Revert "database/sql summary models for Row types"

This reverts commit 80ad349a48.
2025-12-17 01:03:14 +01:00 · 2025-01-07 21:08:43 -05:00
parent 0258ce70a4
commit ca1e9d7c75
3 changed files with 20 additions and 3 deletions
--- a/go/ql/lib/ext/database.sql.driver.model.yml
+++ b/go/ql/lib/ext/database.sql.driver.model.yml
@@ -23,6 +23,5 @@ extensions:
    data:
      - ["database/sql/driver", "Conn", True, "Prepare", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
      - ["database/sql/driver", "ConnPrepareContext", True, "PrepareContext", "", "", "Argument[1]", "ReturnValue[0]", "taint", "manual"]
-      - ["database/sql/driver", "Rows", True, "Next", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
      - ["database/sql/driver", "ValueConverter", True, "ConvertValue", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
      - ["database/sql/driver", "Valuer", True, "Value", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
--- a/go/ql/lib/ext/database.sql.model.yml
+++ b/go/ql/lib/ext/database.sql.model.yml
@@ -53,8 +53,6 @@ extensions:
      - ["database/sql", "Conn", True, "PrepareContext", "", "", "Argument[1]", "ReturnValue[0]", "taint", "manual"]
      - ["database/sql", "DB", True, "Prepare", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
      - ["database/sql", "DB", True, "PrepareContext", "", "", "Argument[1]", "ReturnValue[0]", "taint", "manual"]
-      - ["database/sql", "Row", True, "Scan", "", "", "Argument[receiver]", "Argument[0].ArrayElement", "taint", "manual"]
-      - ["database/sql", "Rows", True, "Scan", "", "", "Argument[receiver]", "Argument[0].ArrayElement", "taint", "manual"]
      - ["database/sql", "Scanner", True, "Scan", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]
      - ["database/sql", "Tx", True, "Prepare", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
      - ["database/sql", "Tx", True, "PrepareContext", "", "", "Argument[1]", "ReturnValue[0]", "taint", "manual"]
--- a/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
@@ -66,4 +66,24 @@ module DatabaseSql {
      result = this.getReceiver().getAPredecessor*().(DataFlow::MethodCallNode).getAnArgument()
    }
  }
+
+  // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet.
+  private class SqlMethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    SqlMethodModels() {
+      // signature: func (*Row) Scan(dest ...interface{}) error
+      this.hasQualifiedName("database/sql", "Row", "Scan") and
+      (inp.isReceiver() and outp.isParameter(_))
+      or
+      // signature: func (*Rows) Scan(dest ...interface{}) error
+      this.hasQualifiedName("database/sql", "Rows", "Scan") and
+      (inp.isReceiver() and outp.isParameter(_))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
 }