From 7d213d5bb95db45c631d7637ac4109b43350f816 Mon Sep 17 00:00:00 2001
From: Kevin Stubbings <kwstubbs@github.com>
Date: Tue, 12 Sep 2023 21:10:11 -0700
Subject: [PATCH 1/3] Add Integer/Boolean Sanitizer

---
 .../security/SqlInjectionCustomizations.qll   |   9 +
 .../Security/CWE-089/SqlInjection.expected    | 214 +++++++++---------
 .../test/query-tests/Security/CWE-089/main.go |  11 +
 3 files changed, 127 insertions(+), 107 deletions(-)

diff --git a/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll
index 9687eea91a9..99f24b6a473 100644
--- a/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll
@@ -25,6 +25,15 @@ module SqlInjection {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
+  /**
+   * A numeric- or boolean-typed node, considered a sanitizer for sql injection.
+   */
+  class NumericOrBooleanSanitizer extends Sanitizer {
+    NumericOrBooleanSanitizer() {
+      this.getType() instanceof NumericType or this.getType() instanceof BoolType
+    }
+  }
+
   /**
    * DEPRECATED: Use `Sanitizer` instead.
    *
diff --git a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
index a45df038896..916415c9bf3 100644
--- a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
+++ b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
@@ -21,54 +21,54 @@ edges
 | issue48.go:37:53:37:73 | &... | issue48.go:40:3:40:31 | selection of Category |
 | issue48.go:39:8:40:32 | call to Sprintf | issue48.go:41:11:41:12 | q5 |
 | issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | call to Sprintf |
-| main.go:10:11:10:16 | selection of Form | main.go:10:11:10:28 | index expression |
-| main.go:14:63:14:67 | selection of URL | main.go:14:63:14:75 | call to Query |
-| main.go:14:63:14:75 | call to Query | main.go:14:63:14:83 | index expression |
-| main.go:14:63:14:83 | index expression | main.go:14:11:14:84 | call to Sprintf |
-| main.go:15:63:15:70 | selection of Header | main.go:15:63:15:84 | call to Get |
-| main.go:15:63:15:84 | call to Get | main.go:15:11:15:85 | call to Sprintf |
-| main.go:27:17:30:2 | &... [pointer, Category] | main.go:33:3:33:13 | RequestData [pointer, Category] |
-| main.go:27:18:30:2 | struct literal [Category] | main.go:27:17:30:2 | &... [pointer, Category] |
-| main.go:29:13:29:19 | selection of URL | main.go:29:13:29:27 | call to Query |
-| main.go:29:13:29:27 | call to Query | main.go:29:13:29:39 | index expression |
-| main.go:29:13:29:39 | index expression | main.go:27:18:30:2 | struct literal [Category] |
-| main.go:32:7:33:23 | call to Sprintf | main.go:34:11:34:11 | q |
-| main.go:33:3:33:13 | RequestData [pointer, Category] | main.go:33:3:33:13 | implicit dereference [Category] |
-| main.go:33:3:33:13 | implicit dereference [Category] | main.go:33:3:33:22 | selection of Category |
-| main.go:33:3:33:22 | selection of Category | main.go:32:7:33:23 | call to Sprintf |
-| main.go:38:2:38:12 | definition of RequestData [pointer, Category] | main.go:39:2:39:12 | RequestData [pointer, Category] |
-| main.go:38:2:38:12 | definition of RequestData [pointer, Category] | main.go:42:3:42:13 | RequestData [pointer, Category] |
-| main.go:39:2:39:12 | RequestData [pointer, Category] | main.go:39:2:39:12 | implicit dereference [Category] |
-| main.go:39:2:39:12 | implicit dereference [Category] | main.go:38:2:38:12 | definition of RequestData [pointer, Category] |
-| main.go:39:25:39:31 | selection of URL | main.go:39:25:39:39 | call to Query |
-| main.go:39:25:39:39 | call to Query | main.go:39:25:39:51 | index expression |
-| main.go:39:25:39:51 | index expression | main.go:39:2:39:12 | implicit dereference [Category] |
-| main.go:41:7:42:23 | call to Sprintf | main.go:43:11:43:11 | q |
-| main.go:42:3:42:13 | RequestData [pointer, Category] | main.go:42:3:42:13 | implicit dereference [Category] |
