Merge pull request github#9779 from porcupineyhairs/goSqlInjection

Golang : Add SQL sinks for `gorqlite` and `GoFrame` frameworks

Author: smowton

go/ql/lib/change-notes/2022-12-03-gorqlite-goframe.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Queries that care about SQL, such as `go/sql-injection`, now recognise SQL-consuming functions belonging to the `gorqlite` and `GoFrame` packages.

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -103,6 +103,14 @@ module SQL {
     /** A string that might identify package `go-pg/pg/orm` or a specific version of it. */
     private string gopgorm() { result = package("github.com/go-pg/pg", "orm") }
 
+    /** A string that might identify package `github.com/rqlite/gorqlite` or `github.com/raindog308/gorqlite` or a specific version of it. */
+    private string gorqlite() {
+      result = package(["github.com/rqlite/gorqlite", "github.com/raindog308/gorqlite"], "")
+    }
+
+    /** A string that might identify package `github.com/gogf/gf/database/gdb` or a specific version of it. */
+    private string gogf() { result = package("github.com/gogf/gf", "database/gdb") }
+
     /**
      * A string argument to an API of `go-pg/pg` that is directly interpreted as SQL without
      * taking syntactic structure into account.
@@ -152,6 +160,65 @@ module SQL {
       }
     }
 
+    /**
+     * A string argument to an API of `github.com/rqlite/gorqlite`, or a specific version of it, that is directly interpreted as SQL without
+     * taking syntactic structure into account.
+     */
+    private class GorqliteQueryString extends Range {
+      GorqliteQueryString() {
+        // func (conn *Connection) Query(sqlStatements []string) (results []QueryResult, err error)
+        // func (conn *Connection) QueryOne(sqlStatement string) (qr QueryResult, err error)
+        // func (conn *Connection) Queue(sqlStatements []string) (seq int64, err error)
+        // func (conn *Connection) QueueOne(sqlStatement string) (seq int64, err error)
+        // func (conn *Connection) Write(sqlStatements []string) (results []WriteResult, err error)
+        // func (conn *Connection) WriteOne(sqlStatement string) (wr WriteResult, err error)
+        exists(Method m, string name | m.hasQualifiedName(gorqlite(), "Connection", name) |
+          name = ["Query", "QueryOne", "Queue", "QueueOne", "Write", "WriteOne"] and
+          this = m.getACall().getArgument(0)
+        )
+      }
+    }
+
+    /**
+     * A string argument to an API of `github.com/gogf/gf/database/gdb`, or a specific version of it, that is directly interpreted as SQL without
+     * taking syntactic structure into account.
+     */
+    private class GogfQueryString extends Range {
+      GogfQueryString() {
+        exists(Method m, string name | m.implements(gogf(), ["DB", "Core", "TX"], name) |
+          // func (c *Core) Exec(sql string, args ...interface{}) (result sql.Result, err error)
+          // func (c *Core) GetAll(sql string, args ...interface{}) (Result, error)
+          // func (c *Core) GetArray(sql string, args ...interface{}) ([]Value, error)
+          // func (c *Core) GetCount(sql string, args ...interface{}) (int, error)
+          // func (c *Core) GetOne(sql string, args ...interface{}) (Record, error)
+          // func (c *Core) GetValue(sql string, args ...interface{}) (Value, error)
+          // func (c *Core) Prepare(sql string, execOnMaster ...bool) (*Stmt, error)
+          // func (c *Core) Query(sql string, args ...interface{}) (rows *sql.Rows, err error)
+          // func (c *Core) Raw(rawSql string, args ...interface{}) *Model
+          name =
+            [
+              "Query", "Exec", "Prepare", "GetAll", "GetOne", "GetValue", "GetArray", "GetCount",
+              "Raw"
+            ] and
+          this = m.getACall().getArgument(0)
+          or
+          // func (c *Core) GetScan(pointer interface{}, sql string, args ...interface{}) error
+          // func (c *Core) GetStruct(pointer interface{}, sql string, args ...interface{}) error
+          // func (c *Core) GetStructs(pointer interface{}, sql string, args ...interface{}) error
+          name = ["GetScan", "GetStruct", "GetStructs"] and
+          this = m.getACall().getArgument(1)
+          or
+          // func (c *Core) DoCommit(ctx context.Context, link Link, sql string, args []interface{}) (newSql string, newArgs []interface{}, err error)
+          // func (c *Core) DoExec(ctx context.Context, link Link, sql string, args ...interface{}) (result sql.Result, err error)
+          // func (c *Core) DoGetAll(ctx context.Context, link Link, sql string, args ...interface{}) (result Result, err error)
+          // func (c *Core) DoPrepare(ctx context.Context, link Link, sql string) (*Stmt, error)
+          // func (c *Core) DoQuery(ctx context.Context, link Link, sql string, args ...interface{}) (rows *sql.Rows, err error)
+          name = ["DoGetAll", "DoQuery", "DoExec", "DoCommit", "DoPrepare"] and
+          this = m.getACall().getArgument(2)
+        )
+      }
+    }
+
     /** A taint model for various methods on the struct `Formatter` of `go-pg/pg/orm`. */
     private class PgOrmFormatterFunction extends TaintTracking::FunctionModel, Method {
       FunctionInput i;

