Add tests for SQL framework

2026-01-30 06:42:57 +01:00 · 2020-11-10 23:58:15 -08:00
parent 30b17d9762
commit d517125507
4 changed files with 104 additions and 77 deletions
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.expected
@@ -1,37 +0,0 @@
-| main.go:13:10:13:14 | query |
-| main.go:14:22:14:26 | query |
-| main.go:15:13:15:17 | query |
-| main.go:16:25:16:29 | query |
-| main.go:17:11:17:15 | query |
-| main.go:18:23:18:27 | query |
-| main.go:19:14:19:18 | query |
-| main.go:20:26:20:30 | query |
-| main.go:24:57:24:65 | querypart |
-| main.go:25:44:25:52 | querypart |
-| main.go:29:10:29:14 | query |
-| main.go:30:22:30:26 | query |
-| main.go:31:13:31:17 | query |
-| main.go:32:25:32:29 | query |
-| main.go:33:11:33:15 | query |
-| main.go:34:23:34:27 | query |
-| main.go:35:14:35:18 | query |
-| main.go:36:26:36:30 | query |
-| pg.go:14:7:14:11 | query |
-| pg.go:16:24:16:28 | query |
-| pg.go:17:15:17:19 | query |
-| pg.go:18:22:18:26 | query |
-| pg.go:19:13:19:17 | query |
-| pg.go:20:22:20:26 | query |
-| pg.go:21:13:21:17 | query |
-| pg.go:26:10:26:14 | query |
-| pg.go:27:15:27:19 | query |
-| pg.go:28:13:28:17 | query |
-| pg.go:29:13:29:17 | query |
-| pg.go:32:8:32:12 | query |
-| pg.go:33:15:33:19 | query |
-| pg.go:34:8:34:12 | query |
-| pg.go:36:19:36:23 | query |
-| pg.go:37:11:37:15 | query |
-| pg.go:38:10:38:14 | query |
-| pg.go:39:17:39:21 | query |
-| pg.go:40:12:40:16 | query |
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.ql
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.ql
@@ -1,4 +1,33 @@
 import go
+import TestUtilities.InlineExpectationsTest

-from SQL::QueryString qs
-select qs
+class SQLTest extends InlineExpectationsTest {
+  SQLTest() { this = "SQLTest" }
+
+  override string getARelevantTag() { result = "query" }
+
+  override predicate hasActualResult(string file, int line, string element, string tag, string value) {
+    tag = "query" and
+    exists(SQL::Query q, SQL::QueryString qs, string qsFile, int qsLine | qs = q.getAQueryString() |
+      q.hasLocationInfo(file, line, _, _, _) and
+      qs.hasLocationInfo(qsFile, qsLine, _, _, _) and
+      element = q.toString() and
+      value = qs.toString()
+    )
+  }
+}
+
+class QueryString extends InlineExpectationsTest {
+  QueryString() { this = "QueryString no Query" }
+
+  override string getARelevantTag() { result = "querystring" }
+
+  override predicate hasActualResult(string file, int line, string element, string tag, string value) {
+    tag = "querystring" and
+    element = "" and
+    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
+      qs.hasLocationInfo(file, line, _, _, _) and
+      value = qs.toString()
+    )
+  }
+}
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
@@ -9,31 +9,66 @@ import (
 	"github.com/Masterminds/squirrel"
 )

-func test(db *sql.DB, query string, ctx context.Context) {
-	db.Exec(query)
-	db.ExecContext(ctx, query)
-	db.Prepare(query)
-	db.PrepareContext(ctx, query)
-	db.Query(query)
-	db.QueryContext(ctx, query)
-	db.QueryRow(query)
-	db.QueryRowContext(ctx, query)
+var (
+	query1  string
+	query2  string
+	query3  string
+	query4  string
+	query5  string
+	query6  string
+	query7  string
+	query8  string
+	query11 string
+	query12 string
+	query13 string
+	query14 string
+	query15 string
+	query16 string
+	query17 string
+	query18 string
+	query21 string
+	query22 string
+	query23 string
+)
+
+func test(db *sql.DB, ctx context.Context) {
+	db.Exec(query1)                 // $query=query1
+	db.ExecContext(ctx, query2)     // $query=query2
+	db.Prepare(query3)              // $querystring=query3
+	db.PrepareContext(ctx, query4)  // $querystring=query4
+	db.Query(query5)                // $query=query5
+	db.QueryContext(ctx, query6)    // $query=query6
+	db.QueryRow(query7)             // $query=query7
+	db.QueryRowContext(ctx, query8) // $query=query8
 }

