@@ -48,6 +48,41 @@ module SQL {
4848 }
4949 }
5050
51+ private class SqlDriverMethodModels extends TaintTracking:: FunctionModel , Method {
52+ FunctionInput inp ;
53+ FunctionOutput outp ;
54+
55+ SqlDriverMethodModels ( ) {
56+ // signature: func (NotNull).ConvertValue(v interface{}) (Value, error)
57+ this .hasQualifiedName ( "database/sql/driver" , "NotNull" , "ConvertValue" ) and
58+ ( inp .isParameter ( 0 ) and outp .isResult ( 0 ) )
59+ or
60+ // signature: func (Null).ConvertValue(v interface{}) (Value, error)
61+ this .hasQualifiedName ( "database/sql/driver" , "Null" , "ConvertValue" ) and
62+ ( inp .isParameter ( 0 ) and outp .isResult ( 0 ) )
63+ or
64+ // signature: func (ValueConverter).ConvertValue(v interface{}) (Value, error)
65+ this .implements ( "database/sql/driver" , "ValueConverter" , "ConvertValue" ) and
66+ ( inp .isParameter ( 0 ) and outp .isResult ( 0 ) )
67+ or
68+ // signature: func (Conn).Prepare(query string) (Stmt, error)
69+ this .implements ( "database/sql/driver" , "Conn" , "Prepare" ) and
70+ ( inp .isParameter ( 0 ) and outp .isResult ( 0 ) )
71+ or
72+ // signature: func (ConnPrepareContext).PrepareContext(ctx context.Context, query string) (Stmt, error)
73+ this .implements ( "database/sql/driver" , "ConnPrepareContext" , "PrepareContext" ) and
74+ ( inp .isParameter ( 1 ) and outp .isResult ( 0 ) )
75+ or
76+ // signature: func (Valuer).Value() (Value, error)
77+ this .implements ( "database/sql/driver" , "Valuer" , "Value" ) and
78+ ( inp .isReceiver ( ) and outp .isResult ( 0 ) )
79+ }
80+
81+ override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
82+ input = inp and output = outp
83+ }
84+ }
85+
5186 /**
5287 * A data-flow node whose string value is interpreted as (part of) a SQL query.
5388 *
0 commit comments