Convert Bun sql-injection sinks to MaD

Author: owen-mc

go/ql/lib/ext/github.com.uptrace.bun.model.yml

@@ -0,0 +1,68 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/uptrace/bun", "", True, "NewRawQuery", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "AddColumnQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "AddColumnQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "AddColumnQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "NewRaw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "Conn", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateIndexQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateTableQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateTableQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "CreateTableQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "NewRaw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "QueryRow", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "QueryRowContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DeleteQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DeleteQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DeleteQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropColumnQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropColumnQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropColumnQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropTableQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "DropTableQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "InsertQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "MergeQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "MergeQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "RawQuery", True, "NewRaw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "ColumnExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "DistinctOn", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "For", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "GroupExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "OrderExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "TruncateTableQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "UpdateQuery", True, "ModelTableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "UpdateQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "UpdateQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/uptrace/bun", "UpdateQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -171,45 +171,8 @@ module Xorm {
 }
 
 /**
+ * DEPRECATED
+ *
  * Provides classes for working with the [Bun](https://bun.uptrace.dev/) package.
  */
-module Bun {
-  /** Gets the package name for Bun package. */
-  private string packagePath() { result = package("github.com/uptrace/bun", "") }
-
-  /** A model for sinks of Bun. */
-  private class BunSink extends SQL::QueryString::Range {
-    BunSink() {
-      exists(Function f, string m, int arg | this = f.getACall().getArgument(arg) |
-        f.hasQualifiedName(packagePath(), m) and
-        m = "NewRawQuery" and
-        arg = 1
-      )
-      or
-      exists(Method f, string tp, string m, int arg | this = f.getACall().getArgument(arg) |
-        f.hasQualifiedName(packagePath(), tp, m) and
-        (
-          tp = ["DB", "Conn"] and
-          m = ["ExecContext", "PrepareContext", "QueryContext", "QueryRowContext"] and
-          arg = 1
-          or
-          tp = ["DB", "Conn"] and
-          m = ["Exec", "NewRaw", "Prepare", "Query", "QueryRow", "Raw"] and
-          arg = 0
-          or
-          tp.matches("%Query") and
-          m =
-            [
-              "ColumnExpr", "DistinctOn", "For", "GroupExpr", "Having", "ModelTableExpr",
-              "OrderExpr", "TableExpr", "Where", "WhereOr"
-            ] and
-          arg = 0
-          or
-          tp = "RawQuery" and
-          m = "NewRaw" and
-          arg = 0
-        )
-      )
-    }
-  }
-}
+deprecated module Bun { }

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/QueryString.expected

@@ -0,0 +1,3 @@
+failures
+invalidModelRow
+testFailures

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/QueryString.ql

@@ -0,0 +1,60 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SqlTest implements TestSig {
+  string getARelevantTag() { result = "query" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "query" and
+    exists(SQL::Query q, SQL::QueryString qs | qs = q.getAQueryString() |
+      q.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = q.toString() and
+      value = qs.toString()
+    )
+  }
+}
+
+module QueryString implements TestSig {
+  string getARelevantTag() { result = "querystring" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "querystring" and
+    element = "" and
+    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
+      qs.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      value = qs.toString()
+    )
+  }
+}
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLit }
+
+  predicate isSink(DataFlow::Node n) {
+    n = any(DataFlow::CallNode cn | cn.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+module TaintFlow implements TestSig {
+  string getARelevantTag() { result = "flowfrom" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "flowfrom" and
+    element = "" and
+    exists(DataFlow::Node fromNode, DataFlow::Node toNode |
+      toNode
+          .hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+            location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      Flow::flow(fromNode, toNode) and
+      value = fromNode.asExpr().(StringLit).getValue()
+    )
+  }
+}
+
+import MakeTest<MergeTests3<SqlTest, QueryString, TaintFlow>>

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.go

@@ -22,28 +22,28 @@ func main() {
 		panic(err)
 	}
 	db := bun.NewDB(sqlite, sqlitedialect.New())
-	bun.NewRawQuery(db, untrusted)
-
-	db.ExecContext(ctx, untrusted)
-	db.PrepareContext(ctx, untrusted)
-	db.QueryContext(ctx, untrusted)
-	db.QueryRowContext(ctx, untrusted)
-
-	db.Exec(untrusted)
-	db.NewRaw(untrusted)
-	db.Prepare(untrusted)
-	db.Query(untrusted)
-	db.QueryRow(untrusted)
-	db.Raw(untrusted)
-
-	db.NewSelect().ColumnExpr(untrusted)
-	db.NewSelect().DistinctOn(untrusted)
-	db.NewSelect().For(untrusted)
-	db.NewSelect().GroupExpr(untrusted)
-	db.NewSelect().Having(untrusted)
-	db.NewSelect().ModelTableExpr(untrusted)
-	db.NewSelect().OrderExpr(untrusted)
-	db.NewSelect().TableExpr(untrusted)
-	db.NewSelect().Where(untrusted)
-	db.NewSelect().WhereOr(untrusted)
+	bun.NewRawQuery(db, untrusted) // $ querystring=untrusted
+
+	db.ExecContext(ctx, untrusted)     // $ querystring=untrusted
+	db.PrepareContext(ctx, untrusted)  // $ querystring=untrusted
+	db.QueryContext(ctx, untrusted)    // $ querystring=untrusted
+	db.QueryRowContext(ctx, untrusted) // $ querystring=untrusted
+
+	db.Exec(untrusted)     // $ querystring=untrusted
+	db.NewRaw(untrusted)   // $ querystring=untrusted
+	db.Prepare(untrusted)  // $ querystring=untrusted
+	db.Query(untrusted)    // $ querystring=untrusted
+	db.QueryRow(untrusted) // $ querystring=untrusted
+	db.Raw(untrusted)      // $ querystring=untrusted
+
+	db.NewSelect().ColumnExpr(untrusted)     // $ querystring=untrusted
+	db.NewSelect().DistinctOn(untrusted)     // $ querystring=untrusted
+	db.NewSelect().For(untrusted)            // $ querystring=untrusted
+	db.NewSelect().GroupExpr(untrusted)      // $ querystring=untrusted
+	db.NewSelect().Having(untrusted)         // $ querystring=untrusted
+	db.NewSelect().ModelTableExpr(untrusted) // $ querystring=untrusted
+	db.NewSelect().OrderExpr(untrusted)      // $ querystring=untrusted
+	db.NewSelect().TableExpr(untrusted)      // $ querystring=untrusted
+	db.NewSelect().Where(untrusted)          // $ querystring=untrusted
+	db.NewSelect().WhereOr(untrusted)        // $ querystring=untrusted
 }