go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/go.mod

@@ -0,0 +1,26 @@
+module main
+
+go 1.19
+
+require github.com/gogf/gf v1.16.9
+
+require (
+	github.com/BurntSushi/toml v0.3.1 // indirect
+	github.com/clbanning/mxj v1.8.5-0.20200714211355-ff02cfb8ea28 // indirect
+	github.com/fatih/color v1.12.0 // indirect
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/go-sql-driver/mysql v1.6.0 // indirect
+	github.com/gomodule/redigo v1.8.5 // indirect
+	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/grokify/html-strip-tags-go v0.0.1 // indirect
+	github.com/mattn/go-colorable v0.1.8 // indirect
+	github.com/mattn/go-isatty v0.0.12 // indirect
+	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	go.opentelemetry.io/otel v1.0.0 // indirect
+	go.opentelemetry.io/otel/trace v1.0.0 // indirect
+	golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 // indirect
+	golang.org/x/sys v0.0.0-20210423082822-04245dca01da // indirect
+	golang.org/x/text v0.3.6 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+)

go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.expected

@@ -0,0 +1,47 @@
+| gogf.go:12:9:12:11 | sql |
+| gogf.go:13:11:13:13 | sql |
+| gogf.go:14:13:14:15 | sql |
+| gogf.go:15:13:15:15 | sql |
+| gogf.go:16:11:16:13 | sql |
+| gogf.go:17:13:17:15 | sql |
+| gogf.go:18:12:18:14 | sql |
+| gogf.go:19:10:19:12 | sql |
+| gogf.go:20:8:20:10 | sql |
+| gogf.go:21:17:21:19 | sql |
+| gogf.go:22:19:22:21 | sql |
+| gogf.go:23:20:23:22 | sql |
+| gogf.go:24:23:24:25 | sql |
+| gogf.go:25:21:25:23 | sql |
+| gogf.go:26:23:26:25 | sql |
+| gogf.go:27:22:27:24 | sql |
+| gogf.go:28:24:28:26 | sql |
+| gogf.go:32:9:32:11 | sql |
+| gogf.go:33:11:33:13 | sql |
+| gogf.go:34:13:34:15 | sql |
+| gogf.go:35:13:35:15 | sql |
+| gogf.go:36:11:36:13 | sql |
+| gogf.go:37:13:37:15 | sql |
+| gogf.go:38:12:38:14 | sql |
+| gogf.go:39:10:39:12 | sql |
+| gogf.go:40:8:40:10 | sql |
+| gogf.go:41:17:41:19 | sql |
+| gogf.go:42:23:42:25 | sql |
+| gogf.go:43:21:43:23 | sql |
+| gogf.go:44:23:44:25 | sql |
+| gogf.go:45:22:45:24 | sql |
+| gogf.go:46:24:46:26 | sql |
+| gogf.go:51:9:51:11 | sql |
+| gogf.go:52:11:52:13 | sql |
+| gogf.go:53:13:53:15 | sql |
+| gogf.go:54:13:54:15 | sql |
+| gogf.go:55:11:55:13 | sql |
+| gogf.go:56:13:56:15 | sql |
+| gogf.go:57:12:57:14 | sql |
+| gogf.go:58:10:58:12 | sql |
+| gogf.go:59:8:59:10 | sql |
+| gogf.go:60:17:60:19 | sql |
+| gogf.go:61:23:61:25 | sql |
+| gogf.go:62:21:62:23 | sql |
+| gogf.go:63:23:63:25 | sql |
+| gogf.go:64:22:64:24 | sql |
+| gogf.go:65:24:65:26 | sql |

