github
/
codeql-go
зеркало из https://github.com/github/codeql-go.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #748 from github/revert-682-patch-1 

Revert #682
This commit is contained in:
yo-h 2022-09-06 11:12:38 -04:00 коммит произвёл GitHub
Родитель 4e2ec44bc3 c4271b5285
Коммит 2471d3c4da
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
7 изменённых файлов: 9 добавлений и 134 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

11
ql/lib/semmle/go/frameworks/SQL.qll
Просмотреть файл

@ -92,14 +92,11 @@ module SQL {
// first argument to `squirrel.Expr`
fn.hasQualifiedName(sq, "Expr")
or
// first argument `pred`, `sql`, `from` to most methods of one of the `*Builder` classes
// first argument to the `Prefix`, `Suffix` or `Where` method of one of the `*Builder` classes
exists(string builder | builder.matches("%Builder") |
fn.(Method)
.hasQualifiedName(sq, builder,
[
"Prefix", "Column", "From", "JoinClause", "Join", "LeftJoin", "RightJoin",
"InnerJoin", "CrossJoin", "Where", "Having", "OrderByClause", "Suffix"
])
fn.(Method).hasQualifiedName(sq, builder, "Prefix") or
fn.(Method).hasQualifiedName(sq, builder, "Suffix") or
fn.(Method).hasQualifiedName(sq, builder, "Where")
)
) and
this = fn.getACall().getArgument(0) and

2
ql/test/library-tests/semmle/go/frameworks/SQL/go.mod
Просмотреть файл

@ -3,7 +3,7 @@ module semmle.go.frameworks.SQL
go 1.13
require (
github.com/Masterminds/squirrel v1.5.2
github.com/Masterminds/squirrel v1.1.0
github.com/go-pg/pg v8.0.6+incompatible
github.com/go-pg/pg/v9 v9.1.3
github.com/go-sql-driver/mysql v1.6.0 // indirect

10
ql/test/library-tests/semmle/go/frameworks/SQL/main.go
Просмотреть файл

@ -43,18 +43,8 @@ func test(db *sql.DB, ctx context.Context) {
}
func squirrelTest(querypart string) {
squirrel.Select("*").From("users").Prefix(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").Column(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").From(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").JoinClause(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").Join(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").LeftJoin(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").RightJoin(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").InnerJoin(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $ querystring=querypart
squirrel.Select("*").From("users").Where(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").Having(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").OrderByClause(querypart) // $ querystring=querypart
squirrel.Select("*").From("users").Suffix(querypart) // $ querystring=querypart
}

30
ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/Masterminds/squirrel/stub.go сгенерированный поставляемый
Просмотреть файл

@ -17,7 +17,7 @@ type BaseRunner interface {
Query(_ string, _ ...interface{}) (*sql.Rows, error)
}
func Expr(_ string, _ ...interface{}) Sqlizer {
func Expr(_ string, _ ...interface{}) interface{} {
return nil
}
@ -43,10 +43,6 @@ func (_ SelectBuilder) Columns(_ ...string) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) CrossJoin(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) Distinct() SelectBuilder {
return SelectBuilder{}
}
@ -75,10 +71,6 @@ func (_ SelectBuilder) Having(_ interface{}, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) InnerJoin(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) Join(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
@ -111,10 +103,6 @@ func (_ SelectBuilder) OrderBy(_ ...string) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) OrderByClause(_ interface{}, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) PlaceholderFormat(_ PlaceholderFormat) SelectBuilder {
return SelectBuilder{}
}
@ -123,10 +111,6 @@ func (_ SelectBuilder) Prefix(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) PrefixExpr(_ Sqlizer) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) Query() (*sql.Rows, error) {
return nil, nil
}
@ -147,10 +131,6 @@ func (_ SelectBuilder) RemoveLimit() SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) RemoveOffset() SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) RightJoin(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
@ -171,10 +151,6 @@ func (_ SelectBuilder) Suffix(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) SuffixExpr(_ Sqlizer) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) ToSql() (string, []interface{}, error) {
return "", nil, nil
}
@ -182,7 +158,3 @@ func (_ SelectBuilder) ToSql() (string, []interface{}, error) {
func (_ SelectBuilder) Where(_ interface{}, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
type Sqlizer interface {
ToSql() (string, []interface{}, error)
}

