Upgrade and convert gorqlite sql-injection sinks to MaD

Author: owen-mc

go/ql/lib/ext/github.com.rqlite.gorqlite.model.yml

@@ -0,0 +1,35 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["gorqlite", "github.com/rqlite/gorqlite"]
+      - ["gorqlite", "github.com/raindog308/gorqlite"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:gorqlite", "Connection", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "Queue", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueOneContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueOneParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueOneParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueueParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "Write", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteOneContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteOneParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteOneParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorqlite", "Connection", True, "WriteParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -85,11 +85,6 @@ module SQL {
     /** A string that might identify package `go-pg/pg/orm` or a specific version of it. */
     private string gopgorm() { result = package("github.com/go-pg/pg", "orm") }
 
-    /** A string that might identify package `github.com/rqlite/gorqlite` or `github.com/raindog308/gorqlite` or a specific version of it. */
-    private string gorqlite() {
-      result = package(["github.com/rqlite/gorqlite", "github.com/raindog308/gorqlite"], "")
-    }
-
     /** A string that might identify package `github.com/gogf/gf/database/gdb` or a specific version of it. */
     private string gogf() { result = package("github.com/gogf/gf", "database/gdb") }
 
@@ -158,25 +153,6 @@ module SQL {
       }
     }
 
-    /**
-     * A string argument to an API of `github.com/rqlite/gorqlite`, or a specific version of it, that is directly interpreted as SQL without
-     * taking syntactic structure into account.
-     */
-    private class GorqliteQueryString extends Range {
-      GorqliteQueryString() {
-        // func (conn *Connection) Query(sqlStatements []string) (results []QueryResult, err error)
-        // func (conn *Connection) QueryOne(sqlStatement string) (qr QueryResult, err error)
-        // func (conn *Connection) Queue(sqlStatements []string) (seq int64, err error)
-        // func (conn *Connection) QueueOne(sqlStatement string) (seq int64, err error)
-        // func (conn *Connection) Write(sqlStatements []string) (results []WriteResult, err error)
-        // func (conn *Connection) WriteOne(sqlStatement string) (wr WriteResult, err error)
-        exists(Method m, string name | m.hasQualifiedName(gorqlite(), "Connection", name) |
-          name = ["Query", "QueryOne", "Queue", "QueueOne", "Write", "WriteOne"] and
-          this = m.getACall().getArgument(0)
-        )
-      }
-    }
-
     /**
      * A string argument to an API of `github.com/gogf/gf/database/gdb`, or a specific version of it, that is directly interpreted as SQL without
      * taking syntactic structure into account.

go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/QueryString.expected

@@ -0,0 +1,3 @@
+testFailures
+invalidModelRow
+failures

go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/QueryString.ql

@@ -0,0 +1,60 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SqlTest implements TestSig {
+  string getARelevantTag() { result = "query" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "query" and
+    exists(SQL::Query q, SQL::QueryString qs | qs = q.getAQueryString() |
+      q.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = q.toString() and
+      value = qs.toString()
+    )
+  }
+}
+
+module QueryString implements TestSig {
+  string getARelevantTag() { result = "querystring" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "querystring" and
+    element = "" and
+    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
+      qs.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      value = qs.toString()
+    )
+  }
+}
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLit }
+
+  predicate isSink(DataFlow::Node n) {
+    n = any(DataFlow::CallNode cn | cn.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+module TaintFlow implements TestSig {
+  string getARelevantTag() { result = "flowfrom" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "flowfrom" and
+    element = "" and
+    exists(DataFlow::Node fromNode, DataFlow::Node toNode |
+      toNode
+          .hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+            location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      Flow::flow(fromNode, toNode) and
+      value = fromNode.asExpr().(StringLit).getValue()
+    )
+  }
+}
+
+import MakeTest<MergeTests3<SqlTest, QueryString, TaintFlow>>

go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/go.mod

@@ -2,4 +2,4 @@ module main
 
 go 1.18
 
-require github.com/rqlite/gorqlite v0.0.0-20220528150909-c4e99ae96be6
+require github.com/rqlite/gorqlite v0.0.0-20240808172217-12ae7d03ef19

go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/gorqlite.expected

@@ -1,20 +1,49 @@
 package main
 
-//go:generate depstubber -vendor github.com/rqlite/gorqlite Connection Open
+//go:generate depstubber -vendor github.com/rqlite/gorqlite Connection,ParameterizedStatement Open
 
 import (
+	"context"
+
 	"github.com/rqlite/gorqlite"
 )
 
-func gorqlitetest(sql string, sqls []string) {
+func gorqlitetest(sql string, sqls []string, param_sql gorqlite.ParameterizedStatement, param_sqls []gorqlite.ParameterizedStatement, ctx context.Context) {
 	conn, _ := gorqlite.Open("dbUrl")
-	conn.Query(sqls)   // $ querystring=sqls
-	conn.Queue(sqls)   // $ querystring=sqls
-	conn.Write(sqls)   // $ querystring=sqls
+
+	conn.Query(sqls) // $ querystring=sqls
+	conn.Queue(sqls) // $ querystring=sqls
+	conn.Write(sqls) // $ querystring=sqls
+
 	conn.QueryOne(sql) // $ querystring=sql
 	conn.QueueOne(sql) // $ querystring=sql
 	conn.WriteOne(sql) // $ querystring=sql
+
+	conn.QueryParameterized(param_sqls) // $ querystring=param_sqls
+	conn.QueueParameterized(param_sqls) // $ querystring=param_sqls
+	conn.WriteParameterized(param_sqls) // $ querystring=param_sqls
+
+	conn.QueryOneParameterized(param_sql) // $ querystring=param_sql
+	conn.QueueOneParameterized(param_sql) // $ querystring=param_sql
+	conn.WriteOneParameterized(param_sql) // $ querystring=param_sql
+
+	conn.QueryContext(ctx, sqls) // $ querystring=sqls
+	conn.QueueContext(ctx, sqls) // $ querystring=sqls
+	conn.WriteContext(ctx, sqls) // $ querystring=sqls
+
+	conn.QueryOneContext(ctx, sql) // $ querystring=sql
+	conn.QueueOneContext(ctx, sql) // $ querystring=sql
+	conn.WriteOneContext(ctx, sql) // $ querystring=sql
+
+	conn.QueryParameterizedContext(ctx, param_sqls) // $ querystring=param_sqls
+	conn.QueueParameterizedContext(ctx, param_sqls) // $ querystring=param_sqls
+	conn.WriteParameterizedContext(ctx, param_sqls) // $ querystring=param_sqls
+
+	conn.QueryOneParameterizedContext(ctx, param_sql) // $ querystring=param_sql
+	conn.QueueOneParameterizedContext(ctx, param_sql) // $ querystring=param_sql
+	conn.WriteOneParameterizedContext(ctx, param_sql) // $ querystring=param_sql
 }
+
 func main() {
 	return
 }

go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/gorqlite.go

@@ -1,3 +1,3 @@
-# github.com/rqlite/gorqlite v0.0.0-20220528150909-c4e99ae96be6
+# github.com/rqlite/gorqlite v0.0.0-20240808172217-12ae7d03ef19
 ## explicit
 github.com/rqlite/gorqlite