 func squirrelTest(querypart string) {
-	squirrel.Select("*").From("users").Where(squirrel.Expr(querypart))
-	squirrel.Select("*").From("users").Suffix(querypart)
+	squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $querystring=querypart
+	squirrel.Select("*").From("users").Suffix(querypart)               // $querystring=querypart
 }

 func test2(tx *sql.Tx, query string, ctx context.Context) {
-	tx.Exec(query)
-	tx.ExecContext(ctx, query)
-	tx.Prepare(query)
-	tx.PrepareContext(ctx, query)
-	tx.Query(query)
-	tx.QueryContext(ctx, query)
-	tx.QueryRow(query)
-	tx.QueryRowContext(ctx, query)
+	tx.Exec(query11)                 // $query=query11
+	tx.ExecContext(ctx, query12)     // $query=query12
+	tx.Prepare(query13)              // $querystring=query13
+	tx.PrepareContext(ctx, query14)  // $querystring=query14
+	tx.Query(query15)                // $query=query15
+	tx.QueryContext(ctx, query16)    // $query=query16
+	tx.QueryRow(query17)             // $query=query17
+	tx.QueryRowContext(ctx, query18) // $query=query18
+}
+
+func test3(db *sql.DB, ctx context.Context) {
+	stmt1, _ := db.Prepare(query21)             // $f+:querystring=query21
+	stmt1.Exec()                                // $f-:query=query21
+	stmt2, _ := db.PrepareContext(ctx, query22) // $f+:querystring=query22
+	stmt2.ExecContext(ctx)                      // $f-:query=query22
+	stmt3, _ := db.Prepare(query23)             // $f+:querystring=query23
+	runQuery(stmt3)
+}
+
+func runQuery(stmt *sql.Stmt) {
+	stmt.Exec() // $f-:query=query23
 }

 func main() {}
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go
@@ -11,31 +11,31 @@ import (
 )

 func pgtest(query string, conn pg.Conn, db pg.DB, tx pg.Tx) {
-	pg.Q(query)
+	pg.Q(query) // $querystring=query
 	var dst []byte
-	conn.FormatQuery(dst, query)
-	conn.Prepare(query)
-	db.FormatQuery(dst, query)
-	db.Prepare(query)
-	tx.FormatQuery(dst, query)
-	tx.Prepare(query)
+	conn.FormatQuery(dst, query) // $querystring=query
+	conn.Prepare(query)          // $querystring=query
+	db.FormatQuery(dst, query)   // $querystring=query
+	db.Prepare(query)            // $querystring=query
+	tx.FormatQuery(dst, query)   // $querystring=query
+	tx.Prepare(query)            // $querystring=query
 }

 // go-pg v9 dropped support for `FormatQuery`
 func newpgtest(query string, conn newpg.Conn, db newpg.DB, tx newpg.Tx) {
-	newpg.Q(query)
-	conn.Prepare(query)
-	db.Prepare(query)
-	tx.Prepare(query)
+	newpg.Q(query)      // $querystring=query
+	conn.Prepare(query) // $querystring=query
+	db.Prepare(query)   // $querystring=query
+	tx.Prepare(query)   // $querystring=query
 }
 func pgormtest(query string, q orm.Query) {
-	orm.Q(query)
-	q.ColumnExpr(query)
-	q.For(query)
+	orm.Q(query)        // $querystring=query
+	q.ColumnExpr(query) // $querystring=query
+	q.For(query)        // $querystring=query
 	var b []byte
-	q.FormatQuery(b, query)
-	q.Having(query)
-	q.Where(query)
-	q.WhereInMulti(query)
-	q.WhereOr(query)
+	q.FormatQuery(b, query) // $querystring=query
+	q.Having(query)         // $querystring=query
+	q.Where(query)          // $querystring=query
+	q.WhereInMulti(query)   // $querystring=query
+	q.WhereOr(query)        // $querystring=query
 }