Revert "Convert database/sql/driver sql-injection sinks to MaD"

smowton · smowton · commit b3326babba6f · 2024-08-24T17:42:52.000+01:00
This reverts commit 652dd88.
diff --git a/go/ql/lib/ext/database.sql.driver.model.yml b/go/ql/lib/ext/database.sql.driver.model.yml
@@ -1,14 +1,4 @@
 extensions:
-  - addsTo:
-      pack: codeql/go-all
-      extensible: sinkModel
-    data:
-      - ["database/sql/driver", "Execer", False, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["database/sql/driver", "ExecerContext", False, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["database/sql/driver", "Conn", False, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["database/sql/driver", "ConnPrepareContext", False, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
-      - ["database/sql/driver", "Queryer", False, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
-      - ["database/sql/driver", "QueryerContext", False, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll b/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
@@ -60,13 +60,36 @@ module DatabaseSql {
     override DataFlow::Node getAResult() { result = this.getResult(0) }
 
     override SQL::QueryString getAQueryString() {
-      result = this.getASyntacticArgument()
+      result = this.getAnArgument()
       or
       this.getTarget().hasQualifiedName("database/sql/driver", "Stmt") and
       result = this.getReceiver().getAPredecessor*().(DataFlow::MethodCallNode).getAnArgument()
     }
   }
 
+  /** A query string used in an API function of the standard `database/sql/driver` package. */
+  private class DriverQueryString extends SQL::QueryString::Range {
+    DriverQueryString() {
+      exists(Method meth, int n |
+        (
+          meth.hasQualifiedName("database/sql/driver", "Execer", "Exec") and n = 0
+          or
+          meth.hasQualifiedName("database/sql/driver", "ExecerContext", "ExecContext") and n = 1
+          or
+          meth.hasQualifiedName("database/sql/driver", "Conn", "Prepare") and n = 0
+          or
+          meth.hasQualifiedName("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
+          n = 1
+          or
+          meth.hasQualifiedName("database/sql/driver", "Queryer", "Query") and n = 0
+          or
+          meth.hasQualifiedName("database/sql/driver", "QueryerContext", "QueryContext") and n = 1
+        ) and
+        this = meth.getACall().getArgument(n)
+      )
+    }
+  }
+
   // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet.
   private class SqlMethodModels extends TaintTracking::FunctionModel, Method {
     FunctionInput inp;
