Convert database/sql/driver sql-injection sinks to MaD

owen-mc · owen-mc · commit 652dd88c363c · 2024-08-16T11:19:06.000+01:00
diff --git a/go/ql/lib/ext/database.sql.driver.model.yml b/go/ql/lib/ext/database.sql.driver.model.yml
@@ -1,4 +1,14 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["database/sql/driver", "Execer", False, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql/driver", "ExecerContext", False, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql/driver", "Conn", False, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql/driver", "ConnPrepareContext", False, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql/driver", "Queryer", False, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql/driver", "QueryerContext", False, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll b/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
@@ -60,36 +60,13 @@ module DatabaseSql {
     override DataFlow::Node getAResult() { result = this.getResult(0) }
 
     override SQL::QueryString getAQueryString() {
-      result = this.getAnArgument()
+      result = this.getASyntacticArgument()
       or
       this.getTarget().hasQualifiedName("database/sql/driver", "Stmt") and
       result = this.getReceiver().getAPredecessor*().(DataFlow::MethodCallNode).getAnArgument()
     }
   }
 
-  /** A query string used in an API function of the standard `database/sql/driver` package. */
-  private class DriverQueryString extends SQL::QueryString::Range {
-    DriverQueryString() {
-      exists(Method meth, int n |
-        (
-          meth.hasQualifiedName("database/sql/driver", "Execer", "Exec") and n = 0
-          or
-          meth.hasQualifiedName("database/sql/driver", "ExecerContext", "ExecContext") and n = 1
-          or
-          meth.hasQualifiedName("database/sql/driver", "Conn", "Prepare") and n = 0
-          or
-          meth.hasQualifiedName("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
-          n = 1
-          or
-          meth.hasQualifiedName("database/sql/driver", "Queryer", "Query") and n = 0
-          or
-          meth.hasQualifiedName("database/sql/driver", "QueryerContext", "QueryContext") and n = 1
-        ) and
-        this = meth.getACall().getArgument(n)
-      )
-    }
-  }
-
   // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet.
   private class SqlMethodModels extends TaintTracking::FunctionModel, Method {
     FunctionInput inp;