go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.go

@@ -0,0 +1,70 @@
+package main
+
+//go:generate depstubber -vendor github.com/gogf/gf/frame/g "" DB
+//go:generate depstubber -vendor github.com/gogf/gf/database/gdb DB,Core,TX ""
+
+import (
+	"github.com/gogf/gf/database/gdb"
+	"github.com/gogf/gf/frame/g"
+)
+
+func gogfCoreTest(sql string, c *gdb.Core) {
+	c.Exec(sql, nil)               // $ querystring=sql
+	c.GetAll(sql, nil)             // $ querystring=sql
+	c.GetArray(sql, nil)           // $ querystring=sql
+	c.GetCount(sql, nil)           // $ querystring=sql
+	c.GetOne(sql, nil)             // $ querystring=sql
+	c.GetValue(sql, nil)           // $ querystring=sql
+	c.Prepare(sql, true)           // $ querystring=sql
+	c.Query(sql, nil)              // $ querystring=sql
+	c.Raw(sql, nil)                // $ querystring=sql
+	c.GetScan(nil, sql, nil)       // $ querystring=sql
+	c.GetStruct(nil, sql, nil)     // $ querystring=sql
+	c.GetStructs(nil, sql, nil)    // $ querystring=sql
+	c.DoCommit(nil, nil, sql, nil) // $ querystring=sql
+	c.DoExec(nil, nil, sql, nil)   // $ querystring=sql
+	c.DoGetAll(nil, nil, sql, nil) // $ querystring=sql
+	c.DoQuery(nil, nil, sql, nil)  // $ querystring=sql
+	c.DoPrepare(nil, nil, sql)     // $ querystring=sql
+}
+
+func gogfDbtest(sql string, c gdb.DB) {
+	c.Exec(sql, nil)               // $ querystring=sql
+	c.GetAll(sql, nil)             // $ querystring=sql
+	c.GetArray(sql, nil)           // $ querystring=sql
+	c.GetCount(sql, nil)           // $ querystring=sql
+	c.GetOne(sql, nil)             // $ querystring=sql
+	c.GetValue(sql, nil)           // $ querystring=sql
+	c.Prepare(sql, true)           // $ querystring=sql
+	c.Query(sql, nil)              // $ querystring=sql
+	c.Raw(sql, nil)                // $ querystring=sql
+	c.GetScan(nil, sql, nil)       // $ querystring=sql
+	c.DoCommit(nil, nil, sql, nil) // $ querystring=sql
+	c.DoExec(nil, nil, sql, nil)   // $ querystring=sql
+	c.DoGetAll(nil, nil, sql, nil) // $ querystring=sql
+	c.DoQuery(nil, nil, sql, nil)  // $ querystring=sql
+	c.DoPrepare(nil, nil, sql)     // $ querystring=sql
+}
+
+func gogfGTest(sql string) {
+	c := g.DB("ad")
+	c.Exec(sql, nil)               // $ querystring=sql
+	c.GetAll(sql, nil)             // $ querystring=sql
+	c.GetArray(sql, nil)           // $ querystring=sql
+	c.GetCount(sql, nil)           // $ querystring=sql
+	c.GetOne(sql, nil)             // $ querystring=sql
+	c.GetValue(sql, nil)           // $ querystring=sql
+	c.Prepare(sql, true)           // $ querystring=sql
+	c.Query(sql, nil)              // $ querystring=sql
+	c.Raw(sql, nil)                // $ querystring=sql
+	c.GetScan(nil, sql, nil)       // $ querystring=sql
+	c.DoCommit(nil, nil, sql, nil) // $ querystring=sql
+	c.DoExec(nil, nil, sql, nil)   // $ querystring=sql
+	c.DoGetAll(nil, nil, sql, nil) // $ querystring=sql
+	c.DoQuery(nil, nil, sql, nil)  // $ querystring=sql
+	c.DoPrepare(nil, nil, sql)     // $ querystring=sql
+}
+
+func main() {
+	return
+}

go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/gogf.ql

@@ -0,0 +1,4 @@
+import go
+
+from SQL::QueryString qs
+select qs