41:12:41:20 | untrusted | semmle.label | untrusted | +| test.go:42:16:42:24 | untrusted | semmle.label | untrusted | +| test.go:42:27:42:35 | untrusted | semmle.label | untrusted | +| test.go:43:12:43:20 | untrusted | semmle.label | untrusted | +| test.go:44:14:44:22 | untrusted | semmle.label | untrusted | +| test.go:44:25:44:33 | untrusted | semmle.label | untrusted | +| test.go:48:15:48:41 | call to UserAgent : string | semmle.label | call to UserAgent : string | +| test.go:49:12:49:20 | untrusted | semmle.label | untrusted | +| test.go:54:15:54:41 | call to UserAgent : string | semmle.label | call to UserAgent : string | +| test.go:56:31:56:39 | untrusted | semmle.label | untrusted | +| test.go:60:15:60:41 | call to UserAgent : string | semmle.label | call to UserAgent : string | +| test.go:62:19:62:27 | untrusted | semmle.label | untrusted | +#select +| test.go:12:11:12:19 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:12:11:12:19 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value | +| test.go:13:23:13:31 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:13:23:13:31 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value | +| test.go:14:14:14:22 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:14:14:14:22 | untrusted | This query depends on $@. 
| test.go:10:15:10:41 | call to UserAgent | a user-provided value | +| test.go:15:26:15:34 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:15:26:15:34 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value | +| test.go:16:12:16:20 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:16:12:16:20 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value | +| test.go:17:24:17:32 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:17:24:17:32 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value | +| test.go:18:15:18:23 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:18:15:18:23 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value | +| test.go:19:27:19:35 | untrusted | test.go:10:15:10:41 | call to UserAgent : string | test.go:19:27:19:35 | untrusted | This query depends on $@. | test.go:10:15:10:41 | call to UserAgent | a user-provided value | +| test.go:26:12:26:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:26:12:26:20 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:27:10:27:18 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:27:10:27:18 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:28:15:28:23 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:28:15:28:23 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:29:14:29:22 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:29:14:29:22 | untrusted | This query depends on $@. 
| test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:30:15:30:23 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:30:15:30:23 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:31:8:31:16 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:31:8:31:16 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:32:11:32:19 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:32:11:32:19 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:33:9:33:17 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:33:9:33:17 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:34:8:34:16 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:34:8:34:16 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:35:8:35:16 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:35:8:35:16 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:36:13:36:21 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:36:13:36:21 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:37:13:37:21 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:37:13:37:21 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:38:12:38:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:38:12:38:20 | untrusted | This query depends on $@. 
| test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:39:12:39:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:39:12:39:20 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:40:9:40:17 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:40:9:40:17 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:41:12:41:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:41:12:41:20 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:42:16:42:24 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:42:16:42:24 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:42:27:42:35 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:42:27:42:35 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:43:12:43:20 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:43:12:43:20 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:44:14:44:22 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:44:14:44:22 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:44:25:44:33 | untrusted | test.go:24:15:24:41 | call to UserAgent : string | test.go:44:25:44:33 | untrusted | This query depends on $@. | test.go:24:15:24:41 | call to UserAgent | a user-provided value | +| test.go:49:12:49:20 | untrusted | test.go:48:15:48:41 | call to UserAgent : string | test.go:49:12:49:20 | untrusted | This query depends on $@. 
| test.go:48:15:48:41 | call to UserAgent | a user-provided value | +| test.go:56:31:56:39 | untrusted | test.go:54:15:54:41 | call to UserAgent : string | test.go:56:31:56:39 | untrusted | This query depends on $@. | test.go:54:15:54:41 | call to UserAgent | a user-provided value | +| test.go:62:19:62:27 | untrusted | test.go:60:15:60:41 | call to UserAgent : string | test.go:62:19:62:27 | untrusted | This query depends on $@. | test.go:60:15:60:41 | call to UserAgent | a user-provided value | diff --git a/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref new file mode 100644 index 00000000000..d1d02cbe8d3 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref @@ -0,0 +1 @@ +Security/CWE-089/SqlInjection.ql diff --git a/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected new file mode 100644 index 00000000000..48e154c7d5a --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected 
@@ -0,0 +1,114 @@ +edges +| test.go:77:13:77:16 | &... : pointer type | test.go:78:13:78:29 | type conversion | +| test.go:77:13:77:16 | &... : pointer type | test.go:79:13:79:43 | type conversion | +| test.go:82:22:82:26 | &... : pointer type | test.go:83:13:83:30 | type conversion | +| test.go:86:21:86:25 | &... : pointer type | test.go:87:13:87:30 | type conversion | +| test.go:92:20:92:36 | call to Value : string | test.go:92:13:92:37 | type conversion | +| test.go:93:20:93:39 | call to RawValue : interface type | test.go:93:13:93:49 | type conversion | +| test.go:94:20:94:37 | call to String : string | test.go:94:13:94:38 | type conversion | +| test.go:95:20:95:36 | call to Value : string | test.go:95:13:95:37 | type conversion | +| test.go:96:20:96:39 | call to RawValue : interface type | test.go:96:13:96:49 | type conversion | +| test.go:97:20:97:37 | call to String : string | test.go:97:13:97:38 | type conversion | +| test.go:98:20:98:37 | call to Value : string | test.go:98:13:98:38 | type conversion | +| test.go:99:20:99:40 | call to RawValue : interface type | test.go:99:13:99:50 | type conversion | +| test.go:100:20:100:38 | call to String : string | test.go:100:13:100:39 | type conversion | +| test.go:106:9:106:13 | &... : pointer type | test.go:107:13:107:33 | type conversion | +| test.go:106:9:106:13 | &... : pointer type | test.go:107:20:107:26 | implicit dereference : MyStruct | +| test.go:107:20:107:26 | implicit dereference : MyStruct | test.go:107:13:107:33 | type conversion | +| test.go:107:20:107:26 | implicit dereference : MyStruct | test.go:107:20:107:26 | implicit dereference : MyStruct | +| test.go:110:9:110:12 | &... : pointer type | test.go:111:13:111:29 | type conversion | +| test.go:114:12:114:19 | &... : pointer type | test.go:115:13:115:48 | type conversion | +| test.go:118:16:118:24 | &... : pointer type | test.go:119:13:119:43 | type conversion | +| test.go:122:16:122:23 | &... 
: pointer type | test.go:123:13:123:39 | type conversion | +| test.go:126:15:126:24 | &... : pointer type | test.go:127:13:127:47 | type conversion | +| test.go:130:18:130:30 | &... : pointer type | test.go:131:13:131:38 | type conversion | +| test.go:137:12:137:19 | &... : pointer type | test.go:138:13:138:48 | type conversion | +| test.go:141:16:141:24 | &... : pointer type | test.go:142:13:142:43 | type conversion | +| test.go:145:16:145:23 | &... : pointer type | test.go:146:13:146:39 | type conversion | +| test.go:149:15:149:24 | &... : pointer type | test.go:150:13:150:47 | type conversion | +| test.go:153:18:153:30 | &... : pointer type | test.go:154:13:154:38 | type conversion | +| test.go:157:14:157:22 | &... : pointer type | test.go:158:13:158:28 | type conversion | +| test.go:161:15:161:24 | &... : pointer type | test.go:162:13:162:32 | type conversion | +nodes +| test.go:77:13:77:16 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:78:13:78:29 | type conversion | semmle.label | type conversion | +| test.go:79:13:79:43 | type conversion | semmle.label | type conversion | +| test.go:82:22:82:26 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:83:13:83:30 | type conversion | semmle.label | type conversion | +| test.go:86:21:86:25 | &... : pointer type | semmle.label | &... 
: pointer type | +| test.go:87:13:87:30 | type conversion | semmle.label | type conversion | +| test.go:92:13:92:37 | type conversion | semmle.label | type conversion | +| test.go:92:20:92:36 | call to Value : string | semmle.label | call to Value : string | +| test.go:93:13:93:49 | type conversion | semmle.label | type conversion | +| test.go:93:20:93:39 | call to RawValue : interface type | semmle.label | call to RawValue : interface type | +| test.go:94:13:94:38 | type conversion | semmle.label | type conversion | +| test.go:94:20:94:37 | call to String : string | semmle.label | call to String : string | +| test.go:95:13:95:37 | type conversion | semmle.label | type conversion | +| test.go:95:20:95:36 | call to Value : string | semmle.label | call to Value : string | +| test.go:96:13:96:49 | type conversion | semmle.label | type conversion | +| test.go:96:20:96:39 | call to RawValue : interface type | semmle.label | call to RawValue : interface type | +| test.go:97:13:97:38 | type conversion | semmle.label | type conversion | +| test.go:97:20:97:37 | call to String : string | semmle.label | call to String : string | +| test.go:98:13:98:38 | type conversion | semmle.label | type conversion | +| test.go:98:20:98:37 | call to Value : string | semmle.label | call to Value : string | +| test.go:99:13:99:50 | type conversion | semmle.label | type conversion | +| test.go:99:20:99:40 | call to RawValue : interface type | semmle.label | call to RawValue : interface type | +| test.go:100:13:100:39 | type conversion | semmle.label | type conversion | +| test.go:100:20:100:38 | call to String : string | semmle.label | call to String : string | +| test.go:106:9:106:13 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:107:13:107:33 | type conversion | semmle.label | type conversion | +| test.go:107:20:107:26 | implicit dereference : MyStruct | semmle.label | implicit dereference : MyStruct | +| test.go:110:9:110:12 | &... 
: pointer type | semmle.label | &... : pointer type | +| test.go:111:13:111:29 | type conversion | semmle.label | type conversion | +| test.go:114:12:114:19 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:115:13:115:48 | type conversion | semmle.label | type conversion | +| test.go:118:16:118:24 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:119:13:119:43 | type conversion | semmle.label | type conversion | +| test.go:122:16:122:23 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:123:13:123:39 | type conversion | semmle.label | type conversion | +| test.go:126:15:126:24 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:127:13:127:47 | type conversion | semmle.label | type conversion | +| test.go:130:18:130:30 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:131:13:131:38 | type conversion | semmle.label | type conversion | +| test.go:137:12:137:19 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:138:13:138:48 | type conversion | semmle.label | type conversion | +| test.go:141:16:141:24 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:142:13:142:43 | type conversion | semmle.label | type conversion | +| test.go:145:16:145:23 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:146:13:146:39 | type conversion | semmle.label | type conversion | +| test.go:149:15:149:24 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:150:13:150:47 | type conversion | semmle.label | type conversion | +| test.go:153:18:153:30 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:154:13:154:38 | type conversion | semmle.label | type conversion | +| test.go:157:14:157:22 | &... : pointer type | semmle.label | &... : pointer type | +| test.go:158:13:158:28 | type conversion | semmle.label | type conversion | +| test.go:161:15:161:24 | &... 
: pointer type | semmle.label | &... : pointer type | +| test.go:162:13:162:32 | type conversion | semmle.label | type conversion | +#select +| test.go:78:13:78:29 | type conversion | test.go:77:13:77:16 | &... : pointer type | test.go:78:13:78:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:77:13:77:16 | &... | stored value | +| test.go:79:13:79:43 | type conversion | test.go:77:13:77:16 | &... : pointer type | test.go:79:13:79:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:77:13:77:16 | &... | stored value | +| test.go:83:13:83:30 | type conversion | test.go:82:22:82:26 | &... : pointer type | test.go:83:13:83:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:82:22:82:26 | &... | stored value | +| test.go:87:13:87:30 | type conversion | test.go:86:21:86:25 | &... : pointer type | test.go:87:13:87:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:86:21:86:25 | &... | stored value | +| test.go:92:13:92:37 | type conversion | test.go:92:20:92:36 | call to Value : string | test.go:92:13:92:37 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:92:20:92:36 | call to Value | stored value | +| test.go:93:13:93:49 | type conversion | test.go:93:20:93:39 | call to RawValue : interface type | test.go:93:13:93:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:93:20:93:39 | call to RawValue | stored value | +| test.go:94:13:94:38 | type conversion | test.go:94:20:94:37 | call to String : string | test.go:94:13:94:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:94:20:94:37 | call to String | stored value | +| test.go:95:13:95:37 | type conversion | test.go:95:20:95:36 | call to Value : string | test.go:95:13:95:37 | type conversion | Stored cross-site scripting vulnerability due to $@. 
| test.go:95:20:95:36 | call to Value | stored value | +| test.go:96:13:96:49 | type conversion | test.go:96:20:96:39 | call to RawValue : interface type | test.go:96:13:96:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:96:20:96:39 | call to RawValue | stored value | +| test.go:97:13:97:38 | type conversion | test.go:97:20:97:37 | call to String : string | test.go:97:13:97:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:97:20:97:37 | call to String | stored value | +| test.go:98:13:98:38 | type conversion | test.go:98:20:98:37 | call to Value : string | test.go:98:13:98:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:98:20:98:37 | call to Value | stored value | +| test.go:99:13:99:50 | type conversion | test.go:99:20:99:40 | call to RawValue : interface type | test.go:99:13:99:50 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:99:20:99:40 | call to RawValue | stored value | +| test.go:100:13:100:39 | type conversion | test.go:100:20:100:38 | call to String : string | test.go:100:13:100:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:100:20:100:38 | call to String | stored value | +| test.go:107:13:107:33 | type conversion | test.go:106:9:106:13 | &... : pointer type | test.go:107:13:107:33 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:106:9:106:13 | &... | stored value | +| test.go:111:13:111:29 | type conversion | test.go:110:9:110:12 | &... : pointer type | test.go:111:13:111:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:110:9:110:12 | &... | stored value | +| test.go:115:13:115:48 | type conversion | test.go:114:12:114:19 | &... : pointer type | test.go:115:13:115:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:114:12:114:19 | &... 
| stored value | +| test.go:119:13:119:43 | type conversion | test.go:118:16:118:24 | &... : pointer type | test.go:119:13:119:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:118:16:118:24 | &... | stored value | +| test.go:123:13:123:39 | type conversion | test.go:122:16:122:23 | &... : pointer type | test.go:123:13:123:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:122:16:122:23 | &... | stored value | +| test.go:127:13:127:47 | type conversion | test.go:126:15:126:24 | &... : pointer type | test.go:127:13:127:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:126:15:126:24 | &... | stored value | +| test.go:131:13:131:38 | type conversion | test.go:130:18:130:30 | &... : pointer type | test.go:131:13:131:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:130:18:130:30 | &... | stored value | +| test.go:138:13:138:48 | type conversion | test.go:137:12:137:19 | &... : pointer type | test.go:138:13:138:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:137:12:137:19 | &... | stored value | +| test.go:142:13:142:43 | type conversion | test.go:141:16:141:24 | &... : pointer type | test.go:142:13:142:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:141:16:141:24 | &... | stored value | +| test.go:146:13:146:39 | type conversion | test.go:145:16:145:23 | &... : pointer type | test.go:146:13:146:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:145:16:145:23 | &... | stored value | +| test.go:150:13:150:47 | type conversion | test.go:149:15:149:24 | &... : pointer type | test.go:150:13:150:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:149:15:149:24 | &... | stored value | +| test.go:154:13:154:38 | type conversion | test.go:153:18:153:30 | &... 
: pointer type | test.go:154:13:154:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:153:18:153:30 | &... | stored value | +| test.go:158:13:158:28 | type conversion | test.go:157:14:157:22 | &... : pointer type | test.go:158:13:158:28 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:157:14:157:22 | &... | stored value | +| test.go:162:13:162:32 | type conversion | test.go:161:15:161:24 | &... : pointer type | test.go:162:13:162:32 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:161:15:161:24 | &... | stored value | diff --git a/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref new file mode 100644 index 00000000000..1ab28863211 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref @@ -0,0 +1 @@ +Security/CWE-079/StoredXss.ql diff --git a/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/go.mod b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/go.mod new file mode 100644 index 00000000000..796f225a4f8 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/go.mod @@ -0,0 +1,5 @@ +module test/beego + +go 1.14 + +require github.com/astaxie/beego v1.12.3 diff --git a/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go new file mode 100644 index 00000000000..6e590a12276 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go 
@@ -0,0 +1,163 @@
+package test
+
+import (
+ "github.com/astaxie/beego/orm"
+ "net/http"
+)
+
+// BAD: using untrusted data in SQL queries
+func testDbMethods(bdb *orm.DB, untrustedSource *http.Request) {
+ untrusted := untrustedSource.UserAgent()
+
+ bdb.Exec(untrusted)
+ bdb.ExecContext(nil, untrusted)
+ bdb.Prepare(untrusted)
+ bdb.PrepareContext(nil, untrusted)
+ bdb.Query(untrusted)
+ bdb.QueryContext(nil, untrusted)
+ bdb.QueryRow(untrusted)
+ bdb.QueryRowContext(nil, untrusted)
+}
+
+// BAD: using untrusted data to build SQL queries (QueryBuilder does not sanitize its arguments)
+func testQueryBuilderMethods(qb orm.QueryBuilder, untrustedSource *http.Request) {
+ untrusted := untrustedSource.UserAgent()
+
+ qb.Select(untrusted)
+ qb.From(untrusted)
+ qb.InnerJoin(untrusted)
+ qb.LeftJoin(untrusted)
+ qb.RightJoin(untrusted)
+ qb.On(untrusted)
+ qb.Where(untrusted)
+ qb.And(untrusted)
+ qb.Or(untrusted)
+ qb.In(untrusted)
+ qb.OrderBy(untrusted)
+ qb.GroupBy(untrusted)
+ qb.Having(untrusted)
+ qb.Update(untrusted)
+ qb.Set(untrusted)
+ qb.Delete(untrusted)
+ qb.InsertInto(untrusted, untrusted)
+ qb.Values(untrusted)
+ qb.Subquery(untrusted, untrusted)
+}
+
+func testOrmerRaw(ormer orm.Ormer, untrustedSource *http.Request) {
+ untrusted := untrustedSource.UserAgent()
+ ormer.Raw(untrusted) // BAD: using an untrusted string as a query
+ ormer.Raw("FROM ? SELECT ?", untrusted, untrusted) // GOOD: untrusted string used in argument context
+}
+
+func testFilterRaw(querySeter orm.QuerySeter, untrustedSource *http.Request) {
+ untrusted := untrustedSource.UserAgent()
+ querySeter.FilterRaw(untrusted, "safe") // GOOD: untrusted used as a column name
+ querySeter.FilterRaw("safe", untrusted) // BAD: untrusted used as a SQL fragment
+}
+
+func testConditionRaw(cond orm.Condition, untrustedSource *http.Request) {
+ untrusted := untrustedSource.UserAgent()
+ cond.Raw(untrusted, "safe") // GOOD: untrusted used as a column name
+ cond.Raw("safe", untrusted) // BAD: untrusted used as a SQL fragment
+}
+
+type SubStruct struct {
+ field string
+}
+
+type MyStruct struct {
+ field string
+ substructs []SubStruct
+}
+
+// BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
+func testOrmerReads(ormer orm.Ormer, sink http.ResponseWriter) {
+ obj := MyStruct{}
+ ormer.Read(&obj)
+ sink.Write([]byte(obj.field))
+ sink.Write([]byte(obj.substructs[0].field))
+
+ obj2 := MyStruct{}
+ ormer.ReadForUpdate(&obj2)
+ sink.Write([]byte(obj2.field))
+
+ obj3 := MyStruct{}
+ ormer.ReadOrCreate(&obj3, "arg")
+ sink.Write([]byte(obj3.field))
+}
+
+// BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
+func testFieldReads(textField *orm.TextField, jsonField *orm.JSONField, jsonbField *orm.JsonbField, sink http.ResponseWriter) {
+ sink.Write([]byte(textField.Value()))
+ sink.Write([]byte(textField.RawValue().(string)))
+ sink.Write([]byte(textField.String()))
+ sink.Write([]byte(jsonField.Value()))
+ sink.Write([]byte(jsonField.RawValue().(string)))
+ sink.Write([]byte(jsonField.String()))
+ sink.Write([]byte(jsonbField.Value()))
+ sink.Write([]byte(jsonbField.RawValue().(string)))
+ sink.Write([]byte(jsonbField.String()))
+}
+
+// BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
+func testQuerySeterReads(qs orm.QuerySeter, sink http.ResponseWriter) {
+ var objs []*MyStruct
+ qs.All(&objs)
+ sink.Write([]byte(objs[0].field))
+
+ var obj MyStruct
+ qs.One(&obj)
+ sink.Write([]byte(obj.field))
+
+ var allMaps []orm.Params
+ qs.Values(&allMaps)
+ sink.Write([]byte(allMaps[0]["field"].(string)))
+
+ var allLists []orm.ParamsList
+ qs.ValuesList(&allLists)
+ sink.Write([]byte(allLists[0][0].(string)))
+
+ var oneList orm.ParamsList
+ qs.ValuesFlat(&oneList, "colname")
+ sink.Write([]byte(oneList[0].(string)))
+
+ var oneRowMap orm.Params
+ qs.RowsToMap(&oneRowMap, "key", "value")
+ sink.Write([]byte(oneRowMap["field"].(string)))
+
+ var oneRowStruct MyStruct
+ qs.RowsToStruct(&oneRowStruct, "key", "value")
+ sink.Write([]byte(oneRowStruct.field))
+}
+
+// BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
+func testRawSeterReads(rs orm.RawSeter, sink http.ResponseWriter) {
+ var allMaps []orm.Params
+ rs.Values(&allMaps)
+ sink.Write([]byte(allMaps[0]["field"].(string)))
+
+ var allLists []orm.ParamsList
+ rs.ValuesList(&allLists)
+ sink.Write([]byte(allLists[0][0].(string)))
+
+ var oneList orm.ParamsList
+ rs.ValuesFlat(&oneList, "colname")
+ sink.Write([]byte(oneList[0].(string)))
+
+ var oneRowMap orm.Params
+ rs.RowsToMap(&oneRowMap, "key", "value")
+ sink.Write([]byte(oneRowMap["field"].(string)))
+
+ var oneRowStruct MyStruct
+ rs.RowsToStruct(&oneRowStruct, "key", "value")
+ sink.Write([]byte(oneRowStruct.field))
+
+ var strField string
+ rs.QueryRow(&strField)
+ sink.Write([]byte(strField))
+
+ var strFields []string
+ rs.QueryRows(&strFields)
+ sink.Write([]byte(strFields[0]))
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/github.com/astaxie/beego/orm/stub.go b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/github.com/astaxie/beego/orm/stub.go
new file mode 100644
index 00000000000..a6da198a05c
--- /dev/null
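Review bot: The `// GOOD: untrusted used as a column name` comments in testFilterRaw and testConditionRaw do not say why a request-controlled first argument to FilterRaw/Condition.Raw is not a SQL sink, so the test reads as if a column name were harmless by definition, which is not true of an ORM that interpolates it. Presumably the reason is that beego treats that argument as a field expression resolved against the registered model rather than as SQL text; the comment should state that assumption so a future change to the model does not silently widen or narrow the expectation, e.g. `// GOOD: first argument is a field expression that beego resolves against the model, not raw SQL`. The same wording applies to the matching comment in testConditionRaw.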
+++ b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/github.com/astaxie/beego/orm/stub.go 
@@ -0,0 +1,311 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/astaxie/beego/orm, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/astaxie/beego/orm (exports: DB,QueryBuilder,Ormer,QuerySeter,Condition,Fielder,RawSeter,JSONField,JsonbField,TextField; functions: ) + +// Package orm is a stub of github.com/astaxie/beego/orm, generated by depstubber. +package orm + +import ( + context "context" + sql "database/sql" + sync "sync" +) + +type Condition struct{} + +func (_ Condition) And(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) AndNot(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) Or(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) OrNot(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) Raw(_ string, _ string) *Condition { + return nil +} + +func (_ *Condition) AndCond(_ *Condition) *Condition { + return nil +} + +func (_ *Condition) AndNotCond(_ *Condition) *Condition { + return nil +} + +func (_ *Condition) IsEmpty() bool { + return false +} + +func (_ *Condition) OrCond(_ *Condition) *Condition { + return nil +} + +func (_ *Condition) OrNotCond(_ *Condition) *Condition { + return nil +} + +type DB struct { + RWMutex *sync.RWMutex + DB *sql.DB +} + +func (_ DB) Lock() {} + +func (_ DB) RLock() {} + +func (_ DB) RLocker() sync.Locker { + return nil +} + +func (_ DB) RUnlock() {} + +func (_ DB) Unlock() {} + +func (_ *DB) Begin() (*sql.Tx, error) { + return nil, nil +} + +func (_ *DB) BeginTx(_ context.Context, _ *sql.TxOptions) (*sql.Tx, error) { + return nil, nil +} + +func (_ *DB) Exec(_ string, _ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *DB) ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *DB) Prepare(_ string) 
(*sql.Stmt, error) { + return nil, nil +} + +func (_ *DB) PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) { + return nil, nil +} + +func (_ *DB) Query(_ string, _ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ *DB) QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ *DB) QueryRow(_ string, _ ...interface{}) *sql.Row { + return nil +} + +func (_ *DB) QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row { + return nil +} + +type Driver interface { + Name() string + Type() DriverType +} + +type DriverType int + +type Fielder interface { + FieldType() int + RawValue() interface{} + SetRaw(_ interface{}) error + String() string +} + +type Inserter interface { + Close() error + Insert(_ interface{}) (int64, error) +} + +type JSONField string + +func (_ JSONField) Value() string { + return "" +} + +func (_ *JSONField) FieldType() int { + return 0 +} + +func (_ *JSONField) RawValue() interface{} { + return nil +} + +func (_ *JSONField) Set(_ string) {} + +func (_ *JSONField) SetRaw(_ interface{}) error { + return nil +} + +func (_ *JSONField) String() string { + return "" +} + +type JsonbField string + +func (_ JsonbField) Value() string { + return "" +} + +func (_ *JsonbField) FieldType() int { + return 0 +} + +func (_ *JsonbField) RawValue() interface{} { + return nil +} + +func (_ *JsonbField) Set(_ string) {} + +func (_ *JsonbField) SetRaw(_ interface{}) error { + return nil +} + +func (_ *JsonbField) String() string { + return "" +} + +type Ormer interface { + Begin() error + BeginTx(_ context.Context, _ *sql.TxOptions) error + Commit() error + DBStats() *sql.DBStats + Delete(_ interface{}, _ ...string) (int64, error) + Driver() Driver + Insert(_ interface{}) (int64, error) + InsertMulti(_ int, _ interface{}) (int64, error) + InsertOrUpdate(_ interface{}, _ ...string) (int64, error) + LoadRelated(_ interface{}, _ string, _ ...interface{}) (int64, error) 
+ QueryM2M(_ interface{}, _ string) QueryM2Mer + QueryTable(_ interface{}) QuerySeter + Raw(_ string, _ ...interface{}) RawSeter + Read(_ interface{}, _ ...string) error + ReadForUpdate(_ interface{}, _ ...string) error + ReadOrCreate(_ interface{}, _ string, _ ...string) (bool, int64, error) + Rollback() error + Update(_ interface{}, _ ...string) (int64, error) + Using(_ string) error +} + +type Params map[string]interface{} + +type ParamsList []interface{} + +type QueryBuilder interface { + And(_ string) QueryBuilder + Asc() QueryBuilder + Delete(_ ...string) QueryBuilder + Desc() QueryBuilder + ForUpdate() QueryBuilder + From(_ ...string) QueryBuilder + GroupBy(_ ...string) QueryBuilder + Having(_ string) QueryBuilder + In(_ ...string) QueryBuilder + InnerJoin(_ string) QueryBuilder + InsertInto(_ string, _ ...string) QueryBuilder + LeftJoin(_ string) QueryBuilder + Limit(_ int) QueryBuilder + Offset(_ int) QueryBuilder + On(_ string) QueryBuilder + Or(_ string) QueryBuilder + OrderBy(_ ...string) QueryBuilder + RightJoin(_ string) QueryBuilder + Select(_ ...string) QueryBuilder + Set(_ ...string) QueryBuilder + String() string + Subquery(_ string, _ string) string + Update(_ ...string) QueryBuilder + Values(_ ...string) QueryBuilder + Where(_ string) QueryBuilder +} + +type QueryM2Mer interface { + Add(_ ...interface{}) (int64, error) + Clear() (int64, error) + Count() (int64, error) + Exist(_ interface{}) bool + Remove(_ ...interface{}) (int64, error) +} + +type QuerySeter interface { + All(_ interface{}, _ ...string) (int64, error) + Count() (int64, error) + Delete() (int64, error) + Distinct() QuerySeter + Exclude(_ string, _ ...interface{}) QuerySeter + Exist() bool + Filter(_ string, _ ...interface{}) QuerySeter + FilterRaw(_ string, _ string) QuerySeter + ForUpdate() QuerySeter + GetCond() *Condition + GroupBy(_ ...string) QuerySeter + Limit(_ interface{}, _ ...interface{}) QuerySeter + Offset(_ interface{}) QuerySeter + One(_ interface{}, _ ...string) 
error + OrderBy(_ ...string) QuerySeter + PrepareInsert() (Inserter, error) + RelatedSel(_ ...interface{}) QuerySeter + RowsToMap(_ *Params, _ string, _ string) (int64, error) + RowsToStruct(_ interface{}, _ string, _ string) (int64, error) + SetCond(_ *Condition) QuerySeter + Update(_ Params) (int64, error) + Values(_ *[]Params, _ ...string) (int64, error) + ValuesFlat(_ *ParamsList, _ string) (int64, error) + ValuesList(_ *[]ParamsList, _ ...string) (int64, error) +} + +type RawPreparer interface { + Close() error + Exec(_ ...interface{}) (sql.Result, error) +} + +type RawSeter interface { + Exec() (sql.Result, error) + Prepare() (RawPreparer, error) + QueryRow(_ ...interface{}) error + QueryRows(_ ...interface{}) (int64, error) + RowsToMap(_ *Params, _ string, _ string) (int64, error) + RowsToStruct(_ interface{}, _ string, _ string) (int64, error) + SetArgs(_ ...interface{}) RawSeter + Values(_ *[]Params, _ ...string) (int64, error) + ValuesFlat(_ *ParamsList, _ ...string) (int64, error) + ValuesList(_ *[]ParamsList, _ ...string) (int64, error) +} + +type TextField string + +func (_ TextField) Value() string { + return "" +} + +func (_ *TextField) FieldType() int { + return 0 +} + +func (_ *TextField) RawValue() interface{} { + return nil +} + +func (_ *TextField) Set(_ string) {} + +func (_ *TextField) SetRaw(_ interface{}) error { + return nil +} + +func (_ *TextField) String() string { + return "" +} diff --git a/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/modules.txt new file mode 100644 index 00000000000..864abfe6c70 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/vendor/modules.txt @@ -0,0 +1,3 @@ +# github.com/astaxie/beego v1.12.3 +## explicit +github.com/astaxie/beego