Convert gogf/gf sql-injection sinks to MaD

Author: owen-mc

go/ql/lib/ext/github.com.gogf.gf.database.gdb.model.yml

@@ -0,0 +1,57 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      # These models are for v1. Some of them hold for v2, but we should model v2 properly.
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoCommit", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoExec", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoGetAll", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoQuery", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoPrepare", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetAll", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetArray", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetCount", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetScan", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetStruct", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetStructs", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetValue", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoCommit", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoExec", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoGetAll", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoQuery", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoPrepare", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetAll", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetArray", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetCount", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetScan", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetStruct", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetStructs", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetValue", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoCommit", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoExec", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoGetAll", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoQuery", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "DoPrepare", "", "", "Argument[2]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetAll", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetArray", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetCount", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetOne", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetScan", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetStruct", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetStructs", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "GetValue", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Tx", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -85,9 +85,6 @@ module SQL {
     /** A string that might identify package `go-pg/pg/orm` or a specific version of it. */
     private string gopgorm() { result = package("github.com/go-pg/pg", "orm") }
 
-    /** A string that might identify package `github.com/gogf/gf/database/gdb` or a specific version of it. */
-    private string gogf() { result = package("github.com/gogf/gf", "database/gdb") }
-
     /**
      * A string argument to an API of `go-pg/pg` that is directly interpreted as SQL without
      * taking syntactic structure into account.
@@ -152,46 +149,6 @@ module SQL {
         )
       }
     }
-
-    /**
-     * A string argument to an API of `github.com/gogf/gf/database/gdb`, or a specific version of it, that is directly interpreted as SQL without
-     * taking syntactic structure into account.
-     */
-    private class GogfQueryString extends Range {
-      GogfQueryString() {
-        exists(Method m, string name | m.implements(gogf(), ["DB", "Core", "TX"], name) |
-          // func (c *Core) Exec(sql string, args ...interface{}) (result sql.Result, err error)
-          // func (c *Core) GetAll(sql string, args ...interface{}) (Result, error)
-          // func (c *Core) GetArray(sql string, args ...interface{}) ([]Value, error)
-          // func (c *Core) GetCount(sql string, args ...interface{}) (int, error)
-          // func (c *Core) GetOne(sql string, args ...interface{}) (Record, error)
-          // func (c *Core) GetValue(sql string, args ...interface{}) (Value, error)
-          // func (c *Core) Prepare(sql string, execOnMaster ...bool) (*Stmt, error)
-          // func (c *Core) Query(sql string, args ...interface{}) (rows *sql.Rows, err error)
-          // func (c *Core) Raw(rawSql string, args ...interface{}) *Model
-          name =
-            [
-              "Query", "Exec", "Prepare", "GetAll", "GetOne", "GetValue", "GetArray", "GetCount",
-              "Raw"
-            ] and
-          this = m.getACall().getArgument(0)
-          or
-          // func (c *Core) GetScan(pointer interface{}, sql string, args ...interface{}) error
-          // func (c *Core) GetStruct(pointer interface{}, sql string, args ...interface{}) error
-          // func (c *Core) GetStructs(pointer interface{}, sql string, args ...interface{}) error
-          name = ["GetScan", "GetStruct", "GetStructs"] and
-          this = m.getACall().getArgument(1)
-          or
-          // func (c *Core) DoCommit(ctx context.Context, link Link, sql string, args []interface{}) (newSql string, newArgs []interface{}, err error)
-          // func (c *Core) DoExec(ctx context.Context, link Link, sql string, args ...interface{}) (result sql.Result, err error)
-          // func (c *Core) DoGetAll(ctx context.Context, link Link, sql string, args ...interface{}) (result Result, err error)
-          // func (c *Core) DoPrepare(ctx context.Context, link Link, sql string) (*Stmt, error)
-          // func (c *Core) DoQuery(ctx context.Context, link Link, sql string, args ...interface{}) (rows *sql.Rows, err error)
-          name = ["DoGetAll", "DoQuery", "DoExec", "DoCommit", "DoPrepare"] and
-          this = m.getACall().getArgument(2)
-        )
-      }
-    }
   }
 
   /** A model for sinks of GORM. */

go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/QueryString.expected

@@ -0,0 +1,3 @@
+testFailures
+invalidModelRow
+failures

go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/QueryString.ql

@@ -0,0 +1,60 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SqlTest implements TestSig {
+  string getARelevantTag() { result = "query" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "query" and
+    exists(SQL::Query q, SQL::QueryString qs | qs = q.getAQueryString() |
+      q.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = q.toString() and
+      value = qs.toString()
+    )
+  }
+}
+
+module QueryString implements TestSig {
+  string getARelevantTag() { result = "querystring" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "querystring" and
+    element = "" and
+    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
+      qs.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      value = qs.toString()
+    )
+  }
+}
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLit }
+
+  predicate isSink(DataFlow::Node n) {
+    n = any(DataFlow::CallNode cn | cn.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+module TaintFlow implements TestSig {
+  string getARelevantTag() { result = "flowfrom" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "flowfrom" and
+    element = "" and
+    exists(DataFlow::Node fromNode, DataFlow::Node toNode |
+      toNode
+          .hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+            location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      Flow::flow(fromNode, toNode) and
+      value = fromNode.asExpr().(StringLit).getValue()
+    )
+  }
+}
+
+import MakeTest<MergeTests3<SqlTest, QueryString, TaintFlow>>

go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.expected

@@ -4,11 +4,13 @@ package main
 //go:generate depstubber -vendor github.com/gogf/gf/database/gdb DB,Core,TX ""
 
 import (
+	"context"
+
 	"github.com/gogf/gf/database/gdb"
 	"github.com/gogf/gf/frame/g"
 )
 
