Skip to content

Commit d37c816

Browse files
owen-mcowen-mc
committed
Model some Xorm methods in QL
1 parent 25cd4d4 commit d37c816

File tree

2 files changed

+18
-9
lines changed

2 files changed

+18
-9
lines changed

go/ql/lib/ext/xorm.io.xorm.model.yml

Lines changed: 4 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -11,17 +11,15 @@ extensions:
1111
data:
1212
- ["group:xorm", "Engine", True, "Alias", "", "", "Argument[0]", "sql-injection", "manual"]
1313
- ["group:xorm", "Engine", True, "And", "", "", "Argument[0]", "sql-injection", "manual"]
14-
- ["group:xorm", "Engine", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
14+
# Engine.Exec has to be modeled in QL to select only the first syntactic argument
1515
- ["group:xorm", "Engine", True, "GroupBy", "", "", "Argument[0]", "sql-injection", "manual"]
1616
- ["group:xorm", "Engine", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
1717
- ["group:xorm", "Engine", True, "In", "", "", "Argument[0]", "sql-injection", "manual"]
1818
- ["group:xorm", "Engine", True, "Join", "", "", "Argument[0..2]", "sql-injection", "manual"]
1919
- ["group:xorm", "Engine", True, "NotIn", "", "", "Argument[0]", "sql-injection", "manual"]
2020
- ["group:xorm", "Engine", True, "Or", "", "", "Argument[0]", "sql-injection", "manual"]
2121
- ["group:xorm", "Engine", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"]
22-
- ["group:xorm", "Engine", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
23-
- ["group:xorm", "Engine", True, "QueryString", "", "", "Argument[0]", "sql-injection", "manual"]
24-
- ["group:xorm", "Engine", True, "QueryInterface", "", "", "Argument[0]", "sql-injection", "manual"]
22+
# Engine.Query, Engine.QueryInterface and Engine.QueryString have to be modeled in QL to select only the first syntactic argument
2523
- ["group:xorm", "Engine", True, "Select", "", "", "Argument[0]", "sql-injection", "manual"]
2624
- ["group:xorm", "Engine", True, "SetExpr", "", "", "Argument[0]", "sql-injection", "manual"]
2725
- ["group:xorm", "Engine", True, "SQL", "", "", "Argument[0]", "sql-injection", "manual"]
@@ -32,17 +30,15 @@ extensions:
3230
- ["group:xorm", "Engine", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
3331
- ["group:xorm", "Session", True, "Alias", "", "", "Argument[0]", "sql-injection", "manual"]
3432
- ["group:xorm", "Session", True, "And", "", "", "Argument[0]", "sql-injection", "manual"]
35-
- ["group:xorm", "Session", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
33+
# Session.Exec has to be modeled in QL to select only the first syntactic argument
3634
- ["group:xorm", "Session", True, "GroupBy", "", "", "Argument[0]", "sql-injection", "manual"]
3735
- ["group:xorm", "Session", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
3836
- ["group:xorm", "Session", True, "In", "", "", "Argument[0]", "sql-injection", "manual"]
3937
- ["group:xorm", "Session", True, "Join", "", "", "Argument[0..2]", "sql-injection", "manual"]
4038
- ["group:xorm", "Session", True, "NotIn", "", "", "Argument[0]", "sql-injection", "manual"]
4139
- ["group:xorm", "Session", True, "Or", "", "", "Argument[0]", "sql-injection", "manual"]
4240
- ["group:xorm", "Session", True, "OrderBy", "", "", "Argument[0]", "sql-injection", "manual"]
43-
- ["group:xorm", "Session", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
44-
- ["group:xorm", "Session", True, "QueryString", "", "", "Argument[0]", "sql-injection", "manual"]
45-
- ["group:xorm", "Session", True, "QueryInterface", "", "", "Argument[0]", "sql-injection", "manual"]
41+
# Session.Query, Session.QueryInterface and Session.QueryString have to be modeled in QL to select only the first syntactic argument
4642
- ["group:xorm", "Session", True, "Select", "", "", "Argument[0]", "sql-injection", "manual"]
4743
- ["group:xorm", "Session", True, "SetExpr", "", "", "Argument[0]", "sql-injection", "manual"]
4844
- ["group:xorm", "Session", True, "SQL", "", "", "Argument[0]", "sql-injection", "manual"]

go/ql/lib/semmle/go/frameworks/SQL.qll

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -188,7 +188,20 @@ module Gorm {
188188
*/
189189
module Xorm {
190190
/** Gets the package name for Xorm. */
191-
string packagePath() { result = package(["xorm.io/xorm", "github.com/go-xorm/xorm"], "") }
191+
string packagePath() { FlowExtensions::packageGrouping("xorm", result) }
192+
193+
/** A model for sinks of XORM. */
194+
private class XormSink extends SQL::QueryString::Range {
195+
XormSink() {
196+
exists(Method meth, string type, string name |
197+
meth.hasQualifiedName(Xorm::packagePath(), type, name) and
198+
type = ["Engine", "Session"] and
199+
name = ["Exec", "Query", "QueryInterface", "QueryString"]
200+
|
201+
this = meth.getACall().getSyntacticArgument(0)
202+
)
203+
}
204+
}
192205
}
193206

194207
/**

0 commit comments

Comments
 (0)