2
ql/test/query-tests/Security/CWE-089/go.mod
Просмотреть файл

@ -3,6 +3,6 @@ module Security.CWE-089
go 1.14
require (
github.com/Masterminds/squirrel v1.5.2
github.com/Masterminds/squirrel v1.1.0
go.mongodb.org/mongo-driver v1.3.3
)

86
ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/stub.go сгенерированный поставляемый
Просмотреть файл

@ -35,10 +35,6 @@ func (_ DeleteBuilder) Limit(_ uint64) DeleteBuilder {
return DeleteBuilder{}
}
func (_ DeleteBuilder) MustSql() (string, []interface{}) {
return "", nil
}
func (_ DeleteBuilder) Offset(_ uint64) DeleteBuilder {
return DeleteBuilder{}
}
@ -55,38 +51,18 @@ func (_ DeleteBuilder) Prefix(_ string, _ ...interface{}) DeleteBuilder {
return DeleteBuilder{}
}
func (_ DeleteBuilder) PrefixExpr(_ Sqlizer) DeleteBuilder {
return DeleteBuilder{}
}
func (_ DeleteBuilder) Query() (*sql.Rows, error) {
return nil, nil
}
func (_ DeleteBuilder) QueryContext(_ context.Context) (*sql.Rows, error) {
return nil, nil
}
func (_ DeleteBuilder) QueryRowContext(_ context.Context) RowScanner {
return nil
}
func (_ DeleteBuilder) RunWith(_ BaseRunner) DeleteBuilder {
return DeleteBuilder{}
}
func (_ DeleteBuilder) ScanContext(_ context.Context, _ ...interface{}) error {
return nil
}
func (_ DeleteBuilder) Suffix(_ string, _ ...interface{}) DeleteBuilder {
return DeleteBuilder{}
}
func (_ DeleteBuilder) SuffixExpr(_ Sqlizer) DeleteBuilder {
return DeleteBuilder{}
}
func (_ DeleteBuilder) ToSql() (string, []interface{}, error) {
return "", nil, nil
}
@ -95,7 +71,7 @@ func (_ DeleteBuilder) Where(_ interface{}, _ ...interface{}) DeleteBuilder {
return DeleteBuilder{}
}
func Expr(_ string, _ ...interface{}) Sqlizer {
func Expr(_ string, _ ...interface{}) interface{} {
return nil
}
@ -117,10 +93,6 @@ func (_ InsertBuilder) Into(_ string) InsertBuilder {
return InsertBuilder{}
}
func (_ InsertBuilder) MustSql() (string, []interface{}) {
return "", nil
}
func (_ InsertBuilder) Options(_ ...string) InsertBuilder {
return InsertBuilder{}
}
@ -133,10 +105,6 @@ func (_ InsertBuilder) Prefix(_ string, _ ...interface{}) InsertBuilder {
return InsertBuilder{}
}
func (_ InsertBuilder) PrefixExpr(_ Sqlizer) InsertBuilder {
return InsertBuilder{}
}
func (_ InsertBuilder) Query() (*sql.Rows, error) {
return nil, nil
}
@ -177,10 +145,6 @@ func (_ InsertBuilder) Suffix(_ string, _ ...interface{}) InsertBuilder {
return InsertBuilder{}
}
func (_ InsertBuilder) SuffixExpr(_ Sqlizer) InsertBuilder {
return InsertBuilder{}
}
func (_ InsertBuilder) ToSql() (string, []interface{}, error) {
return "", nil, nil
}
@ -207,10 +171,6 @@ func (_ SelectBuilder) Columns(_ ...string) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) CrossJoin(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) Distinct() SelectBuilder {
return SelectBuilder{}
}
@ -239,10 +199,6 @@ func (_ SelectBuilder) Having(_ interface{}, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) InnerJoin(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) Join(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
