Merge pull request #15812 from atorralba/atorralba/go/squirrel-sinks

atorralba · web-flow · commit f4c2e656141f · 2024-03-06T12:09:19.000+01:00
Go: Add SQLi sinks for Squirrel
diff --git a/go/ql/lib/semmle/go/frameworks/SQL.qll b/go/ql/lib/semmle/go/frameworks/SQL.qll
@@ -81,18 +81,28 @@ module SQL {
                   "github.com/lann/squirrel"
                 ], "")
           |
-            // first argument to `squirrel.Expr`
-            fn.hasQualifiedName(sq, "Expr")
+            fn.hasQualifiedName(sq, ["Delete", "Expr", "Insert", "Select", "Update"])
             or
-            // first argument to the `Prefix`, `Suffix` or `Where` method of one of the `*Builder` classes
-            exists(string builder | builder.matches("%Builder") |
-              fn.(Method).hasQualifiedName(sq, builder, "Prefix") or
-              fn.(Method).hasQualifiedName(sq, builder, "Suffix") or
-              fn.(Method).hasQualifiedName(sq, builder, "Where")
+            exists(Method m, string builder | m = fn |
+              builder = ["DeleteBuilder", "InsertBuilder", "SelectBuilder", "UpdateBuilder"] and
+              m.hasQualifiedName(sq, builder,
+                ["Columns", "From", "Options", "OrderBy", "Prefix", "Suffix", "Where"])
+              or
+              builder = "InsertBuilder" and
+              m.hasQualifiedName(sq, builder, ["Replace", "Into"])
+              or
+              builder = "SelectBuilder" and
+              m.hasQualifiedName(sq, builder,
+                ["CrossJoin", "GroupBy", "InnerJoin", "LeftJoin", "RightJoin"])
+              or
+              builder = "UpdateBuilder" and
+              m.hasQualifiedName(sq, builder, ["Set", "Table"])
             )
           ) and
-          this = fn.getACall().getArgument(0) and
-          this.getType().getUnderlyingType() instanceof StringType
+          this = fn.getACall().getArgument(0)
+        |
+          this.getType().getUnderlyingType() instanceof StringType or
+          this.getType().getUnderlyingType().(SliceType).getElementType() instanceof StringType
         )
       }
     }
diff --git a/go/ql/src/change-notes/2024-03-05-squirrel-sqli-sinks.md b/go/ql/src/change-notes/2024-03-05-squirrel-sqli-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `go/sql-injection` now recognizes more sinks in the package `github.com/Masterminds/squirrel`.
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod b/go/ql/test/library-tests/semmle/go/frameworks/SQL/go.mod
@@ -3,15 +3,21 @@ module semmle.go.frameworks.SQL
 go 1.13
 
 require (
-	github.com/Masterminds/squirrel v1.1.0
+	github.com/Masterminds/squirrel v1.5.4
 	github.com/go-pg/pg v8.0.6+incompatible
 	github.com/go-pg/pg/v9 v9.1.3
 	github.com/go-sql-driver/mysql v1.6.0 // indirect
 	github.com/go-xorm/xorm v0.7.9
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lib/pq v1.10.2 // indirect
-	github.com/uptrace/bun v1.1.14
-	github.com/uptrace/bun/dialect/sqlitedialect v1.1.14
-	github.com/uptrace/bun/driver/sqliteshim v1.1.14
+	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/stretchr/testify v1.8.1 // indirect
+	golang.org/x/tools v0.9.1 // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
+	lukechampine.com/uint128 v1.3.0 // indirect
+	modernc.org/libc v1.22.6 // indirect
+	modernc.org/sqlite v1.22.1 // indirect
+	modernc.org/token v1.1.0 // indirect
 	xorm.io/xorm v1.1.0
 )
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/main.go b/go/ql/test/library-tests/semmle/go/frameworks/SQL/main.go
@@ -1,6 +1,6 @@
 package main
 
-//go:generate depstubber -vendor github.com/Masterminds/squirrel "" Select,Expr
+//go:generate depstubber -vendor github.com/Masterminds/squirrel DeleteBuilder,InsertBuilder,SelectBuilder,UpdateBuilder Delete,Expr,Insert,Select,Update
 
 import (
 	"context"
@@ -43,9 +43,43 @@ func test(db *sql.DB, ctx context.Context) {
 }
 
 func squirrelTest(querypart string) {
-	squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $ querystring=querypart
-	squirrel.Select("*").From("users").Where(querypart)                // $ querystring=querypart
-	squirrel.Select("*").From("users").Suffix(querypart)               // $ querystring=querypart
+	squirrel.Expr(querypart)                    // $ querystring=querypart
+	deleteBuilder := squirrel.Delete(querypart) // $ querystring=querypart
+	deleteBuilder.From(querypart)               // $ querystring=querypart
+	deleteBuilder.OrderBy(querypart)            // $ querystring=[]type{args}
+	deleteBuilder.Prefix(querypart)             // $ querystring=querypart
+	deleteBuilder.Suffix(querypart)             // $ querystring=querypart
+	deleteBuilder.Where(querypart)              // $ querystring=querypart
+
+	insertBuilder := squirrel.Insert(querypart) // $ querystring=querypart
+	insertBuilder.Columns(querypart)            // $ querystring=[]type{args}
+	insertBuilder.Options(querypart)            // $ querystring=[]type{args}
+	insertBuilder.Prefix(querypart)             // $ querystring=querypart
+	insertBuilder.Suffix(querypart)             // $ querystring=querypart
+	insertBuilder.Into(querypart)               // $ querystring=querypart
+
+	selectBuilder := squirrel.Select(querypart) // $ querystring=[]type{args}
+	selectBuilder.Columns(querypart)            // $ querystring=[]type{args}
+	selectBuilder.From(querypart)               // $ querystring=querypart
+	selectBuilder.Options(querypart)            // $ querystring=[]type{args}
+	selectBuilder.OrderBy(querypart)            // $ querystring=[]type{args}
+	selectBuilder.Prefix(querypart)             // $ querystring=querypart
+	selectBuilder.Suffix(querypart)             // $ querystring=querypart
+	selectBuilder.Where(querypart)              // $ querystring=querypart
+	selectBuilder.CrossJoin(querypart)          // $ querystring=querypart
+	selectBuilder.GroupBy(querypart)            // $ querystring=[]type{args}
+	selectBuilder.InnerJoin(querypart)          // $ querystring=querypart
+	selectBuilder.LeftJoin(querypart)           // $ querystring=querypart
+	selectBuilder.RightJoin(querypart)          // $ querystring=querypart
+
+	updateBuilder := squirrel.Update(querypart) // $ querystring=querypart
+	updateBuilder.From(querypart)               // $ querystring=querypart
+	updateBuilder.OrderBy(querypart)            // $ querystring=[]type{args}
+	updateBuilder.Prefix(querypart)             // $ querystring=querypart
+	updateBuilder.Suffix(querypart)             // $ querystring=querypart
+	updateBuilder.Where(querypart)              // $ querystring=querypart
+	updateBuilder.Set(querypart, "")            // $ querystring=querypart
+	updateBuilder.Table(querypart)              // $ querystring=querypart
 }
 
 func test2(tx *sql.Tx, query string, ctx context.Context) {
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/Masterminds/squirrel/stub.go b/go/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/Masterminds/squirrel/stub.go
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/modules.txt b/go/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/modules.txt