-| main.go:42:3:42:13 | implicit dereference [Category] | main.go:42:3:42:22 | selection of Category |
-| main.go:42:3:42:22 | selection of Category | main.go:41:7:42:23 | call to Sprintf |
-| main.go:47:2:47:12 | definition of RequestData [pointer, Category] | main.go:48:4:48:14 | RequestData [pointer, Category] |
-| main.go:47:2:47:12 | definition of RequestData [pointer, Category] | main.go:51:3:51:13 | RequestData [pointer, Category] |
-| main.go:48:3:48:14 | star expression [Category] | main.go:47:2:47:12 | definition of RequestData [pointer, Category] |
-| main.go:48:4:48:14 | RequestData [pointer, Category] | main.go:48:3:48:14 | star expression [Category] |
-| main.go:48:28:48:34 | selection of URL | main.go:48:28:48:42 | call to Query |
-| main.go:48:28:48:42 | call to Query | main.go:48:28:48:54 | index expression |
-| main.go:48:28:48:54 | index expression | main.go:48:3:48:14 | star expression [Category] |
-| main.go:50:7:51:23 | call to Sprintf | main.go:52:11:52:11 | q |
-| main.go:51:3:51:13 | RequestData [pointer, Category] | main.go:51:3:51:13 | implicit dereference [Category] |
-| main.go:51:3:51:13 | implicit dereference [Category] | main.go:51:3:51:22 | selection of Category |
-| main.go:51:3:51:22 | selection of Category | main.go:50:7:51:23 | call to Sprintf |
-| main.go:56:2:56:12 | definition of RequestData [pointer, Category] | main.go:57:4:57:14 | RequestData [pointer, Category] |
-| main.go:56:2:56:12 | definition of RequestData [pointer, Category] | main.go:60:5:60:15 | RequestData [pointer, Category] |
-| main.go:57:3:57:14 | star expression [Category] | main.go:56:2:56:12 | definition of RequestData [pointer, Category] |
-| main.go:57:4:57:14 | RequestData [pointer, Category] | main.go:57:3:57:14 | star expression [Category] |
-| main.go:57:28:57:34 | selection of URL | main.go:57:28:57:42 | call to Query |
-| main.go:57:28:57:42 | call to Query | main.go:57:28:57:54 | index expression |
-| main.go:57:28:57:54 | index expression | main.go:57:3:57:14 | star expression [Category] |
-| main.go:59:7:60:26 | call to Sprintf | main.go:61:11:61:11 | q |
-| main.go:60:3:60:25 | selection of Category | main.go:59:7:60:26 | call to Sprintf |
-| main.go:60:4:60:15 | star expression [Category] | main.go:60:3:60:25 | selection of Category |
-| main.go:60:5:60:15 | RequestData [pointer, Category] | main.go:60:4:60:15 | star expression [Category] |
+| main.go:11:11:11:16 | selection of Form | main.go:11:11:11:28 | index expression |
+| main.go:15:63:15:67 | selection of URL | main.go:15:63:15:75 | call to Query |
+| main.go:15:63:15:75 | call to Query | main.go:15:63:15:83 | index expression |
+| main.go:15:63:15:83 | index expression | main.go:15:11:15:84 | call to Sprintf |
+| main.go:16:63:16:70 | selection of Header | main.go:16:63:16:84 | call to Get |
+| main.go:16:63:16:84 | call to Get | main.go:16:11:16:85 | call to Sprintf |
+| main.go:28:17:31:2 | &... [pointer, Category] | main.go:34:3:34:13 | RequestData [pointer, Category] |
+| main.go:28:18:31:2 | struct literal [Category] | main.go:28:17:31:2 | &... [pointer, Category] |
+| main.go:30:13:30:19 | selection of URL | main.go:30:13:30:27 | call to Query |
+| main.go:30:13:30:27 | call to Query | main.go:30:13:30:39 | index expression |
+| main.go:30:13:30:39 | index expression | main.go:28:18:31:2 | struct literal [Category] |
+| main.go:33:7:34:23 | call to Sprintf | main.go:35:11:35:11 | q |
+| main.go:34:3:34:13 | RequestData [pointer, Category] | main.go:34:3:34:13 | implicit dereference [Category] |
+| main.go:34:3:34:13 | implicit dereference [Category] | main.go:34:3:34:22 | selection of Category |
+| main.go:34:3:34:22 | selection of Category | main.go:33:7:34:23 | call to Sprintf |
