Skip to content

Commit 3b2b7d7

Browse files
owen-mcowen-mc
committed
Convert Xorm sql-injection sinks to MaD
1 parent ba31041 commit 3b2b7d7

File tree

2 files changed

+53
-22
lines changed

2 files changed

+53
-22
lines changed

go/ql/lib/ext/xorm.io.xorm.model.yml

Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/go-all
4+
extensible: packageGrouping
5+
data:
6+
- ["xorm", "xorm.io/xorm"]
7+
- ["xorm", "github.com/go-xorm/xorm"]
8+
- addsTo:
9+
pack: codeql/go-all
10+
extensible: sinkModel
11+
data:
12+
- ["group:xorm", "Engine", True, "Alias", "", "", "Argument[0]", "sql-injection", "manual"]
13+
- ["group:xorm", "Engine", True, "And", "", "", "Argument[0]", "sql-injection", "manual"]
14+
- ["group:xorm", "Engine", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
15+
- ["group:xorm", "Engine", True, "GroupBy", "", "", "Argument[0]", "sql-injection", "manual"]
16+
- ["group:xorm", "Engine", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
17+
- ["group:xorm", "Engine", True, "In", "", "", "Argument[0]", "sql-injection", "manual"]
18+
- ["group:xorm", "Engine", True, "Join", "", "", "Argument[0..2]", "sql-injection", "manual"]
19+
- ["group:xorm", "Engine", True, "NotIn", "", "", "Argument[0]", "sql-injection", "manual"]
20+
- ["group:xorm", "Engine", True, "Or", "", "", "Argument[0]", "sql-injection", "manual"]
21+
- ["group:xorm", "Engine", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"]
22+
- ["group:xorm", "Engine", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
23+
- ["group:xorm", "Engine", True, "QueryString", "", "", "Argument[0]", "sql-injection", "manual"]
24+
- ["group:xorm", "Engine", True, "QueryInterface", "", "", "Argument[0]", "sql-injection", "manual"]
25+
- ["group:xorm", "Engine", True, "Select", "", "", "Argument[0]", "sql-injection", "manual"]
26+
- ["group:xorm", "Engine", True, "SetExpr", "", "", "Argument[0]", "sql-injection", "manual"]
27+
- ["group:xorm", "Engine", True, "SQL", "", "", "Argument[0]", "sql-injection", "manual"]
28+
- ["group:xorm", "Engine", True, "Sum", "", "", "Argument[1]", "sql-injection", "manual"]
29+
- ["group:xorm", "Engine", True, "Sums", "", "", "Argument[1]", "sql-injection", "manual"]
30+
- ["group:xorm", "Engine", True, "SumInt", "", "", "Argument[1]", "sql-injection", "manual"]
31+
- ["group:xorm", "Engine", True, "SumsInt", "", "", "Argument[1]", "sql-injection", "manual"]
32+
- ["group:xorm", "Engine", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
33+
- ["group:xorm", "Session", True, "Alias", "", "", "Argument[0]", "sql-injection", "manual"]
34+
- ["group:xorm", "Session", True, "And", "", "", "Argument[0]", "sql-injection", "manual"]
35+
- ["group:xorm", "Session", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
36+
- ["group:xorm", "Session", True, "GroupBy", "", "", "Argument[0]", "sql-injection", "manual"]
37+
- ["group:xorm", "Session", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
38+
- ["group:xorm", "Session", True, "In", "", "", "Argument[0]", "sql-injection", "manual"]
39+
- ["group:xorm", "Session", True, "Join", "", "", "Argument[0..2]", "sql-injection", "manual"]
40+
- ["group:xorm", "Session", True, "NotIn", "", "", "Argument[0]", "sql-injection", "manual"]
41+
- ["group:xorm", "Session", True, "Or", "", "", "Argument[0]", "sql-injection", "manual"]
42+
- ["group:xorm", "Session", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"]
43+
- ["group:xorm", "Session", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
44+
- ["group:xorm", "Session", True, "QueryString", "", "", "Argument[0]", "sql-injection", "manual"]
45+
- ["group:xorm", "Session", True, "QueryInterface", "", "", "Argument[0]", "sql-injection", "manual"]
46+
- ["group:xorm", "Session", True, "Select", "", "", "Argument[0]", "sql-injection", "manual"]
47+
- ["group:xorm", "Session", True, "SetExpr", "", "", "Argument[0]", "sql-injection", "manual"]
48+
- ["group:xorm", "Session", True, "SQL", "", "", "Argument[0]", "sql-injection", "manual"]
49+
- ["group:xorm", "Session", True, "Sum", "", "", "Argument[1]", "sql-injection", "manual"]
50+
- ["group:xorm", "Session", True, "Sums", "", "", "Argument[1]", "sql-injection", "manual"]
51+
- ["group:xorm", "Session", True, "SumInt", "", "", "Argument[1]", "sql-injection", "manual"]
52+
- ["group:xorm", "Session", True, "SumsInt", "", "", "Argument[1]", "sql-injection", "manual"]
53+
- ["group:xorm", "Session", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]

go/ql/lib/semmle/go/frameworks/SQL.qll

Lines changed: 0 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -168,28 +168,6 @@ module Gorm {
168168
module Xorm {
169169
/** Gets the package name for Xorm. */
170170
string packagePath() { result = package(["xorm.io/xorm", "github.com/go-xorm/xorm"], "") }
171-
172-
/** A model for sinks of XORM. */
173-
private class XormSink extends SQL::QueryString::Range {
174-
XormSink() {
175-
exists(Method meth, string type, string name, int n |
176-
meth.hasQualifiedName(Xorm::packagePath(), type, name) and
177-
this = meth.getACall().getSyntacticArgument(n) and
178-
type = ["Engine", "Session"]
179-
|
180-
name =
181-
[
182-
"Query", "Exec", "QueryString", "QueryInterface", "SQL", "Where", "And", "Or", "Alias",
183-
"NotIn", "In", "Select", "SetExpr", "OrderBy", "Having", "GroupBy"
184-
] and
185-
n = 0
186-
or
187-
name = ["SumInt", "Sum", "Sums", "SumsInt"] and n = 1
188-
or
189-
name = "Join" and n = [0, 1, 2]
190-
)
191-
}
192-
}
193171
}
194172

195173
/**

0 commit comments

Comments
 (0)