@ -275,10 +231,6 @@ func (_ SelectBuilder) OrderBy(_ ...string) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) OrderByClause(_ interface{}, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) PlaceholderFormat(_ PlaceholderFormat) SelectBuilder {
return SelectBuilder{}
}
@ -287,10 +239,6 @@ func (_ SelectBuilder) Prefix(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) PrefixExpr(_ Sqlizer) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) Query() (*sql.Rows, error) {
return nil, nil
}
@ -311,10 +259,6 @@ func (_ SelectBuilder) RemoveLimit() SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) RemoveOffset() SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) RightJoin(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
@ -335,10 +279,6 @@ func (_ SelectBuilder) Suffix(_ string, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) SuffixExpr(_ Sqlizer) SelectBuilder {
return SelectBuilder{}
}
func (_ SelectBuilder) ToSql() (string, []interface{}, error) {
return "", nil, nil
}
@ -347,10 +287,6 @@ func (_ SelectBuilder) Where(_ interface{}, _ ...interface{}) SelectBuilder {
return SelectBuilder{}
}
type Sqlizer interface {
ToSql() (string, []interface{}, error)
}
var StatementBuilder StatementBuilderType = StatementBuilderType{}
type StatementBuilderType struct{}
@ -367,10 +303,6 @@ func (_ StatementBuilderType) PlaceholderFormat(_ PlaceholderFormat) StatementBu
return StatementBuilderType{}
}
func (_ StatementBuilderType) Replace(_ string) InsertBuilder {
return InsertBuilder{}
}
func (_ StatementBuilderType) RunWith(_ BaseRunner) StatementBuilderType {
return StatementBuilderType{}
}
@ -383,10 +315,6 @@ func (_ StatementBuilderType) Update(_ string) UpdateBuilder {
return UpdateBuilder{}
}
func (_ StatementBuilderType) Where(_ interface{}, _ ...interface{}) StatementBuilderType {
return StatementBuilderType{}
}
type UpdateBuilder struct{}
func (_ UpdateBuilder) Exec() (sql.Result, error) {
@ -401,10 +329,6 @@ func (_ UpdateBuilder) Limit(_ uint64) UpdateBuilder {
return UpdateBuilder{}
}
func (_ UpdateBuilder) MustSql() (string, []interface{}) {
return "", nil
}
func (_ UpdateBuilder) Offset(_ uint64) UpdateBuilder {
return UpdateBuilder{}
}
@ -421,10 +345,6 @@ func (_ UpdateBuilder) Prefix(_ string, _ ...interface{}) UpdateBuilder {
return UpdateBuilder{}
}
func (_ UpdateBuilder) PrefixExpr(_ Sqlizer) UpdateBuilder {
return UpdateBuilder{}
}
func (_ UpdateBuilder) Query() (*sql.Rows, error) {
return nil, nil
}
@ -465,10 +385,6 @@ func (_ UpdateBuilder) Suffix(_ string, _ ...interface{}) UpdateBuilder {
return UpdateBuilder{}
}
func (_ UpdateBuilder) SuffixExpr(_ Sqlizer) UpdateBuilder {
return UpdateBuilder{}
}
func (_ UpdateBuilder) Table(_ string) UpdateBuilder {
return UpdateBuilder{}
}

2
ql/test/query-tests/Security/CWE-089/vendor/modules.txt поставляемый
Просмотреть файл

@ -1,4 +1,4 @@
# github.com/Masterminds/squirrel v1.5.2
# github.com/Masterminds/squirrel v1.1.0
## explicit
github.com/Masterminds/squirrel
# go.mongodb.org/mongo-driver v1.3.3