+| main.go:39:2:39:12 | definition of RequestData [pointer, Category] | main.go:40:2:40:12 | RequestData [pointer, Category] |
+| main.go:39:2:39:12 | definition of RequestData [pointer, Category] | main.go:43:3:43:13 | RequestData [pointer, Category] |
+| main.go:40:2:40:12 | RequestData [pointer, Category] | main.go:40:2:40:12 | implicit dereference [Category] |
+| main.go:40:2:40:12 | implicit dereference [Category] | main.go:39:2:39:12 | definition of RequestData [pointer, Category] |
+| main.go:40:25:40:31 | selection of URL | main.go:40:25:40:39 | call to Query |
+| main.go:40:25:40:39 | call to Query | main.go:40:25:40:51 | index expression |
+| main.go:40:25:40:51 | index expression | main.go:40:2:40:12 | implicit dereference [Category] |
+| main.go:42:7:43:23 | call to Sprintf | main.go:44:11:44:11 | q |
+| main.go:43:3:43:13 | RequestData [pointer, Category] | main.go:43:3:43:13 | implicit dereference [Category] |
+| main.go:43:3:43:13 | implicit dereference [Category] | main.go:43:3:43:22 | selection of Category |
+| main.go:43:3:43:22 | selection of Category | main.go:42:7:43:23 | call to Sprintf |
+| main.go:48:2:48:12 | definition of RequestData [pointer, Category] | main.go:49:4:49:14 | RequestData [pointer, Category] |
+| main.go:48:2:48:12 | definition of RequestData [pointer, Category] | main.go:52:3:52:13 | RequestData [pointer, Category] |
+| main.go:49:3:49:14 | star expression [Category] | main.go:48:2:48:12 | definition of RequestData [pointer, Category] |
+| main.go:49:4:49:14 | RequestData [pointer, Category] | main.go:49:3:49:14 | star expression [Category] |
+| main.go:49:28:49:34 | selection of URL | main.go:49:28:49:42 | call to Query |
+| main.go:49:28:49:42 | call to Query | main.go:49:28:49:54 | index expression |
+| main.go:49:28:49:54 | index expression | main.go:49:3:49:14 | star expression [Category] |
+| main.go:51:7:52:23 | call to Sprintf | main.go:53:11:53:11 | q |
+| main.go:52:3:52:13 | RequestData [pointer, Category] | main.go:52:3:52:13 | implicit dereference [Category] |
+| main.go:52:3:52:13 | implicit dereference [Category] | main.go:52:3:52:22 | selection of Category |
+| main.go:52:3:52:22 | selection of Category | main.go:51:7:52:23 | call to Sprintf |
+| main.go:57:2:57:12 | definition of RequestData [pointer, Category] | main.go:58:4:58:14 | RequestData [pointer, Category] |
+| main.go:57:2:57:12 | definition of RequestData [pointer, Category] | main.go:61:5:61:15 | RequestData [pointer, Category] |
+| main.go:58:3:58:14 | star expression [Category] | main.go:57:2:57:12 | definition of RequestData [pointer, Category] |
+| main.go:58:4:58:14 | RequestData [pointer, Category] | main.go:58:3:58:14 | star expression [Category] |
+| main.go:58:28:58:34 | selection of URL | main.go:58:28:58:42 | call to Query |
+| main.go:58:28:58:42 | call to Query | main.go:58:28:58:54 | index expression |
+| main.go:58:28:58:54 | index expression | main.go:58:3:58:14 | star expression [Category] |
+| main.go:60:7:61:26 | call to Sprintf | main.go:62:11:62:11 | q |
+| main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | call to Sprintf |
+| main.go:61:4:61:15 | star expression [Category] | main.go:61:3:61:25 | selection of Category |
+| main.go:61:5:61:15 | RequestData [pointer, Category] | main.go:61:4:61:15 | star expression [Category] |
 | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:42:28:42:41 | untrustedInput |
 | mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:50:34:50:39 | filter |
 | mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:61:27:61:32 | filter |
@@ -114,58 +114,58 @@ nodes
 | issue48.go:39:8:40:32 | call to Sprintf | semmle.label | call to Sprintf |
 | issue48.go:40:3:40:31 | selection of Category | semmle.label | selection of Category |
