From aeaa861fc6f06f46a282373bccc6da627aa54e72 Mon Sep 17 00:00:00 2001
From: tunnelshade
Date: Mon, 22 Nov 2021 21:43:31 +0530
Subject: [PATCH] Add `Where` method of squirrel sql builders to query range

---
 ql/lib/semmle/go/frameworks/SQL.qll                    | 5 +++--
 ql/test/library-tests/semmle/go/frameworks/SQL/main.go | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ql/lib/semmle/go/frameworks/SQL.qll b/ql/lib/semmle/go/frameworks/SQL.qll
index b8c51750b8f..9f01d4c7b91 100644
--- a/ql/lib/semmle/go/frameworks/SQL.qll
+++ b/ql/lib/semmle/go/frameworks/SQL.qll
@@ -88,10 +88,11 @@ module SQL {
       // first argument to `squirrel.Expr`
       fn.hasQualifiedName(sq, "Expr")
       or
-      // first argument to the `Prefix` or `Suffix` method of one of the `*Builder` classes
+      // first argument to the `Prefix`, `Suffix` or `Where` method of one of the `*Builder` classes
       exists(string builder | builder.matches("%Builder") |
         fn.(Method).hasQualifiedName(sq, builder, "Prefix") or
-        fn.(Method).hasQualifiedName(sq, builder, "Suffix")
+        fn.(Method).hasQualifiedName(sq, builder, "Suffix") or
+        fn.(Method).hasQualifiedName(sq, builder, "Where")
       )
     ) and
     this = fn.getACall().getArgument(0) and
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
index f1597f3c123..fa05b5b698f 100644
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
@@ -44,6 +44,7 @@ func test(db *sql.DB, ctx context.Context) {
 
 func squirrelTest(querypart string) {
 	squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $ querystring=querypart
+	squirrel.Select("*").From("users").Where(querypart) // $ querystring=querypart
 	squirrel.Select("*").From("users").Suffix(querypart) // $ querystring=querypart
 }
 
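Review bot: The added `Where` disjunct marks argument 0 as a query string whatever its type, but squirrel's `Where(pred interface{}, args ...interface{})` also accepts `Sqlizer` values and map forms such as `squirrel.Eq{"id": id}` whose values are bound as placeholders, so a tainted `Eq` literal would presumably now be reported as a raw-SQL sink even though it is parameterized. If that is not intended, narrow the new case to string-typed arguments, e.g. `fn.(Method).hasQualifiedName(sq, builder, "Where") and this.getType().getUnderlyingType() instanceof StringType`, and note in the comment that `Prefix`/`Suffix` take only strings while `Where` does not. Sibling builder methods that also splice raw strings into the statement (`OrderBy`, `Having`, `Join`, `From`) remain unmodeled, though that is beyond this hunk. The enclosing predicate begins and ends outside the hunk.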
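Review bot: The new test line pins only the plain-string form of `Where`, so the model's behaviour for the other argument shapes squirrel accepts is left unasserted. Adding `squirrel.Select("*").From("users").Where(squirrel.Eq{"name": querypart})` and `squirrel.Select("*").From("users").Where("name = ?", querypart)` with whatever `$ querystring` expectation is intended would make the placeholder-bound cases explicit; as I read the model, only the first argument is a query string, so the bound `querypart` in the second case should carry no annotation. `squirrelTest` is contained entirely within this hunk.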