-func gogfCoreTest(sql string, c *gdb.Core) {
+func gogfCoreTest(sql string, c *gdb.Core, ctx context.Context) {
 	c.Exec(sql, nil)               // $ querystring=sql
 	c.GetAll(sql, nil)             // $ querystring=sql
 	c.GetArray(sql, nil)           // $ querystring=sql
@@ -21,14 +23,14 @@ func gogfCoreTest(sql string, c *gdb.Core) {
 	c.GetScan(nil, sql, nil)       // $ querystring=sql
 	c.GetStruct(nil, sql, nil)     // $ querystring=sql
 	c.GetStructs(nil, sql, nil)    // $ querystring=sql
-	c.DoCommit(nil, nil, sql, nil) // $ querystring=sql
-	c.DoExec(nil, nil, sql, nil)   // $ querystring=sql
-	c.DoGetAll(nil, nil, sql, nil) // $ querystring=sql
-	c.DoQuery(nil, nil, sql, nil)  // $ querystring=sql
-	c.DoPrepare(nil, nil, sql)     // $ querystring=sql
+	c.DoCommit(ctx, nil, sql, nil) // $ querystring=sql
+	c.DoExec(ctx, nil, sql, nil)   // $ querystring=sql
+	c.DoGetAll(ctx, nil, sql, nil) // $ querystring=sql
+	c.DoQuery(ctx, nil, sql, nil)  // $ querystring=sql
+	c.DoPrepare(ctx, nil, sql)     // $ querystring=sql
 }
 
-func gogfDbtest(sql string, c gdb.DB) {
+func gogfDbtest(sql string, c gdb.DB, ctx context.Context) {
 	c.Exec(sql, nil)               // $ querystring=sql
 	c.GetAll(sql, nil)             // $ querystring=sql
 	c.GetArray(sql, nil)           // $ querystring=sql
@@ -39,14 +41,14 @@ func gogfDbtest(sql string, c gdb.DB) {
 	c.Query(sql, nil)              // $ querystring=sql
 	c.Raw(sql, nil)                // $ querystring=sql
 	c.GetScan(nil, sql, nil)       // $ querystring=sql
-	c.DoCommit(nil, nil, sql, nil) // $ querystring=sql
-	c.DoExec(nil, nil, sql, nil)   // $ querystring=sql
-	c.DoGetAll(nil, nil, sql, nil) // $ querystring=sql
-	c.DoQuery(nil, nil, sql, nil)  // $ querystring=sql
-	c.DoPrepare(nil, nil, sql)     // $ querystring=sql
+	c.DoCommit(ctx, nil, sql, nil) // $ querystring=sql
+	c.DoExec(ctx, nil, sql, nil)   // $ querystring=sql
+	c.DoGetAll(ctx, nil, sql, nil) // $ querystring=sql
+	c.DoQuery(ctx, nil, sql, nil)  // $ querystring=sql
+	c.DoPrepare(ctx, nil, sql)     // $ querystring=sql
 }
 
-func gogfGTest(sql string) {
+func gogfGTest(sql string, ctx context.Context) {
 	c := g.DB("ad")
 	c.Exec(sql, nil)               // $ querystring=sql
 	c.GetAll(sql, nil)             // $ querystring=sql
@@ -58,11 +60,11 @@ func gogfGTest(sql string) {
 	c.Query(sql, nil)              // $ querystring=sql
 	c.Raw(sql, nil)                // $ querystring=sql
 	c.GetScan(nil, sql, nil)       // $ querystring=sql
-	c.DoCommit(nil, nil, sql, nil) // $ querystring=sql
-	c.DoExec(nil, nil, sql, nil)   // $ querystring=sql
-	c.DoGetAll(nil, nil, sql, nil) // $ querystring=sql
-	c.DoQuery(nil, nil, sql, nil)  // $ querystring=sql
-	c.DoPrepare(nil, nil, sql)     // $ querystring=sql
+	c.DoCommit(ctx, nil, sql, nil) // $ querystring=sql
+	c.DoExec(ctx, nil, sql, nil)   // $ querystring=sql
+	c.DoGetAll(ctx, nil, sql, nil) // $ querystring=sql
+	c.DoQuery(ctx, nil, sql, nil)  // $ querystring=sql
+	c.DoPrepare(ctx, nil, sql)     // $ querystring=sql
 }
 
 func main() {