 | issue48.go:41:11:41:12 | q5 | semmle.label | q5 |
-| main.go:10:11:10:16 | selection of Form | semmle.label | selection of Form |
-| main.go:10:11:10:28 | index expression | semmle.label | index expression |
-| main.go:14:11:14:84 | call to Sprintf | semmle.label | call to Sprintf |
-| main.go:14:63:14:67 | selection of URL | semmle.label | selection of URL |
-| main.go:14:63:14:75 | call to Query | semmle.label | call to Query |
-| main.go:14:63:14:83 | index expression | semmle.label | index expression |
-| main.go:15:11:15:85 | call to Sprintf | semmle.label | call to Sprintf |
-| main.go:15:63:15:70 | selection of Header | semmle.label | selection of Header |
-| main.go:15:63:15:84 | call to Get | semmle.label | call to Get |
-| main.go:27:17:30:2 | &... [pointer, Category] | semmle.label | &... [pointer, Category] |
-| main.go:27:18:30:2 | struct literal [Category] | semmle.label | struct literal [Category] |
-| main.go:29:13:29:19 | selection of URL | semmle.label | selection of URL |
-| main.go:29:13:29:27 | call to Query | semmle.label | call to Query |
-| main.go:29:13:29:39 | index expression | semmle.label | index expression |
-| main.go:32:7:33:23 | call to Sprintf | semmle.label | call to Sprintf |
-| main.go:33:3:33:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
-| main.go:33:3:33:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
-| main.go:33:3:33:22 | selection of Category | semmle.label | selection of Category |
-| main.go:34:11:34:11 | q | semmle.label | q |
-| main.go:38:2:38:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
-| main.go:39:2:39:12 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
-| main.go:39:2:39:12 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
-| main.go:39:25:39:31 | selection of URL | semmle.label | selection of URL |
-| main.go:39:25:39:39 | call to Query | semmle.label | call to Query |
-| main.go:39:25:39:51 | index expression | semmle.label | index expression |
-| main.go:41:7:42:23 | call to Sprintf | semmle.label | call to Sprintf |
-| main.go:42:3:42:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
-| main.go:42:3:42:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
-| main.go:42:3:42:22 | selection of Category | semmle.label | selection of Category |
-| main.go:43:11:43:11 | q | semmle.label | q |
-| main.go:47:2:47:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
-| main.go:48:3:48:14 | star expression [Category] | semmle.label | star expression [Category] |
-| main.go:48:4:48:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
-| main.go:48:28:48:34 | selection of URL | semmle.label | selection of URL |
-| main.go:48:28:48:42 | call to Query | semmle.label | call to Query |
-| main.go:48:28:48:54 | index expression | semmle.label | index expression |
-| main.go:50:7:51:23 | call to Sprintf | semmle.label | call to Sprintf |
-| main.go:51:3:51:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
-| main.go:51:3:51:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
-| main.go:51:3:51:22 | selection of Category | semmle.label | selection of Category |
-| main.go:52:11:52:11 | q | semmle.label | q |
-| main.go:56:2:56:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
-| main.go:57:3:57:14 | star expression [Category] | semmle.label | star expression [Category] |
-| main.go:57:4:57:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
-| main.go:57:28:57:34 | selection of URL | semmle.label | selection of URL |
-| main.go:57:28:57:42 | call to Query | semmle.label | call to Query |
-| main.go:57:28:57:54 | index expression | semmle.label | index expression |
-| main.go:59:7:60:26 | call to Sprintf | semmle.label | call to Sprintf |
-| main.go:60:3:60:25 | selection of Category | semmle.label | selection of Category |
