Merge pull request #349 from gagliardetto/stdlib-339-340-342-346-347

Merge #339 #340 #342 #346 #347

Author: smowton

ql/src/semmle/go/frameworks/SQL.qll

@@ -6,6 +6,79 @@ import go
 
 /** Provides classes for working with SQL-related APIs. */
 module SQL {
+  private class SqlFunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    SqlFunctionModels() {
+      // signature: func Named(name string, value interface{}) NamedArg
+      hasQualifiedName("database/sql", "Named") and
+      (inp.isParameter(_) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class SqlMethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    SqlMethodModels() {
+      // signature: func (*Row).Scan(dest ...interface{}) error
+      this.hasQualifiedName("database/sql", "Row", "Scan") and
+      (inp.isReceiver() and outp.isParameter(_))
+      or
+      // signature: func (*Rows).Scan(dest ...interface{}) error
+      this.hasQualifiedName("database/sql", "Rows", "Scan") and
+      (inp.isReceiver() and outp.isParameter(_))
+      or
+      // signature: func (Scanner).Scan(src interface{}) error
+      this.implements("database/sql", "Scanner", "Scan") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class SqlDriverMethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    SqlDriverMethodModels() {
+      // signature: func (NotNull).ConvertValue(v interface{}) (Value, error)
+      this.hasQualifiedName("database/sql/driver", "NotNull", "ConvertValue") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (Null).ConvertValue(v interface{}) (Value, error)
+      this.hasQualifiedName("database/sql/driver", "Null", "ConvertValue") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (ValueConverter).ConvertValue(v interface{}) (Value, error)
+      this.implements("database/sql/driver", "ValueConverter", "ConvertValue") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (Conn).Prepare(query string) (Stmt, error)
+      this.implements("database/sql/driver", "Conn", "Prepare") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (ConnPrepareContext).PrepareContext(ctx context.Context, query string) (Stmt, error)
+      this.implements("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
+      (inp.isParameter(1) and outp.isResult(0))
+      or
+      // signature: func (Valuer).Value() (Value, error)
+      this.implements("database/sql/driver", "Valuer", "Value") and
+      (inp.isReceiver() and outp.isResult(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
   /**
    * A data-flow node whose string value is interpreted as (part of) a SQL query.
    *
@@ -34,7 +107,8 @@ module SQL {
         exists(Method meth, string base, string m, int n |
           (
             meth.hasQualifiedName("database/sql", "DB", m) or
-            meth.hasQualifiedName("database/sql", "Tx", m)
+            meth.hasQualifiedName("database/sql", "Tx", m) or
+            meth.hasQualifiedName("database/sql", "Conn", m)
           ) and
           this = meth.getACall().getArgument(n)
         |
@@ -48,6 +122,29 @@ module SQL {
       }
     }
 
+    /** A query string used in an API function of the standard `database/sql/driver` package. */
+    private class DriverQueryString extends Range {
+      DriverQueryString() {
+        exists(Method meth, int n |
+          (
+            meth.hasQualifiedName("database/sql/driver", "Execer", "Exec") and n = 0
+            or
+            meth.hasQualifiedName("database/sql/driver", "ExecerContext", "ExecContext") and n = 1
+            or
+            meth.hasQualifiedName("database/sql/driver", "Conn", "Prepare") and n = 0
+            or
+            meth.hasQualifiedName("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
+            n = 1
+            or
+            meth.hasQualifiedName("database/sql/driver", "Queryer", "Query") and n = 0
+            or
+            meth.hasQualifiedName("database/sql/driver", "QueryerContext", "QueryContext") and n = 1
+          ) and
+          this = meth.getACall().getArgument(n)
+        )
+      }
+    }
+
     /**
      * An argument to an API of the squirrel library that is directly interpreted as SQL without
      * taking syntactic structure into account.