From d517125507176d32340fa215cf38b62eff19ddfa Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Tue, 10 Nov 2020 23:58:15 -0800
Subject: [PATCH] Add tests for SQL framework

---
 .../go/frameworks/SQL/QueryString.expected | 37 ----------
 .../semmle/go/frameworks/SQL/QueryString.ql | 33 ++++++++-
 .../semmle/go/frameworks/SQL/main.go | 73 ++++++++++++++-----
 .../semmle/go/frameworks/SQL/pg.go | 38 +++++-----
 4 files changed, 104 insertions(+), 77 deletions(-)

diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.expected b/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.expected
index 30ae736f33a..e69de29bb2d 100644
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.expected
@@ -1,37 +0,0 @@
-| main.go:13:10:13:14 | query |
-| main.go:14:22:14:26 | query |
-| main.go:15:13:15:17 | query |
-| main.go:16:25:16:29 | query |
-| main.go:17:11:17:15 | query |
-| main.go:18:23:18:27 | query |
-| main.go:19:14:19:18 | query |
-| main.go:20:26:20:30 | query |
-| main.go:24:57:24:65 | querypart |
-| main.go:25:44:25:52 | querypart |
-| main.go:29:10:29:14 | query |
-| main.go:30:22:30:26 | query |
-| main.go:31:13:31:17 | query |
-| main.go:32:25:32:29 | query |
-| main.go:33:11:33:15 | query |
-| main.go:34:23:34:27 | query |
-| main.go:35:14:35:18 | query |
-| main.go:36:26:36:30 | query |
-| pg.go:14:7:14:11 | query |
-| pg.go:16:24:16:28 | query |
-| pg.go:17:15:17:19 | query |
-| pg.go:18:22:18:26 | query |
-| pg.go:19:13:19:17 | query |
-| pg.go:20:22:20:26 | query |
-| pg.go:21:13:21:17 | query |
-| pg.go:26:10:26:14 | query |
-| pg.go:27:15:27:19 | query |
-| pg.go:28:13:28:17 | query |
-| pg.go:29:13:29:17 | query |
-| pg.go:32:8:32:12 | query |
-| pg.go:33:15:33:19 | query |
-| pg.go:34:8:34:12 | query |
-| pg.go:36:19:36:23 | query |
-| pg.go:37:11:37:15 | query |
-| pg.go:38:10:38:14 | query |
-| pg.go:39:17:39:21 | query |
-| pg.go:40:12:40:16 | query |
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.ql b/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.ql
index 7b56fd97441..7ad5cb58164 100644
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.ql
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/QueryString.ql
@@ -1,4 +1,33 @@
 import go
+import TestUtilities.InlineExpectationsTest
 
-from SQL::QueryString qs
-select qs
+class SQLTest extends InlineExpectationsTest {
+  SQLTest() { this = "SQLTest" }
+
+  override string getARelevantTag() { result = "query" }
+
+  override predicate hasActualResult(string file, int line, string element, string tag, string value) {
+    tag = "query" and
+    exists(SQL::Query q, SQL::QueryString qs, string qsFile, int qsLine | qs = q.getAQueryString() |
+      q.hasLocationInfo(file, line, _, _, _) and
+      qs.hasLocationInfo(qsFile, qsLine, _, _, _) and
+      element = q.toString() and
+      value = qs.toString()
+    )
+  }
+}
+
+class QueryString extends InlineExpectationsTest {
+  QueryString() { this = "QueryString no Query" }
+
+  override string getARelevantTag() { result = "querystring" }
+
+  override predicate hasActualResult(string file, int line, string element, string tag, string value) {
+    tag = "querystring" and
+    element = "" and
+    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
+      qs.hasLocationInfo(file, line, _, _, _) and
+      value = qs.toString()
+    )
+  }
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
index 4cc357c0759..3458e337abe 100644
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
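Review bot: In `SQLTest.hasActualResult` the variables `qsFile` and `qsLine` are bound by `qs.hasLocationInfo(qsFile, qsLine, _, _, _)` but never compared with `file`/`line` or used anywhere else, so that conjunct constrains nothing and reads as if the query string's location were being checked. Either drop the two dead variables and the conjunct, leaving `exists(SQL::Query q, SQL::QueryString qs | qs = q.getAQueryString() |`, or, if the intent was to require the query string to sit on the same line as the query, write `qs.hasLocationInfo(file, line, _, _, _) and` instead. The second test class is named `QueryString`, which is the same simple name as `SQL::QueryString` it tests against; a name such as `QueryStringWithoutQuery` would avoid the two being confused when reading `exists(SQL::QueryString qs | ...)` inside it.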
@@ -9,31 +9,66 @@ import (
 	"github.com/Masterminds/squirrel"
 )
 
-func test(db *sql.DB, query string, ctx context.Context) {
-	db.Exec(query)
-	db.ExecContext(ctx, query)
-	db.Prepare(query)
-	db.PrepareContext(ctx, query)
-	db.Query(query)
-	db.QueryContext(ctx, query)
-	db.QueryRow(query)
-	db.QueryRowContext(ctx, query)
+var (
+	query1 string
+	query2 string
+	query3 string
+	query4 string
+	query5 string
+	query6 string
+	query7 string
+	query8 string
+	query11 string
+	query12 string
+	query13 string
+	query14 string
+	query15 string
+	query16 string
+	query17 string
+	query18 string
+	query21 string
+	query22 string
+	query23 string
+)
+
+func test(db *sql.DB, ctx context.Context) {
+	db.Exec(query1) // $query=query1
+	db.ExecContext(ctx, query2) // $query=query2
+	db.Prepare(query3) // $querystring=query3
+	db.PrepareContext(ctx, query4) // $querystring=query4
+	db.Query(query5) // $query=query5
+	db.QueryContext(ctx, query6) // $query=query6
+	db.QueryRow(query7) // $query=query7
+	db.QueryRowContext(ctx, query8) // $query=query8
 }
 
 func squirrelTest(querypart string) {
-	squirrel.Select("*").From("users").Where(squirrel.Expr(querypart))
-	squirrel.Select("*").From("users").Suffix(querypart)
+	squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $querystring=querypart
+	squirrel.Select("*").From("users").Suffix(querypart) // $querystring=querypart
 }
 
 func test2(tx *sql.Tx, query string, ctx context.Context) {
-	tx.Exec(query)
-	tx.ExecContext(ctx, query)
-	tx.Prepare(query)
-	tx.PrepareContext(ctx, query)
-	tx.Query(query)
-	tx.QueryContext(ctx, query)
-	tx.QueryRow(query)
-	tx.QueryRowContext(ctx, query)
+	tx.Exec(query11) // $query=query11
+	tx.ExecContext(ctx, query12) // $query=query12
+	tx.Prepare(query13) // $querystring=query13
+	tx.PrepareContext(ctx, query14) // $querystring=query14
+	tx.Query(query15) // $query=query15
+	tx.QueryContext(ctx, query16) // $query=query16
+	tx.QueryRow(query17) // $query=query17
+	tx.QueryRowContext(ctx, query18) // $query=query18
+}
+
+func test3(db *sql.DB, ctx context.Context) {
+	stmt1, _ := db.Prepare(query21) // $f+:querystring=query21
+	stmt1.Exec() // $f-:query=query21
+	stmt2, _ := db.PrepareContext(ctx, query22) // $f+:querystring=query22
+	stmt2.ExecContext(ctx) // $f-:query=query22
+	stmt3, _ := db.Prepare(query23) // $f+:querystring=query23
+	runQuery(stmt3)
+}
+
+func runQuery(stmt *sql.Stmt) {
+	stmt.Exec() // $f-:query=query23
 }
 
 func main() {}
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go b/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go
index ac2340661ea..ecd20c01f76 100644
--- a/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go
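Review bot: In main.go, `test2` keeps its `query string` parameter even though its body now reads only the package-level `query11`–`query18`, while `test` in the same hunk had the parameter removed; for consistency change the signature to `func test2(tx *sql.Tx, ctx context.Context) {`. The `$f+:`/`$f-:` markers in `test3` and `runQuery` appear to record a known gap rather than a test quirk: a `db.Prepare`/`db.PrepareContext` call shows up only as a bare query string, and the later `Exec`/`ExecContext` on the returned `*sql.Stmt` (including across the call into `runQuery`) is not reported as a query at all. A one-line comment above `test3` would save the next reader from re-deriving this, e.g. `// Known gap: Prepare* yields a QueryString with no Query, and Exec on the resulting *sql.Stmt is not modelled as a Query; the f+/f- markers track this.`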
@@ -11,31 +11,31 @@ import (
 )
 
 func pgtest(query string, conn pg.Conn, db pg.DB, tx pg.Tx) {
-	pg.Q(query)
+	pg.Q(query) // $querystring=query
 	var dst []byte
-	conn.FormatQuery(dst, query)
-	conn.Prepare(query)
-	db.FormatQuery(dst, query)
-	db.Prepare(query)
-	tx.FormatQuery(dst, query)
-	tx.Prepare(query)
+	conn.FormatQuery(dst, query) // $querystring=query
+	conn.Prepare(query) // $querystring=query
+	db.FormatQuery(dst, query) // $querystring=query
+	db.Prepare(query) // $querystring=query
+	tx.FormatQuery(dst, query) // $querystring=query
+	tx.Prepare(query) // $querystring=query
 }
 
 // go-pg v9 dropped support for `FormatQuery`
 func newpgtest(query string, conn newpg.Conn, db newpg.DB, tx newpg.Tx) {
-	newpg.Q(query)
-	conn.Prepare(query)
-	db.Prepare(query)
-	tx.Prepare(query)
+	newpg.Q(query) // $querystring=query
+	conn.Prepare(query) // $querystring=query
+	db.Prepare(query) // $querystring=query
+	tx.Prepare(query) // $querystring=query
 }
 func pgormtest(query string, q orm.Query) {
-	orm.Q(query)
-	q.ColumnExpr(query)
-	q.For(query)
+	orm.Q(query) // $querystring=query
+	q.ColumnExpr(query) // $querystring=query
+	q.For(query) // $querystring=query
 	var b []byte
-	q.FormatQuery(b, query)
-	q.Having(query)
-	q.Where(query)
-	q.WhereInMulti(query)
-	q.WhereOr(query)
+	q.FormatQuery(b, query) // $querystring=query
+	q.Having(query) // $querystring=query
+	q.Where(query) // $querystring=query
+	q.WhereInMulti(query) // $querystring=query
+	q.WhereOr(query) // $querystring=query
 }