-| main.go:60:4:60:15 | star expression [Category] | semmle.label | star expression [Category] |
-| main.go:60:5:60:15 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
-| main.go:61:11:61:11 | q | semmle.label | q |
+| main.go:11:11:11:16 | selection of Form | semmle.label | selection of Form |
+| main.go:11:11:11:28 | index expression | semmle.label | index expression |
+| main.go:15:11:15:84 | call to Sprintf | semmle.label | call to Sprintf |
+| main.go:15:63:15:67 | selection of URL | semmle.label | selection of URL |
+| main.go:15:63:15:75 | call to Query | semmle.label | call to Query |
+| main.go:15:63:15:83 | index expression | semmle.label | index expression |
+| main.go:16:11:16:85 | call to Sprintf | semmle.label | call to Sprintf |
+| main.go:16:63:16:70 | selection of Header | semmle.label | selection of Header |
+| main.go:16:63:16:84 | call to Get | semmle.label | call to Get |
+| main.go:28:17:31:2 | &... [pointer, Category] | semmle.label | &... [pointer, Category] |
+| main.go:28:18:31:2 | struct literal [Category] | semmle.label | struct literal [Category] |
+| main.go:30:13:30:19 | selection of URL | semmle.label | selection of URL |
+| main.go:30:13:30:27 | call to Query | semmle.label | call to Query |
+| main.go:30:13:30:39 | index expression | semmle.label | index expression |
+| main.go:33:7:34:23 | call to Sprintf | semmle.label | call to Sprintf |
+| main.go:34:3:34:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
+| main.go:34:3:34:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
+| main.go:34:3:34:22 | selection of Category | semmle.label | selection of Category |
+| main.go:35:11:35:11 | q | semmle.label | q |
+| main.go:39:2:39:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
+| main.go:40:2:40:12 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
+| main.go:40:2:40:12 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
+| main.go:40:25:40:31 | selection of URL | semmle.label | selection of URL |
+| main.go:40:25:40:39 | call to Query | semmle.label | call to Query |
+| main.go:40:25:40:51 | index expression | semmle.label | index expression |
+| main.go:42:7:43:23 | call to Sprintf | semmle.label | call to Sprintf |
+| main.go:43:3:43:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
+| main.go:43:3:43:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
+| main.go:43:3:43:22 | selection of Category | semmle.label | selection of Category |
+| main.go:44:11:44:11 | q | semmle.label | q |
+| main.go:48:2:48:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
+| main.go:49:3:49:14 | star expression [Category] | semmle.label | star expression [Category] |
+| main.go:49:4:49:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
+| main.go:49:28:49:34 | selection of URL | semmle.label | selection of URL |
+| main.go:49:28:49:42 | call to Query | semmle.label | call to Query |
+| main.go:49:28:49:54 | index expression | semmle.label | index expression |
+| main.go:51:7:52:23 | call to Sprintf | semmle.label | call to Sprintf |
+| main.go:52:3:52:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
+| main.go:52:3:52:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
+| main.go:52:3:52:22 | selection of Category | semmle.label | selection of Category |
+| main.go:53:11:53:11 | q | semmle.label | q |
+| main.go:57:2:57:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
+| main.go:58:3:58:14 | star expression [Category] | semmle.label | star expression [Category] |
+| main.go:58:4:58:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
+| main.go:58:28:58:34 | selection of URL | semmle.label | selection of URL |
+| main.go:58:28:58:42 | call to Query | semmle.label | call to Query |
+| main.go:58:28:58:54 | index expression | semmle.label | index expression |
