Add Where method of squirrel sql builders to query range

2026-01-30 06:42:57 +01:00 · 2021-11-22 21:43:31 +05:30
parent 4cae4b23fc
commit aeaa861fc6
2 changed files with 4 additions and 2 deletions
--- a/ql/lib/semmle/go/frameworks/SQL.qll
+++ b/ql/lib/semmle/go/frameworks/SQL.qll
@@ -88,10 +88,11 @@ module SQL {
            // first argument to `squirrel.Expr`
            fn.hasQualifiedName(sq, "Expr")
            or
-            // first argument to the `Prefix` or `Suffix` method of one of the `*Builder` classes
+            // first argument to the `Prefix`, `Suffix` or `Where` method of one of the `*Builder` classes
            exists(string builder | builder.matches("%Builder") |
              fn.(Method).hasQualifiedName(sq, builder, "Prefix") or
-              fn.(Method).hasQualifiedName(sq, builder, "Suffix")
+              fn.(Method).hasQualifiedName(sq, builder, "Suffix") or
+              fn.(Method).hasQualifiedName(sq, builder, "Where")
            )
          ) and
          this = fn.getACall().getArgument(0) and
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
@@ -44,6 +44,7 @@ func test(db *sql.DB, ctx context.Context) {

 func squirrelTest(querypart string) {
 	squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $ querystring=querypart
+	squirrel.Select("*").From("users").Where(querypart)                // $ querystring=querypart
 	squirrel.Select("*").From("users").Suffix(querypart)               // $ querystring=querypart
 }