Merge pull request github#13601 from pwntester/ruby/add_bun_support

Go: Add support for Bun library

Author: owen-mc

go/ql/lib/change-notes/2023-06-28--add-support-for-bun-framework.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Support for the [Bun framework](https://bun.uptrace.dev/) has been added.
+

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -289,3 +289,47 @@ module Xorm {
     }
   }
 }
+
+/**
+ * Provides classes for working with the [Bun](https://bun.uptrace.dev/) package.
+ */
+module Bun {
+  /** Gets the package name for Bun package. */
+  private string packagePath() { result = package("github.com/uptrace/bun", "") }
+
+  /** A model for sinks of Bun. */
+  private class BunSink extends SQL::QueryString::Range {
+    BunSink() {
+      exists(Function f, string m, int arg | this = f.getACall().getArgument(arg) |
+        f.hasQualifiedName(packagePath(), m) and
+        m = "NewRawQuery" and
+        arg = 1
+      )
+      or
+      exists(Method f, string tp, string m, int arg | this = f.getACall().getArgument(arg) |
+        f.hasQualifiedName(packagePath(), tp, m) and
+        (
+          tp = ["DB", "Conn"] and
+          m = ["ExecContext", "PrepareContext", "QueryContext", "QueryRowContext"] and
+          arg = 1
+          or
+          tp = ["DB", "Conn"] and
+          m = ["Exec", "NewRaw", "Prepare", "Query", "QueryRow", "Raw"] and
+          arg = 0
+          or
+          tp.matches("%Query") and
+          m =
+            [
+              "ColumnExpr", "DistinctOn", "For", "GroupExpr", "Having", "ModelTableExpr",
+              "OrderExpr", "TableExpr", "Where", "WhereOr"
+            ] and
+          arg = 0
+          or
+          tp = "RawQuery" and
+          m = "NewRaw" and
+          arg = 0
+        )
+      )
+    }
+  }
+}

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.expected

@@ -0,0 +1,21 @@
+| bun.go:25:22:25:30 | untrusted | github.com/uptrace/bun | NewRawQuery |
+| bun.go:27:22:27:30 | untrusted | github.com/uptrace/bun.DB | ExecContext |
+| bun.go:28:25:28:33 | untrusted | github.com/uptrace/bun.DB | PrepareContext |
+| bun.go:29:23:29:31 | untrusted | github.com/uptrace/bun.DB | QueryContext |
+| bun.go:30:26:30:34 | untrusted | github.com/uptrace/bun.DB | QueryRowContext |
+| bun.go:32:10:32:18 | untrusted | github.com/uptrace/bun.DB | Exec |
+| bun.go:33:12:33:20 | untrusted | github.com/uptrace/bun.DB | NewRaw |
+| bun.go:34:13:34:21 | untrusted | github.com/uptrace/bun.DB | Prepare |
+| bun.go:35:11:35:19 | untrusted | github.com/uptrace/bun.DB | Query |
+| bun.go:36:14:36:22 | untrusted | github.com/uptrace/bun.DB | QueryRow |
+| bun.go:37:9:37:17 | untrusted | github.com/uptrace/bun.DB | Raw |
+| bun.go:39:28:39:36 | untrusted | github.com/uptrace/bun.SelectQuery | ColumnExpr |
+| bun.go:40:28:40:36 | untrusted | github.com/uptrace/bun.SelectQuery | DistinctOn |
+| bun.go:41:21:41:29 | untrusted | github.com/uptrace/bun.SelectQuery | For |
+| bun.go:42:27:42:35 | untrusted | github.com/uptrace/bun.SelectQuery | GroupExpr |
+| bun.go:43:24:43:32 | untrusted | github.com/uptrace/bun.SelectQuery | Having |
+| bun.go:44:32:44:40 | untrusted | github.com/uptrace/bun.SelectQuery | ModelTableExpr |
+| bun.go:45:27:45:35 | untrusted | github.com/uptrace/bun.SelectQuery | OrderExpr |
+| bun.go:46:27:46:35 | untrusted | github.com/uptrace/bun.SelectQuery | TableExpr |
+| bun.go:47:23:47:31 | untrusted | github.com/uptrace/bun.SelectQuery | Where |
+| bun.go:48:25:48:33 | untrusted | github.com/uptrace/bun.SelectQuery | WhereOr |

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.go

@@ -0,0 +1,49 @@
+package main
+
+import (
+	"context"
+	"database/sql"
+
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/dialect/sqlitedialect"
+	"github.com/uptrace/bun/driver/sqliteshim"
+)
+
+func getUntrustedString() string {
+	return "trouble"
+}
+
+func main() {
+	untrusted := getUntrustedString()
+
+	ctx := context.Background()
+	sqlite, err := sql.Open(sqliteshim.ShimName, "file::memory:?cache=shared")
+	if err != nil {
+		panic(err)
+	}
+	db := bun.NewDB(sqlite, sqlitedialect.New())
+	bun.NewRawQuery(db, untrusted)
+
+	db.ExecContext(ctx, untrusted)
+	db.PrepareContext(ctx, untrusted)
+	db.QueryContext(ctx, untrusted)
+	db.QueryRowContext(ctx, untrusted)
+
+	db.Exec(untrusted)
+	db.NewRaw(untrusted)
+	db.Prepare(untrusted)
+	db.Query(untrusted)
+	db.QueryRow(untrusted)
+	db.Raw(untrusted)
+
+	db.NewSelect().ColumnExpr(untrusted)
+	db.NewSelect().DistinctOn(untrusted)
+	db.NewSelect().For(untrusted)
+	db.NewSelect().GroupExpr(untrusted)
+	db.NewSelect().Having(untrusted)
+	db.NewSelect().ModelTableExpr(untrusted)
+	db.NewSelect().OrderExpr(untrusted)
+	db.NewSelect().TableExpr(untrusted)
+	db.NewSelect().Where(untrusted)
+	db.NewSelect().WhereOr(untrusted)
+}

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.ql

@@ -0,0 +1,7 @@
+import go
+
+from SQL::QueryString qs, Function func, string a, string b
+where
+  func.hasQualifiedName(a, b) and
+  qs = func.getACall().getSyntacticArgument(_)
+select qs, a, b

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/go.mod

@@ -0,0 +1,35 @@
+module pwntester/bun
+
+go 1.19
+
+require (
+	github.com/uptrace/bun v1.1.14
+	github.com/uptrace/bun/dialect/sqlitedialect v1.1.14
+	github.com/uptrace/bun/driver/sqliteshim v1.1.14
+)
+
+require (
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/jinzhu/inflection v1.0.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-sqlite3 v1.14.16 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc // indirect
+	github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
+	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/tools v0.9.1 // indirect
+	lukechampine.com/uint128 v1.3.0 // indirect
+	modernc.org/cc/v3 v3.40.0 // indirect
+	modernc.org/ccgo/v3 v3.16.13 // indirect
+	modernc.org/libc v1.22.6 // indirect
+	modernc.org/mathutil v1.5.0 // indirect
+	modernc.org/memory v1.5.0 // indirect
+	modernc.org/opt v0.1.3 // indirect
+	modernc.org/sqlite v1.22.1 // indirect
+	modernc.org/strutil v1.1.3 // indirect
+	modernc.org/token v1.1.0 // indirect
+)