+| main.go:60:7:61:26 | call to Sprintf | semmle.label | call to Sprintf |
+| main.go:61:3:61:25 | selection of Category | semmle.label | selection of Category |
+| main.go:61:4:61:15 | star expression [Category] | semmle.label | star expression [Category] |
+| main.go:61:5:61:15 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
+| main.go:62:11:62:11 | q | semmle.label | q |
 | mongoDB.go:40:20:40:30 | call to Referer | semmle.label | call to Referer |
 | mongoDB.go:42:19:42:42 | struct literal | semmle.label | struct literal |
 | mongoDB.go:42:28:42:41 | untrustedInput | semmle.label | untrustedInput |
@@ -191,13 +191,13 @@ subpaths
 | issue48.go:22:11:22:12 | q3 | issue48.go:17:25:17:32 | selection of Body | issue48.go:22:11:22:12 | q3 | This query depends on a $@. | issue48.go:17:25:17:32 | selection of Body | user-provided value |
 | issue48.go:32:11:32:12 | q4 | issue48.go:27:26:27:33 | selection of Body | issue48.go:32:11:32:12 | q4 | This query depends on a $@. | issue48.go:27:26:27:33 | selection of Body | user-provided value |
 | issue48.go:41:11:41:12 | q5 | issue48.go:37:24:37:30 | selection of URL | issue48.go:41:11:41:12 | q5 | This query depends on a $@. | issue48.go:37:24:37:30 | selection of URL | user-provided value |
-| main.go:10:11:10:28 | index expression | main.go:10:11:10:16 | selection of Form | main.go:10:11:10:28 | index expression | This query depends on a $@. | main.go:10:11:10:16 | selection of Form | user-provided value |
-| main.go:14:11:14:84 | call to Sprintf | main.go:14:63:14:67 | selection of URL | main.go:14:11:14:84 | call to Sprintf | This query depends on a $@. | main.go:14:63:14:67 | selection of URL | user-provided value |
-| main.go:15:11:15:85 | call to Sprintf | main.go:15:63:15:70 | selection of Header | main.go:15:11:15:85 | call to Sprintf | This query depends on a $@. | main.go:15:63:15:70 | selection of Header | user-provided value |
-| main.go:34:11:34:11 | q | main.go:29:13:29:19 | selection of URL | main.go:34:11:34:11 | q | This query depends on a $@. | main.go:29:13:29:19 | selection of URL | user-provided value |
-| main.go:43:11:43:11 | q | main.go:39:25:39:31 | selection of URL | main.go:43:11:43:11 | q | This query depends on a $@. | main.go:39:25:39:31 | selection of URL | user-provided value |
-| main.go:52:11:52:11 | q | main.go:48:28:48:34 | selection of URL | main.go:52:11:52:11 | q | This query depends on a $@. | main.go:48:28:48:34 | selection of URL | user-provided value |
-| main.go:61:11:61:11 | q | main.go:57:28:57:34 | selection of URL | main.go:61:11:61:11 | q | This query depends on a $@. | main.go:57:28:57:34 | selection of URL | user-provided value |
+| main.go:11:11:11:28 | index expression | main.go:11:11:11:16 | selection of Form | main.go:11:11:11:28 | index expression | This query depends on a $@. | main.go:11:11:11:16 | selection of Form | user-provided value |
+| main.go:15:11:15:84 | call to Sprintf | main.go:15:63:15:67 | selection of URL | main.go:15:11:15:84 | call to Sprintf | This query depends on a $@. | main.go:15:63:15:67 | selection of URL | user-provided value |
+| main.go:16:11:16:85 | call to Sprintf | main.go:16:63:16:70 | selection of Header | main.go:16:11:16:85 | call to Sprintf | This query depends on a $@. | main.go:16:63:16:70 | selection of Header | user-provided value |
+| main.go:35:11:35:11 | q | main.go:30:13:30:19 | selection of URL | main.go:35:11:35:11 | q | This query depends on a $@. | main.go:30:13:30:19 | selection of URL | user-provided value |
+| main.go:44:11:44:11 | q | main.go:40:25:40:31 | selection of URL | main.go:44:11:44:11 | q | This query depends on a $@. | main.go:40:25:40:31 | selection of URL | user-provided value |
