github
diff --git a/‎go/ql/lib/change-notes/2023-06-28--add-support-for-gqlgen-framework.md
Lines changed: 2 additions & 0 deletions b/‎go/ql/lib/change-notes/2023-06-28--add-support-for-gqlgen-framework.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎go/ql/lib/go.qll
Lines changed: 1 addition & 0 deletions b/‎go/ql/lib/go.qll
Lines changed: 1 addition & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/frameworks/Gqlgen.qll
Lines changed: 44 additions & 0 deletions b/‎go/ql/lib/semmle/go/frameworks/Gqlgen.qll
Lines changed: 44 additions & 0 deletions
diff --git a/‎go/ql/test/library-tests/semmle/go/frameworks/gqlgen/go.mod
Lines changed: 24 additions & 0 deletions b/‎go/ql/test/library-tests/semmle/go/frameworks/gqlgen/go.mod
Lines changed: 24 additions & 0 deletions
diff --git a/‎go/ql/test/library-tests/semmle/go/frameworks/gqlgen/gqlgen.ql
Lines changed: 5 additions & 0 deletions b/‎go/ql/test/library-tests/semmle/go/frameworks/gqlgen/gqlgen.ql
Lines changed: 5 additions & 0 deletions
diff --git a/‎go/ql/test/library-tests/semmle/go/frameworks/gqlgen/gqlgen.yml
Lines changed: 87 additions & 0 deletions b/‎go/ql/test/library-tests/semmle/go/frameworks/gqlgen/gqlgen.yml
Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Support for the gqlgen has been added.
@@ -41,6 +41,7 @@ import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Gin
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoRestfulHttp
+import semmle.go.frameworks.Gqlgen
 import semmle.go.frameworks.K8sIoApimachineryPkgRuntime
 import semmle.go.frameworks.K8sIoApiCoreV1
 import semmle.go.frameworks.K8sIoClientGo
 
@@ -0,0 +1,44 @@
+/** Provides models of commonly used functions and types in the gqlgen packages. */
+
+import go
+
+/** Provides models of commonly used functions and types in the gqlgen packages. */
+module Gqlgen {
+  class GqlgenGeneratedFile extends File {
+    GqlgenGeneratedFile() {
+      exists(DataFlow::CallNode call |
+        call.getReceiver().getType().hasQualifiedName("github.com/99designs/gqlgen/graphql", _) and
+        call.getFile() = this
+      )
+    }
+  }
+
+  class ResolverInterface extends Type {
+    ResolverInterface() {
+      this.getQualifiedName().matches("%Resolver") and
+      this.getEntity().getDeclaration().getFile() instanceof GqlgenGeneratedFile
+    }
+  }
+
+  class ResolverInterfaceMethod extends Method {
+    ResolverInterfaceMethod() {
+      this.getReceiver().getType() instanceof ResolverInterface
+    }
+  }
+
+  class ResolverImplementationMethod extends Method {
+    ResolverImplementationMethod() { this.implements(any(ResolverInterfaceMethod r)) }
+     
+    Parameter getAnUntrustedParameter() {
+      result.getFunction() = this.getFuncDecl() and
+      not result.getType().hasQualifiedName("context", "Context") and
+      result.getIndex() > 0
+    }
+  }
+
+  class ResolverParameter extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
+    ResolverParameter() {
+      this.asParameter() = any(ResolverImplementationMethod h).getAnUntrustedParameter()
+    }
+  }
+}
@@ -0,0 +1,24 @@
+module pwntester/gqlgen-todos
+
+go 1.19
+
+require (
+	github.com/99designs/gqlgen v0.17.34
+	github.com/vektah/gqlparser/v2 v2.5.4
+)
+
+require (
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.3 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/urfave/cli/v2 v2.25.5 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
@@ -0,0 +1,5 @@
+import go
+import semmle.go.frameworks.Gqlgen
+
+from Gqlgen::ResolverParameter p
+select p
@@ -0,0 +1,87 @@
+# Where are all the schema files located? globs are supported eg  src/**/*.graphqls
+schema:
+  - graph/*.graphqls
+
+# Where should the generated server code go?
+exec:
+  filename: graph/generated.go
+  package: graph
+
+# Uncomment to enable federation
+# federation:
+#   filename: graph/federation.go
+#   package: graph
+
+# Where should any generated models go?
+model:
+  filename: graph/model/models_gen.go
+  package: model
+
+# Where should the resolver implementations go?
+resolver:
+  layout: follow-schema
+  dir: graph
+  package: graph
+  filename_template: "{name}.resolvers.go"
+  # Optional: turn on to not generate template comments above resolvers
+  # omit_template_comment: false
+
+# Optional: turn on use ` + "`" + `gqlgen:"fieldName"` + "`" + ` tags in your models
+# struct_tag: json
+
+# Optional: turn on to use []Thing instead of []*Thing
+# omit_slice_element_pointers: false
+
+# Optional: turn on to omit Is<Name>() methods to interface and unions
+# omit_interface_checks : true
+
+# Optional: turn on to skip generation of ComplexityRoot struct content and Complexity function
+# omit_complexity: false
+
+# Optional: turn on to not generate any file notice comments in generated files
+# omit_gqlgen_file_notice: false
+
+# Optional: turn on to exclude the gqlgen version in the generated file notice. No effect if `omit_gqlgen_file_notice` is true.
+# omit_gqlgen_version_in_file_notice: false
+
+# Optional: turn off to make struct-type struct fields not use pointers
+# e.g. type Thing struct { FieldA OtherThing } instead of { FieldA *OtherThing }
+# struct_fields_always_pointers: true
+
+# Optional: turn off to make resolvers return values instead of pointers for structs
+# resolvers_always_return_pointers: true
+
+# Optional: turn on to return pointers instead of values in unmarshalInput
+# return_pointers_in_unmarshalinput: false
+
+# Optional: wrap nullable input fields with Omittable
+# nullable_input_omittable: true
+
+# Optional: set to speed up generation time by not performing a final validation pass.
+# skip_validation: true
+
+# Optional: set to skip running `go mod tidy` when generating server code
+# skip_mod_tidy: true
+
+# gqlgen will search for any type names in the schema in these go packages
+# if they match it will use them, otherwise it will generate them.
+autobind:
+#  - "pwntester/gqlgen-todos/graph/model"
+
+# This section declares type mapping between the GraphQL and go type systems
+#
+# The first line in each type will be used as defaults for resolver arguments and
+# modelgen, the others will be allowed when binding to fields. Configure them to
+# your liking
+models:
+  ID:
+    model:
+      - github.com/99designs/gqlgen/graphql.ID
+      - github.com/99designs/gqlgen/graphql.Int
+      - github.com/99designs/gqlgen/graphql.Int64
+      - github.com/99designs/gqlgen/graphql.Int32
+  Int:
+    model:
+      - github.com/99designs/gqlgen/graphql.Int
+      - github.com/99designs/gqlgen/graphql.Int64
+      - github.com/99designs/gqlgen/graphql.Int32
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	`+* Support for the gqlgen has been added.`