Revert "Convert squirrel sql-injection sinks to MaD (non-existent methods removed)"

smowton · smowton · commit a832730a1155 · 2024-08-24T17:44:40.000+01:00
This reverts commit 06f86dd.
diff --git a/go/ql/lib/ext/github.com.mastermind.squirrel.model.yml b/go/ql/lib/ext/github.com.mastermind.squirrel.model.yml
diff --git a/go/ql/lib/semmle/go/frameworks/SQL.qll b/go/ql/lib/semmle/go/frameworks/SQL.qll
@@ -67,10 +67,42 @@ module SQL {
      */
     abstract class Range extends DataFlow::Node { }
 
-    private class DefaultQueryString extends Range {
-      DefaultQueryString() {
-        exists(DataFlow::ArgumentNode arg | sinkNode(arg, "sql-injection") |
-          this = arg.getACorrespondingSyntacticArgument()
+    /**
+     * An argument to an API of the squirrel library that is directly interpreted as SQL without
+     * taking syntactic structure into account.
+     */
+    private class SquirrelQueryString extends Range {
+      SquirrelQueryString() {
+        exists(Function fn |
+          exists(string sq |
+            sq =
+              package([
+                  "github.com/Masterminds/squirrel", "gopkg.in/Masterminds/squirrel",
+                  "github.com/lann/squirrel"
+                ], "")
+          |
+            fn.hasQualifiedName(sq, ["Delete", "Expr", "Insert", "Select", "Update"])
+            or
+            exists(Method m, string builder | m = fn |
+              builder = ["DeleteBuilder", "InsertBuilder", "SelectBuilder", "UpdateBuilder"] and
+              m.hasQualifiedName(sq, builder,
+                ["Columns", "From", "Options", "OrderBy", "Prefix", "Suffix", "Where"])
+              or
+              builder = "InsertBuilder" and
+              m.hasQualifiedName(sq, builder, ["Replace", "Into"])
+              or
+              builder = "SelectBuilder" and
+              m.hasQualifiedName(sq, builder,
+                ["CrossJoin", "GroupBy", "InnerJoin", "LeftJoin", "RightJoin"])
+              or
+              builder = "UpdateBuilder" and
+              m.hasQualifiedName(sq, builder, ["Set", "Table"])
+            )
+          ) and
+          this = fn.getACall().getArgument(0)
+        |
+          this.getType().getUnderlyingType() instanceof StringType or
+          this.getType().getUnderlyingType().(SliceType).getElementType() instanceof StringType
         )
       }
     }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/squirrel.go b/go/ql/test/library-tests/semmle/go/frameworks/SQL/squirrel.go
@@ -10,35 +10,35 @@ func squirrelTest(querypart string) {
 	squirrel.Expr(querypart)                    // $ querystring=querypart
 	deleteBuilder := squirrel.Delete(querypart) // $ querystring=querypart
 	deleteBuilder.From(querypart)               // $ querystring=querypart
-	deleteBuilder.OrderBy(querypart)            // $ querystring=querypart
+	deleteBuilder.OrderBy(querypart)            // $ querystring=[]type{args}
 	deleteBuilder.Prefix(querypart)             // $ querystring=querypart
 	deleteBuilder.Suffix(querypart)             // $ querystring=querypart
 	deleteBuilder.Where(querypart)              // $ querystring=querypart
 
 	insertBuilder := squirrel.Insert(querypart) // $ querystring=querypart
-	insertBuilder.Columns(querypart)            // $ querystring=querypart
-	insertBuilder.Options(querypart)            // $ querystring=querypart
+	insertBuilder.Columns(querypart)            // $ querystring=[]type{args}
+	insertBuilder.Options(querypart)            // $ querystring=[]type{args}
 	insertBuilder.Prefix(querypart)             // $ querystring=querypart
 	insertBuilder.Suffix(querypart)             // $ querystring=querypart
 	insertBuilder.Into(querypart)               // $ querystring=querypart
 
-	selectBuilder := squirrel.Select(querypart) // $ querystring=querypart
-	selectBuilder.Columns(querypart)            // $ querystring=querypart
+	selectBuilder := squirrel.Select(querypart) // $ querystring=[]type{args}
+	selectBuilder.Columns(querypart)            // $ querystring=[]type{args}
 	selectBuilder.From(querypart)               // $ querystring=querypart
-	selectBuilder.Options(querypart)            // $ querystring=querypart
-	selectBuilder.OrderBy(querypart)            // $ querystring=querypart
+	selectBuilder.Options(querypart)            // $ querystring=[]type{args}
+	selectBuilder.OrderBy(querypart)            // $ querystring=[]type{args}
 	selectBuilder.Prefix(querypart)             // $ querystring=querypart
 	selectBuilder.Suffix(querypart)             // $ querystring=querypart
 	selectBuilder.Where(querypart)              // $ querystring=querypart
 	selectBuilder.CrossJoin(querypart)          // $ querystring=querypart
-	selectBuilder.GroupBy(querypart)            // $ querystring=querypart
+	selectBuilder.GroupBy(querypart)            // $ querystring=[]type{args}
 	selectBuilder.InnerJoin(querypart)          // $ querystring=querypart
 	selectBuilder.LeftJoin(querypart)           // $ querystring=querypart
 	selectBuilder.RightJoin(querypart)          // $ querystring=querypart
 
 	updateBuilder := squirrel.Update(querypart) // $ querystring=querypart
 	updateBuilder.From(querypart)               // $ querystring=querypart
-	updateBuilder.OrderBy(querypart)            // $ querystring=querypart
+	updateBuilder.OrderBy(querypart)            // $ querystring=[]type{args}
 	updateBuilder.Prefix(querypart)             // $ querystring=querypart
 	updateBuilder.Suffix(querypart)             // $ querystring=querypart
 	updateBuilder.Where(querypart)              // $ querystring=querypart
