Improve go-pg support

Author: Alvaro Muñoz

go/ql/lib/change-notes/2023-06-28--improve-support-for-gopg-framework.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Support for the pg-go framework has been improved.
+

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -145,9 +145,25 @@ module SQL {
           f.hasQualifiedName(gopgorm(), "Q") and
           arg = 0
           or
-          exists(string tp, string m | f.(Method).hasQualifiedName(gopgorm(), tp, m) |
+          exists(string tp, string m | f.(Method).hasQualifiedName([gopgorm(), gopg()], tp, m) |
+            tp = ["DB", "Conn"] and
+            m = ["QueryContext", "QueryOneContext"] and
+            arg = 2
+            or
+            tp = ["DB", "Conn"] and
+            m = ["ExecContext", "ExecOneContext", "PrepareContext", "Query", "QueryOne"] and
+            arg = 1
+            or
+            tp = ["DB", "Conn"] and
+            m = ["Exec", "ExecOne", "Prepare"] and
+            arg = 0
+            or
             tp = "Query" and
-            m = ["ColumnExpr", "For", "Having", "Where", "WhereIn", "WhereInMulti", "WhereOr"] and
+            m =
+              [
+                "ColumnExpr", "For", "GroupExpr", "Having", "Join", "OrderExpr", "TableExpr",
+                "Where", "WhereIn", "WhereInMulti", "WhereOr"
+              ] and
             arg = 0
             or
             tp = "Query" and

go/ql/test/library-tests/semmle/go/frameworks/SQL/go-pg/go-pg.expected

@@ -0,0 +1,10 @@
+| go-pg.go:37:22:37:30 | untrusted | github.com/go-pg/pg/v10 | Conn | ExecContext |
+| go-pg.go:37:22:37:30 | untrusted | github.com/go-pg/pg/v10 | DB | ExecContext |
+| go-pg.go:37:22:37:30 | untrusted | github.com/go-pg/pg/v10 | baseDB | ExecContext |
+| go-pg.go:38:45:38:53 | untrusted | github.com/go-pg/pg/v10 | Conn | QueryOneContext |
+| go-pg.go:38:45:38:53 | untrusted | github.com/go-pg/pg/v10 | DB | QueryOneContext |
+| go-pg.go:38:45:38:53 | untrusted | github.com/go-pg/pg/v10 | baseDB | QueryOneContext |
+| go-pg.go:42:14:42:22 | untrusted | github.com/go-pg/pg/v10/orm | Query | ColumnExpr |
+| go-pg.go:43:8:43:16 | untrusted | github.com/go-pg/pg/v10/orm | Query | Join |
+| go-pg.go:44:9:44:17 | untrusted | github.com/go-pg/pg/v10/orm | Query | Where |
+| go-pg.go:45:13:45:21 | untrusted | github.com/go-pg/pg/v10/orm | Query | OrderExpr |

go/ql/test/library-tests/semmle/go/frameworks/SQL/go-pg/go-pg.go

@@ -0,0 +1,47 @@
+package main
+
+import (
+	"context"
+	pg "github.com/go-pg/pg/v10"
+)
+
+type Profile struct {
+	ID   int
+	Lang string
+}
+
+type User struct {
+	ID        int
+	Name      string
+	ProfileID int
+	Profile   *Profile `pg:"-"`
+}
+
+func getUntrustedString() string {
+	return "trouble"
+}
+
+func main() {
+
+	untrusted := getUntrustedString()
+
+	ctx := context.Background()
+	db := pg.Connect(&pg.Options{
+		Addr:     ":5432",
+		User:     "user",
+		Password: "pass",
+		Database: "db_name",
+	})
+
+	var version string
+	db.ExecContext(ctx, untrusted)
+	db.QueryOneContext(ctx, pg.Scan(&version), untrusted)
+
+	var user User
+	db.Model(&user).
+		ColumnExpr(untrusted).
+		Join(untrusted).
+		Where(untrusted, 123).
+		OrderExpr(untrusted).
+		Select()
+}

go/ql/test/library-tests/semmle/go/frameworks/SQL/go-pg/go-pg.ql

@@ -0,0 +1,5 @@
+import go
+
+from SQL::QueryString qs, Method meth, string a, string b, string c
+where meth.hasQualifiedName(a, b, c) and qs = meth.getACall().getSyntacticArgument(_)
+select qs, a, b, c

go/ql/test/library-tests/semmle/go/frameworks/SQL/go-pg/go.mod

@@ -0,0 +1,17 @@
+module pwntester/go-pg
+
+go 1.19
+
+require (
+	github.com/go-pg/pg/v10 v10.11.0 // indirect
+	github.com/go-pg/zerochecker v0.2.0 // indirect
+	github.com/jinzhu/inflection v1.0.0 // indirect
+	github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc // indirect
+	github.com/vmihailenco/bufpool v0.1.11 // indirect
+	github.com/vmihailenco/msgpack/v5 v5.3.4 // indirect
+	github.com/vmihailenco/tagparser v0.1.2 // indirect
+	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
+	golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 // indirect
+	mellium.im/sasl v0.3.1 // indirect
+)