Merge pull request #328 from owen-mc/gorm-exec

max-schaefer · web-flow · commit e9bf3317b543 · 2020-09-11T08:41:09.000+01:00
Update GORM model
diff --git a/change-notes/2020-09-10-gorm-model-improved.md b/change-notes/2020-09-10-gorm-model-improved.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Support for the [GORM](https://github.com/go-gorm/gorm) ORM library (specifically, its SQL
+  statement building facilities) has been improved, which may lead to more results from the
+  security queries.
diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll
@@ -161,13 +161,15 @@ module SQL {
     }
   }
 
-  /** A model for sinks of github.com/jinzhu/gorm. */
+  /** A model for sinks of GORM. */
   private class GormSink extends SQL::QueryString::Range {
     GormSink() {
-      exists(Method meth, string name |
-        meth.hasQualifiedName("github.com/jinzhu/gorm", "DB", name) and
+      exists(Method meth, string package, string name |
+        meth.hasQualifiedName(package, "DB", name) and
         this = meth.getACall().getArgument(0) and
-        name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins"]
+        package in ["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"] and
+        name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having",
+              "Joins", "Exec", "Distinct", "Pluck"]
       )
     }
   }
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/go.mod b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/go.mod
@@ -3,5 +3,6 @@ module gormtest
 go 1.14
 
 require (
-	github.com/jinzhu/gorm v1.9.15
+	github.com/jinzhu/gorm v1.9.16
+	gorm.io/gorm v1.20.0
 )
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected
@@ -1,9 +1,25 @@
-| gorm.go:15:11:15:19 | untrusted |
-| gorm.go:16:9:16:17 | untrusted |
-| gorm.go:17:11:17:19 | untrusted |
-| gorm.go:18:8:18:16 | untrusted |
-| gorm.go:19:12:19:20 | untrusted |
-| gorm.go:20:11:20:19 | untrusted |
-| gorm.go:21:11:21:19 | untrusted |
-| gorm.go:22:12:22:20 | untrusted |
-| gorm.go:23:11:23:19 | untrusted |
+| gorm.go:20:12:20:20 | untrusted | github.com/jinzhu/gorm | DB | Where |
+| gorm.go:21:10:21:18 | untrusted | github.com/jinzhu/gorm | DB | Raw |
+| gorm.go:22:10:22:18 | untrusted | github.com/jinzhu/gorm | DB | Not |
+| gorm.go:23:12:23:20 | untrusted | github.com/jinzhu/gorm | DB | Order |
+| gorm.go:24:9:24:17 | untrusted | github.com/jinzhu/gorm | DB | Or |
+| gorm.go:25:13:25:21 | untrusted | github.com/jinzhu/gorm | DB | Select |
+| gorm.go:26:12:26:20 | untrusted | github.com/jinzhu/gorm | DB | Table |
+| gorm.go:27:12:27:20 | untrusted | github.com/jinzhu/gorm | DB | Group |
+| gorm.go:28:13:28:21 | untrusted | github.com/jinzhu/gorm | DB | Having |
+| gorm.go:29:12:29:20 | untrusted | github.com/jinzhu/gorm | DB | Joins |
+| gorm.go:30:11:30:19 | untrusted | github.com/jinzhu/gorm | DB | Exec |
+| gorm.go:31:12:31:20 | untrusted | github.com/jinzhu/gorm | DB | Pluck |
+| gorm.go:34:12:34:20 | untrusted | gorm.io/gorm | DB | Where |
+| gorm.go:35:10:35:18 | untrusted | gorm.io/gorm | DB | Raw |
+| gorm.go:36:10:36:18 | untrusted | gorm.io/gorm | DB | Not |
+| gorm.go:37:12:37:20 | untrusted | gorm.io/gorm | DB | Order |
+| gorm.go:38:9:38:17 | untrusted | gorm.io/gorm | DB | Or |
+| gorm.go:39:13:39:21 | untrusted | gorm.io/gorm | DB | Select |
+| gorm.go:40:12:40:20 | untrusted | gorm.io/gorm | DB | Table |
+| gorm.go:41:12:41:20 | untrusted | gorm.io/gorm | DB | Group |
+| gorm.go:42:13:42:21 | untrusted | gorm.io/gorm | DB | Having |
+| gorm.go:43:12:43:20 | untrusted | gorm.io/gorm | DB | Joins |
+| gorm.go:44:11:44:19 | untrusted | gorm.io/gorm | DB | Exec |
+| gorm.go:45:15:45:23 | untrusted | gorm.io/gorm | DB | Distinct |
+| gorm.go:46:12:46:20 | untrusted | gorm.io/gorm | DB | Pluck |
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go
@@ -1,7 +1,11 @@
 package gormtest
 