+| main.go:53:11:53:11 | q | main.go:49:28:49:34 | selection of URL | main.go:53:11:53:11 | q | This query depends on a $@. | main.go:49:28:49:34 | selection of URL | user-provided value |
+| main.go:62:11:62:11 | q | main.go:58:28:58:34 | selection of URL | main.go:62:11:62:11 | q | This query depends on a $@. | main.go:58:28:58:34 | selection of URL | user-provided value |
 | mongoDB.go:57:22:57:29 | pipeline | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:57:22:57:29 | pipeline | This query depends on a $@. | mongoDB.go:40:20:40:30 | call to Referer | user-provided value |
 | mongoDB.go:61:27:61:32 | filter | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:61:27:61:32 | filter | This query depends on a $@. | mongoDB.go:40:20:40:30 | call to Referer | user-provided value |
 | mongoDB.go:63:23:63:28 | filter | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:63:23:63:28 | filter | This query depends on a $@. | mongoDB.go:40:20:40:30 | call to Referer | user-provided value |
diff --git a/go/ql/test/query-tests/Security/CWE-089/main.go b/go/ql/test/query-tests/Security/CWE-089/main.go
index b1858f7e5b1..7e5f5a35a9d 100644
--- a/go/ql/test/query-tests/Security/CWE-089/main.go
+++ b/go/ql/test/query-tests/Security/CWE-089/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"database/sql"
+	"encoding/json"
 	"fmt"
 	"net/http"
 )
@@ -60,3 +61,13 @@ func handler5(db *sql.DB, req *http.Request) {
 		(*RequestData).Category)
 	db.Query(q)
 }
+
+// This is an integer, so should not counted as injection
+func handlerint(db *sql.DB, req *http.Request) {
+	var request RequestStruct
+	json.NewDecoder(req.Body).Decode(&request)
+
+	q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%d' ORDER BY PRICE",
+		request.Id)
+	db.Query(q)
+}

From f9fe86a1ca055e4532d7f745c5adad48f4615c12 Mon Sep 17 00:00:00 2001
From: Kevin Stubbings <kwstubbs@github.com>
Date: Tue, 12 Sep 2023 21:34:30 -0700
Subject: [PATCH 2/3] Added change-notes

---
 .../change-notes/2023-09-12-add-int&bool-sanitizer-for-sql.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 go/ql/lib/change-notes/2023-09-12-add-int&bool-sanitizer-for-sql.md

diff --git a/go/ql/lib/change-notes/2023-09-12-add-int&bool-sanitizer-for-sql.md b/go/ql/lib/change-notes/2023-09-12-add-int&bool-sanitizer-for-sql.md
new file mode 100644
index 00000000000..26751edf2fe
--- /dev/null
+++ b/go/ql/lib/change-notes/2023-09-12-add-int&bool-sanitizer-for-sql.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added Numeric and Boolean types to SQL injection sanitzers.
\ No newline at end of file

From a63bb1bbedfe5464ed5f6559e873dadd9eea935c Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Fri, 15 Sep 2023 12:58:44 +0100
Subject: [PATCH 3/3] Tidy

---
 .../go/security/SqlInjectionCustomizations.qll | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll
index 99f24b6a473..7cd99ab5508 100644
--- a/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll
@@ -25,15 +25,6 @@ module SqlInjection {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
-  /**
-   * A numeric- or boolean-typed node, considered a sanitizer for sql injection.
-   */
-  class NumericOrBooleanSanitizer extends Sanitizer {
-    NumericOrBooleanSanitizer() {
-      this.getType() instanceof NumericType or this.getType() instanceof BoolType
-    }
-  }
-
   /**
    * DEPRECATED: Use `Sanitizer` instead.
    *
@@ -49,4 +40,13 @@ module SqlInjection {
 
   /** A NoSql query, considered as a taint sink for SQL injection. */
   class NoSqlQueryAsSink extends Sink instanceof NoSql::Query { }
+
+  /**
+   * A numeric- or boolean-typed node, considered a sanitizer for sql injection.
+   */
+  class NumericOrBooleanSanitizer extends Sanitizer {
+    NumericOrBooleanSanitizer() {
+      this.getType() instanceof NumericType or this.getType() instanceof BoolType
+    }
+  }
 }