From 95c1f754c6a6ad5c5ba3aa833fc0cfa237c3df22 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 9 Sep 2020 14:04:02 +0100 Subject: [PATCH 1/4] Add alternative package locations --- ql/src/semmle/go/frameworks/SQL.qll | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll index a959f9bec45..d338ddbcf57 100644 --- a/ql/src/semmle/go/frameworks/SQL.qll +++ b/ql/src/semmle/go/frameworks/SQL.qll @@ -161,12 +161,13 @@ module SQL { } } - /** A model for sinks of github.com/jinzhu/gorm. */ + /** A model for sinks of GORM. */ private class GormSink extends SQL::QueryString::Range { GormSink() { - exists(Method meth, string name | - meth.hasQualifiedName("github.com/jinzhu/gorm", "DB", name) and + exists(Method meth, string package, string name | + meth.hasQualifiedName(package, "DB", name) and this = meth.getACall().getArgument(0) and + package in ["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"] and name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins"] ) } From d807e8de75ac945ad8b035db2271fc5a759bfeff Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 9 Sep 2020 14:01:55 +0100 Subject: [PATCH 2/4] Add more methods from GORM as sinks Cf. https://gorm.io/docs/security.html --- ql/src/semmle/go/frameworks/SQL.qll | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll index d338ddbcf57..ecb5becdfca 100644 --- a/ql/src/semmle/go/frameworks/SQL.qll +++ b/ql/src/semmle/go/frameworks/SQL.qll 
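Review bot: The third path in the new `package in [...]` conjunct, `github.com/go-gorm/gorm`, is exercised by nothing in this series: the updated gorm.go imports only `github.com/jinzhu/gorm` and `gorm.io/gorm`, and go.mod requires only those two, so a misspelt or never-emitted import path would pass the tests unnoticed. Either add a test import for it or record why it is listed, and name the paths in the class comment, which at `/** A model for sinks of GORM. */` no longer says which packages are covered; something like `/** A model for sinks of GORM (github.com/jinzhu/gorm, github.com/go-gorm/gorm, gorm.io/gorm): the first argument of the query-building methods on DB. */` keeps that visible. Placing the `package in` line next to the `hasQualifiedName` call it constrains, rather than after the `getArgument(0)` line, would also read more naturally.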
@@ -168,7 +168,8 @@ module SQL { meth.hasQualifiedName(package, "DB", name) and this = meth.getACall().getArgument(0) and package in ["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"] and - name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins"] + name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", + "Joins", "Exec", "Distinct", "Pluck"] ) } } From 3af90c9fc87609b03a68c0e34a651d3032eb2aa1 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Sep 2020 10:57:26 +0100 Subject: [PATCH 3/4] Update GORM tests --- .../semmle/go/frameworks/SQL/Gorm/go.mod | 3 +- .../go/frameworks/SQL/Gorm/gorm.expected | 34 +- .../semmle/go/frameworks/SQL/Gorm/gorm.go | 45 +- .../semmle/go/frameworks/SQL/Gorm/gorm.ql | 5 +- .../SQL/Gorm/vendor/gorm.io/gorm/stub.go | 753 ++++++++++++++++++ .../go/frameworks/SQL/Gorm/vendor/modules.txt | 5 +- 6 files changed, 821 insertions(+), 24 deletions(-) create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/gorm.io/gorm/stub.go diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/go.mod b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/go.mod index fad4c47a355..0d4e11ba7a3 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/go.mod +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/go.mod @@ -3,5 +3,6 @@ module gormtest go 1.14 require ( - github.com/jinzhu/gorm v1.9.15 + github.com/jinzhu/gorm v1.9.16 + gorm.io/gorm v1.20.0 ) diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected index 55c7a9ff66b..ca70ed07c33 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected 
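Review bot: The three methods added to the `name in [...]` list (`Exec`, `Distinct`, `Pluck`) carry no pointer to why their first argument is treated as SQL text; the commit message cites https://gorm.io/docs/security.html, but that reference is lost to anyone reading SQL.qll. A comment above the list such as `// Methods whose first argument is interpolated into the SQL text; see https://gorm.io/docs/security.html` would preserve it. The updated tests call `Distinct` only on the gorm.io/gorm `DB` and the expected output lists no jinzhu `Distinct` row, so that entry apparently applies only to the newer package, which is worth a word in the same comment. The `GormSink()` characteristic predicate this list belongs to starts outside the hunk.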
@@ -1,9 +1,25 @@ -| gorm.go:15:11:15:19 | untrusted | -| gorm.go:16:9:16:17 | untrusted | -| gorm.go:17:11:17:19 | untrusted | -| gorm.go:18:8:18:16 | untrusted | -| gorm.go:19:12:19:20 | untrusted | -| gorm.go:20:11:20:19 | untrusted | -| gorm.go:21:11:21:19 | untrusted | -| gorm.go:22:12:22:20 | untrusted | -| gorm.go:23:11:23:19 | untrusted | +| gorm.go:20:12:20:20 | untrusted | github.com/jinzhu/gorm | DB | Where | +| gorm.go:21:10:21:18 | untrusted | github.com/jinzhu/gorm | DB | Raw | +| gorm.go:22:10:22:18 | untrusted | github.com/jinzhu/gorm | DB | Not | +| gorm.go:23:12:23:20 | untrusted | github.com/jinzhu/gorm | DB | Order | +| gorm.go:24:9:24:17 | untrusted | github.com/jinzhu/gorm | DB | Or | +| gorm.go:25:13:25:21 | untrusted | github.com/jinzhu/gorm | DB | Select | +| gorm.go:26:12:26:20 | untrusted | github.com/jinzhu/gorm | DB | Table | +| gorm.go:27:12:27:20 | untrusted | github.com/jinzhu/gorm | DB | Group | +| gorm.go:28:13:28:21 | untrusted | github.com/jinzhu/gorm | DB | Having | +| gorm.go:29:12:29:20 | untrusted | github.com/jinzhu/gorm | DB | Joins | +| gorm.go:30:11:30:19 | untrusted | github.com/jinzhu/gorm | DB | Exec | +| gorm.go:31:12:31:20 | untrusted | github.com/jinzhu/gorm | DB | Pluck | +| gorm.go:34:12:34:20 | untrusted | gorm.io/gorm | DB | Where | +| gorm.go:35:10:35:18 | untrusted | gorm.io/gorm | DB | Raw | +| gorm.go:36:10:36:18 | untrusted | gorm.io/gorm | DB | Not | +| gorm.go:37:12:37:20 | untrusted | gorm.io/gorm | DB | Order | +| gorm.go:38:9:38:17 | untrusted | gorm.io/gorm | DB | Or | +| gorm.go:39:13:39:21 | untrusted | gorm.io/gorm | DB | Select | +| gorm.go:40:12:40:20 | untrusted | gorm.io/gorm | DB | Table | +| gorm.go:41:12:41:20 | untrusted | gorm.io/gorm | DB | Group | +| gorm.go:42:13:42:21 | untrusted | gorm.io/gorm | DB | Having | +| gorm.go:43:12:43:20 | untrusted | gorm.io/gorm | DB | Joins | +| gorm.go:44:11:44:19 | untrusted | gorm.io/gorm | DB | Exec | +| gorm.go:45:15:45:23 | untrusted | gorm.io/gorm 
| DB | Distinct | +| gorm.go:46:12:46:20 | untrusted | gorm.io/gorm | DB | Pluck | diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go index f6389e9df6c..bee8edbf7af 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go @@ -1,7 +1,11 @@ package gormtest +//go:generate depstubber -vendor github.com/jinzhu/gorm DB +//go:generate depstubber -vendor gorm.io/gorm DB + import ( - "github.com/jinzhu/gorm" + gorm1 "github.com/jinzhu/gorm" + gorm2 "gorm.io/gorm" ) func getUntrustedString() string { @@ -10,16 +14,35 @@ func getUntrustedString() string { func main() { - db := gorm.DB{} untrusted := getUntrustedString() - db.Where(untrusted) - db.Not(untrusted) - db.Order(untrusted) - db.Or(untrusted) - db.Select(untrusted) - db.Table(untrusted) - db.Group(untrusted) - db.Having(untrusted) - db.Joins(untrusted) + + db1 := gorm1.DB{} + db1.Where(untrusted) + db1.Raw(untrusted) + db1.Not(untrusted) + db1.Order(untrusted) + db1.Or(untrusted) + db1.Select(untrusted) + db1.Table(untrusted) + db1.Group(untrusted) + db1.Having(untrusted) + db1.Joins(untrusted) + db1.Exec(untrusted) + db1.Pluck(untrusted, nil) + + db2 := gorm2.DB{} + db2.Where(untrusted) + db2.Raw(untrusted) + db2.Not(untrusted) + db2.Order(untrusted) + db2.Or(untrusted) + db2.Select(untrusted) + db2.Table(untrusted) + db2.Group(untrusted) + db2.Having(untrusted) + db2.Joins(untrusted) + db2.Exec(untrusted) + db2.Distinct(untrusted) + db2.Pluck(untrusted, nil) } diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql index 7b56fd97441..47a9e0bbc8d 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql 
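Review bot: Every call in the new `main` passes `untrusted` as the first argument only, so the test cannot catch over-approximation: if the model ever started flagging the variadic parameter arguments, no line of gorm.expected would change. Add one call per package whose tainted value sits in the parameter position, e.g. `db1.Where("id = ?", untrusted)` and `db2.Where("id = ?", untrusted)`; the expected rows for those lines should then name the literal, not `untrusted`, documenting that only the first argument is modelled. `Pluck(untrusted, nil)` is the only two-argument call, but its second argument is a destination rather than a query fragment, so it does not cover this case either.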
@@ -1,4 +1,5 @@
 import go
-from SQL::QueryString qs
-select qs
+from SQL::QueryString qs, Method meth, string a, string b, string c
+where meth.hasQualifiedName(a, b, c) and qs = meth.getACall().getArgument(0)
+select qs, a, b, c
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/gorm.io/gorm/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/gorm.io/gorm/stub.go
new file mode 100644
index 00000000000..ec931f515e6
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/gorm.io/gorm/stub.go
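Review bot: The new `where` clause re-derives each sink from `meth.getACall().getArgument(0)`, so any `SQL::QueryString` that the library models in some other position would silently drop out of the results instead of appearing as an unexpected row; the query now checks the join rather than the `SQL::QueryString` class itself. If the goal is only to label each result with its package and method, keep the selection total and attach the label where one exists, and in any case give the columns meaningful names: `from SQL::QueryString qs, Method meth, string pkg, string tp, string name` says more than `a, b, c`. A one-line comment above `from` stating that the query lists every modelled query string together with the method it is passed to would help whoever next edits gorm.expected.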
@@ -0,0 +1,753 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for gorm.io/gorm, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: gorm.io/gorm (exports: DB; functions: ) + +// Package gorm is a stub of gorm.io/gorm, generated by depstubber. +package gorm + +import ( + context "context" + sql "database/sql" + reflect "reflect" + strings "strings" + sync "sync" + time "time" +) + +type Association struct { + DB *DB + Relationship interface{} + Error error +} + +func (_ *Association) Append(_ ...interface{}) error { + return nil +} + +func (_ *Association) Clear() error { + return nil +} + +func (_ *Association) Count() int64 { + return 0 +} + +func (_ *Association) Delete(_ ...interface{}) error { + return nil +} + +func (_ *Association) Find(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Association) Replace(_ ...interface{}) error { + return nil +} + +type Config struct { + SkipDefaultTransaction bool + NamingStrategy interface{} + Logger interface{} + NowFunc func() time.Time + DryRun bool + PrepareStmt bool + DisableAutomaticPing bool + DisableForeignKeyConstraintWhenMigrating bool + AllowGlobalUpdate bool + ClauseBuilders map[string]interface{} + ConnPool ConnPool + Dialector Dialector + Plugins map[string]Plugin +} + +func (_ Config) BindVarTo(_ interface{}, _ *Statement, _ interface{}) {} + +func (_ Config) DataTypeOf(_ interface{}) string { + return "" +} + +func (_ Config) DefaultValueOf(_ interface{}) interface{} { + return nil +} + +func (_ Config) Explain(_ string, _ ...interface{}) string { + return "" +} + +func (_ Config) Initialize(_ *DB) error { + return nil +} + +func (_ Config) Migrator(_ *DB) Migrator { + return nil +} + +func (_ Config) Name() string { + return "" +} + +func (_ Config) QuoteTo(_ interface{}, _ string) {} + +type ConnPool interface { + ExecContext(_ context.Context, _ string, _ ...interface{}) 
(sql.Result, error) + PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) + QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) + QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row +} + +type DB struct { + Config *Config + Error error + RowsAffected int64 + Statement *Statement +} + +func (_ DB) BindVarTo(_ interface{}, _ *Statement, _ interface{}) {} + +func (_ DB) DataTypeOf(_ interface{}) string { + return "" +} + +func (_ DB) DefaultValueOf(_ interface{}) interface{} { + return nil +} + +func (_ DB) Explain(_ string, _ ...interface{}) string { + return "" +} + +func (_ DB) Initialize(_ *DB) error { + return nil +} + +func (_ DB) Name() string { + return "" +} + +func (_ DB) QuoteTo(_ interface{}, _ string) {} + +func (_ *DB) AddError(_ error) error { + return nil +} + +func (_ *DB) Assign(_ ...interface{}) *DB { + return nil +} + +func (_ *DB) Association(_ string) *Association { + return nil +} + +func (_ *DB) Attrs(_ ...interface{}) *DB { + return nil +} + +func (_ *DB) AutoMigrate(_ ...interface{}) error { + return nil +} + +func (_ *DB) Begin(_ ...*sql.TxOptions) *DB { + return nil +} + +func (_ *DB) Callback() interface{} { + return nil +} + +func (_ *DB) Clauses(_ ...interface{}) *DB { + return nil +} + +func (_ *DB) Commit() *DB { + return nil +} + +func (_ *DB) Count(_ *int64) *DB { + return nil +} + +func (_ *DB) Create(_ interface{}) *DB { + return nil +} + +func (_ *DB) DB() (*sql.DB, error) { + return nil, nil +} + +func (_ *DB) Debug() *DB { + return nil +} + +func (_ *DB) Delete(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Distinct(_ ...interface{}) *DB { + return nil +} + +func (_ *DB) Exec(_ string, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Find(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) FindInBatches(_ interface{}, _ int, _ func(*DB, int) error) *DB { + return nil +} + +func (_ *DB) First(_ interface{}, _ 
...interface{}) *DB { + return nil +} + +func (_ *DB) FirstOrCreate(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) FirstOrInit(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Get(_ string) (interface{}, bool) { + return nil, false +} + +func (_ *DB) Group(_ string) *DB { + return nil +} + +func (_ *DB) Having(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) InstanceGet(_ string) (interface{}, bool) { + return nil, false +} + +func (_ *DB) InstanceSet(_ string, _ interface{}) *DB { + return nil +} + +func (_ *DB) Joins(_ string, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Last(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Limit(_ int) *DB { + return nil +} + +func (_ *DB) Migrator() Migrator { + return nil +} + +func (_ *DB) Model(_ interface{}) *DB { + return nil +} + +func (_ *DB) Not(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Offset(_ int) *DB { + return nil +} + +func (_ *DB) Omit(_ ...string) *DB { + return nil +} + +func (_ *DB) Or(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Order(_ interface{}) *DB { + return nil +} + +func (_ *DB) Pluck(_ string, _ interface{}) *DB { + return nil +} + +func (_ *DB) Preload(_ string, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Raw(_ string, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Rollback() *DB { + return nil +} + +func (_ *DB) RollbackTo(_ string) *DB { + return nil +} + +func (_ *DB) Row() *sql.Row { + return nil +} + +func (_ *DB) Rows() (*sql.Rows, error) { + return nil, nil +} + +func (_ *DB) Save(_ interface{}) *DB { + return nil +} + +func (_ *DB) SavePoint(_ string) *DB { + return nil +} + +func (_ *DB) Scan(_ interface{}) *DB { + return nil +} + +func (_ *DB) ScanRows(_ *sql.Rows, _ interface{}) error { + return nil +} + +func (_ *DB) Scopes(_ ...func(*DB) *DB) *DB { + return nil +} + +func (_ *DB) Select(_ interface{}, _ 
...interface{}) *DB { + return nil +} + +func (_ *DB) Session(_ *Session) *DB { + return nil +} + +func (_ *DB) Set(_ string, _ interface{}) *DB { + return nil +} + +func (_ *DB) SetupJoinTable(_ interface{}, _ string, _ interface{}) error { + return nil +} + +func (_ *DB) Table(_ string, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Take(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) Transaction(_ func(*DB) error, _ ...*sql.TxOptions) error { + return nil +} + +func (_ *DB) Unscoped() *DB { + return nil +} + +func (_ *DB) Update(_ string, _ interface{}) *DB { + return nil +} + +func (_ *DB) UpdateColumn(_ string, _ interface{}) *DB { + return nil +} + +func (_ *DB) UpdateColumns(_ interface{}) *DB { + return nil +} + +func (_ *DB) Updates(_ interface{}) *DB { + return nil +} + +func (_ *DB) Use(_ Plugin) error { + return nil +} + +func (_ *DB) Where(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ *DB) WithContext(_ context.Context) *DB { + return nil +} + +type Dialector interface { + BindVarTo(_ interface{}, _ *Statement, _ interface{}) + DataTypeOf(_ interface{}) string + DefaultValueOf(_ interface{}) interface{} + Explain(_ string, _ ...interface{}) string + Initialize(_ *DB) error + Migrator(_ *DB) Migrator + Name() string + QuoteTo(_ interface{}, _ string) +} + +type Migrator interface { + AddColumn(_ interface{}, _ string) error + AlterColumn(_ interface{}, _ string) error + AutoMigrate(_ ...interface{}) error + ColumnTypes(_ interface{}) ([]*sql.ColumnType, error) + CreateConstraint(_ interface{}, _ string) error + CreateIndex(_ interface{}, _ string) error + CreateTable(_ ...interface{}) error + CreateView(_ string, _ ViewOption) error + CurrentDatabase() string + DropColumn(_ interface{}, _ string) error + DropConstraint(_ interface{}, _ string) error + DropIndex(_ interface{}, _ string) error + DropTable(_ ...interface{}) error + DropView(_ string) error + FullDataTypeOf(_ interface{}) interface{} + 
HasColumn(_ interface{}, _ string) bool + HasConstraint(_ interface{}, _ string) bool + HasIndex(_ interface{}, _ string) bool + HasTable(_ interface{}) bool + MigrateColumn(_ interface{}, _ interface{}, _ *sql.ColumnType) error + RenameColumn(_ interface{}, _ string, _ string) error + RenameIndex(_ interface{}, _ string, _ string) error + RenameTable(_ interface{}, _ interface{}) error +} + +type Plugin interface { + Initialize(_ *DB) error + Name() string +} + +type Session struct { + DryRun bool + PrepareStmt bool + WithConditions bool + SkipDefaultTransaction bool + AllowGlobalUpdate bool + Context context.Context + Logger interface{} + NowFunc func() time.Time +} + +type Statement struct { + DB *DB + TableExpr interface{} + Table string + Model interface{} + Unscoped bool + Dest interface{} + ReflectValue reflect.Value + Clauses map[string]interface{} + Distinct bool + Selects []string + Omits []string + Joins []interface{} + Preloads map[string][]interface{} + Settings sync.Map + ConnPool ConnPool + Schema interface{} + Context context.Context + RaiseErrorOnNotFound bool + UpdatingColumn bool + SQL strings.Builder + Vars []interface{} + CurDestIndex int +} + +func (_ Statement) AddError(_ error) error { + return nil +} + +func (_ Statement) Assign(_ ...interface{}) *DB { + return nil +} + +func (_ Statement) Association(_ string) *Association { + return nil +} + +func (_ Statement) Attrs(_ ...interface{}) *DB { + return nil +} + +func (_ Statement) AutoMigrate(_ ...interface{}) error { + return nil +} + +func (_ Statement) Begin(_ ...*sql.TxOptions) *DB { + return nil +} + +func (_ Statement) BindVarTo(_ interface{}, _ *Statement, _ interface{}) {} + +func (_ Statement) Callback() interface{} { + return nil +} + +func (_ Statement) Commit() *DB { + return nil +} + +func (_ Statement) Count(_ *int64) *DB { + return nil +} + +func (_ Statement) Create(_ interface{}) *DB { + return nil +} + +func (_ Statement) DataTypeOf(_ interface{}) string { + return "" +} + 
+func (_ Statement) Debug() *DB { + return nil +} + +func (_ Statement) DefaultValueOf(_ interface{}) interface{} { + return nil +} + +func (_ Statement) Delete(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Exec(_ string, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Explain(_ string, _ ...interface{}) string { + return "" +} + +func (_ Statement) Find(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) FindInBatches(_ interface{}, _ int, _ func(*DB, int) error) *DB { + return nil +} + +func (_ Statement) First(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) FirstOrCreate(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) FirstOrInit(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Get(_ string) (interface{}, bool) { + return nil, false +} + +func (_ Statement) Group(_ string) *DB { + return nil +} + +func (_ Statement) Having(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Initialize(_ *DB) error { + return nil +} + +func (_ Statement) InstanceGet(_ string) (interface{}, bool) { + return nil, false +} + +func (_ Statement) InstanceSet(_ string, _ interface{}) *DB { + return nil +} + +func (_ Statement) Last(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Limit(_ int) *DB { + return nil +} + +func (_ Statement) Migrator() Migrator { + return nil +} + +func (_ Statement) Name() string { + return "" +} + +func (_ Statement) Not(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Offset(_ int) *DB { + return nil +} + +func (_ Statement) Omit(_ ...string) *DB { + return nil +} + +func (_ Statement) Or(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Order(_ interface{}) *DB { + return nil +} + +func (_ Statement) Pluck(_ string, _ interface{}) *DB { + return nil +} + +func (_ Statement) Preload(_ string, _ 
...interface{}) *DB { + return nil +} + +func (_ Statement) Raw(_ string, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Rollback() *DB { + return nil +} + +func (_ Statement) RollbackTo(_ string) *DB { + return nil +} + +func (_ Statement) Row() *sql.Row { + return nil +} + +func (_ Statement) Rows() (*sql.Rows, error) { + return nil, nil +} + +func (_ Statement) Save(_ interface{}) *DB { + return nil +} + +func (_ Statement) SavePoint(_ string) *DB { + return nil +} + +func (_ Statement) Scan(_ interface{}) *DB { + return nil +} + +func (_ Statement) ScanRows(_ *sql.Rows, _ interface{}) error { + return nil +} + +func (_ Statement) Scopes(_ ...func(*DB) *DB) *DB { + return nil +} + +func (_ Statement) Select(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Session(_ *Session) *DB { + return nil +} + +func (_ Statement) Set(_ string, _ interface{}) *DB { + return nil +} + +func (_ Statement) SetupJoinTable(_ interface{}, _ string, _ interface{}) error { + return nil +} + +func (_ Statement) Take(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) Transaction(_ func(*DB) error, _ ...*sql.TxOptions) error { + return nil +} + +func (_ Statement) Update(_ string, _ interface{}) *DB { + return nil +} + +func (_ Statement) UpdateColumn(_ string, _ interface{}) *DB { + return nil +} + +func (_ Statement) UpdateColumns(_ interface{}) *DB { + return nil +} + +func (_ Statement) Updates(_ interface{}) *DB { + return nil +} + +func (_ Statement) Use(_ Plugin) error { + return nil +} + +func (_ Statement) Where(_ interface{}, _ ...interface{}) *DB { + return nil +} + +func (_ Statement) WithContext(_ context.Context) *DB { + return nil +} + +func (_ *Statement) AddClause(_ interface{}) {} + +func (_ *Statement) AddClauseIfNotExists(_ interface{}) {} + +func (_ *Statement) AddVar(_ interface{}, _ ...interface{}) {} + +func (_ *Statement) Build(_ ...string) {} + +func (_ *Statement) BuildCondition(_ 
interface{}, _ ...interface{}) []interface{} { + return nil +} + +func (_ *Statement) Changed(_ ...string) bool { + return false +} + +func (_ *Statement) Parse(_ interface{}) error { + return nil +} + +func (_ *Statement) Quote(_ interface{}) string { + return "" +} + +func (_ *Statement) QuoteTo(_ interface{}, _ interface{}) {} + +func (_ *Statement) SelectAndOmitColumns(_ bool, _ bool) (map[string]bool, bool) { + return nil, false +} + +func (_ *Statement) SetColumn(_ string, _ interface{}) {} + +func (_ *Statement) WriteByte(_ byte) error { + return nil +} + +func (_ *Statement) WriteQuoted(_ interface{}) {} + +func (_ *Statement) WriteString(_ string) (int, error) { + return 0, nil +} + +type ViewOption struct { + Replace bool + CheckOption string + Query *DB +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/modules.txt index 13d6ffb9c58..3123a1a8775 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/modules.txt +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/modules.txt @@ -1,3 +1,6 @@ -# github.com/jinzhu/gorm v1.9.15 +# github.com/jinzhu/gorm v1.9.16 ## explicit github.com/jinzhu/gorm +# gorm.io/gorm v1.20.0 +## explicit +gorm.io/gorm From 13e82de53df25f4a809c5da9dcf5992d1d63c5c0 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Sep 2020 17:28:25 +0100 Subject: [PATCH 4/4] Add change note --- change-notes/2020-09-10-gorm-model-improved.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 change-notes/2020-09-10-gorm-model-improved.md diff --git a/change-notes/2020-09-10-gorm-model-improved.md b/change-notes/2020-09-10-gorm-model-improved.md new file mode 100644 index 00000000000..10b99296eb6 --- /dev/null +++ b/change-notes/2020-09-10-gorm-model-improved.md 
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Support for the [GORM](https://github.com/go-gorm/gorm) ORM library (specifically, its SQL
+ statement building facilities) has been improved, which may lead to more results from the
+ security queries.