+//go:generate depstubber -vendor github.com/jinzhu/gorm DB
+//go:generate depstubber -vendor gorm.io/gorm DB
+
 import (
-	"github.com/jinzhu/gorm"
+	gorm1 "github.com/jinzhu/gorm"
+	gorm2 "gorm.io/gorm"
 )
 
 func getUntrustedString() string {
@@ -10,16 +14,35 @@ func getUntrustedString() string {
 
 func main() {
 
-	db := gorm.DB{}
 	untrusted := getUntrustedString()
-	db.Where(untrusted)
-	db.Not(untrusted)
-	db.Order(untrusted)
-	db.Or(untrusted)
-	db.Select(untrusted)
-	db.Table(untrusted)
-	db.Group(untrusted)
-	db.Having(untrusted)
-	db.Joins(untrusted)
+
+	db1 := gorm1.DB{}
+	db1.Where(untrusted)
+	db1.Raw(untrusted)
+	db1.Not(untrusted)
+	db1.Order(untrusted)
+	db1.Or(untrusted)
+	db1.Select(untrusted)
+	db1.Table(untrusted)
+	db1.Group(untrusted)
+	db1.Having(untrusted)
+	db1.Joins(untrusted)
+	db1.Exec(untrusted)
+	db1.Pluck(untrusted, nil)
+
+	db2 := gorm2.DB{}
+	db2.Where(untrusted)
+	db2.Raw(untrusted)
+	db2.Not(untrusted)
+	db2.Order(untrusted)
+	db2.Or(untrusted)
+	db2.Select(untrusted)
+	db2.Table(untrusted)
+	db2.Group(untrusted)
+	db2.Having(untrusted)
+	db2.Joins(untrusted)
+	db2.Exec(untrusted)
+	db2.Distinct(untrusted)
+	db2.Pluck(untrusted, nil)
 
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql
@@ -1,4 +1,5 @@
 import go
 
-from SQL::QueryString qs
-select qs
+from SQL::QueryString qs, Method meth, string a, string b, string c
+where meth.hasQualifiedName(a, b, c) and qs = meth.getACall().getArgument(0)
+select qs, a, b, c
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/gorm.io/gorm/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/gorm.io/gorm/stub.go
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/vendor/modules.txt

Original file line number	Diff line number	Diff line change
`@@ -161,13 +161,15 @@ module SQL {`
`161`	`161`	`}`
`162`	`162`	`}`
`163`	`163`
`164`		`- /** A model for sinks of github.com/jinzhu/gorm. */`
	`164`	`+ /** A model for sinks of GORM. */`
`165`	`165`	`private class GormSink extends SQL::QueryString::Range {`
`166`	`166`	`GormSink() {`
`167`		`- exists(Method meth, string name \|`
`168`		`- meth.hasQualifiedName("github.com/jinzhu/gorm", "DB", name) and`
	`167`	`+ exists(Method meth, string package, string name \|`
	`168`	`+ meth.hasQualifiedName(package, "DB", name) and`
`169`	`169`	`this = meth.getACall().getArgument(0) and`
`170`		`- name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins"]`
	`170`	`+ package in ["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"] and`
	`171`	`+ name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having",`
	`172`	`+ "Joins", "Exec", "Distinct", "Pluck"]`
`171`	`173`	`)`
`172`	`174`	`}`
`173`	`175`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,5 +3,6 @@ module gormtest`
`3`	`3`	`go 1.14`
`4`	`4`
`5`	`5`	`require (`
`6`		`- github.com/jinzhu/gorm v1.9.15`
	`6`	`+ github.com/jinzhu/gorm v1.9.16`
	`7`	`+ gorm.io/gorm v1.20.0`
`7`	`8`	`)`