
Commit b3326ba

committed
Revert "Convert database/sql/driver sql-injection sinks to MaD"
This reverts commit 652dd88.
1 parent c33568b commit b3326ba


2 files changed

+24
-11
lines changed


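--- a/go/ql/lib/ext/database.sql.driver.model.yml
+++ b/go/ql/lib/ext/database.sql.driver.model.yml
@@ -1,14 +1,4 @@
 extensions:
-- addsTo:
-pack: codeql/go-all
-extensible: sinkModel
-data:
-- ["database/sql/driver", "Execer", False, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
-- ["database/sql/driver", "ExecerContext", False, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
-- ["database/sql/driver", "Conn", False, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
-- ["database/sql/driver", "ConnPrepareContext", False, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
-- ["database/sql/driver", "Queryer", False, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
-- ["database/sql/driver", "QueryerContext", False, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
 - addsTo:
 pack: codeql/go-all
 extensible: summaryModel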

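--- a/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
@@ -60,13 +60,36 @@ module DatabaseSql {
 override DataFlow::Node getAResult() { result = this.getResult(0) }
 
 override SQL::QueryString getAQueryString() {
-result = this.getASyntacticArgument()
+result = this.getAnArgument()
 or
 this.getTarget().hasQualifiedName("database/sql/driver", "Stmt") and
 result = this.getReceiver().getAPredecessor*().(DataFlow::MethodCallNode).getAnArgument()
 }
 }
 
+/** A query string used in an API function of the standard `database/sql/driver` package. */
+private class DriverQueryString extends SQL::QueryString::Range {
+DriverQueryString() {
+exists(Method meth, int n |
+(
+meth.hasQualifiedName("database/sql/driver", "Execer", "Exec") and n = 0
+or
+meth.hasQualifiedName("database/sql/driver", "ExecerContext", "ExecContext") and n = 1
+or
+meth.hasQualifiedName("database/sql/driver", "Conn", "Prepare") and n = 0
+or
+meth.hasQualifiedName("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
+n = 1
+or
+meth.hasQualifiedName("database/sql/driver", "Queryer", "Query") and n = 0
+or
+meth.hasQualifiedName("database/sql/driver", "QueryerContext", "QueryContext") and n = 1
+) and
+this = meth.getACall().getArgument(n)
+)
+}
+}
+
 // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet.
 private class SqlMethodModels extends TaintTracking::FunctionModel, Method {
 FunctionInput inp;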
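Review bot: The six-way disjunction in the `DriverQueryString` characteristic predicate pairs each `database/sql/driver` method with a bare argument index, and nothing explains why `n` is 0 for some methods and 1 for others. A short comment above the `exists` would make the table auditable, for example `// n is the position of the SQL text: 0 for Exec/Prepare/Query, 1 for the *Context variants, whose first parameter is the context.Context`. With the `sinkModel` rows removed from `database.sql.driver.model.yml`, this class is presumably the only thing that still marks these arguments as SQL-injection sinks, so a wrong index would silently drop a sink. It is worth confirming that the existing query tests still exercise all six methods, since no test or expected-output file is part of this commit. The enclosing `module DatabaseSql` begins before the hunk and continues past it.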
