From e19f47634129e48a468fa87a794e538eabc15a85 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Mon, 27 Jul 2020 12:08:55 +0100
Subject: [PATCH] Add test for Sqlx
---
 .../semmle/go/frameworks/SQL/Sqlx/go.mod | 7 +
 .../go/frameworks/SQL/Sqlx/sqlx.expected | 12 +
 .../semmle/go/frameworks/SQL/Sqlx/sqlx.go | 30 +
 .../semmle/go/frameworks/SQL/Sqlx/sqlx.ql | 4 +
 .../vendor/github.com/jmoiron/sqlx/stub.go | 581 ++++++++++++++++++
 .../go/frameworks/SQL/Sqlx/vendor/modules.txt | 3 +
 6 files changed, 637 insertions(+)
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/go.mod
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.expected
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.ql
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/github.com/jmoiron/sqlx/stub.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/modules.txt
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/go.mod b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/go.mod
new file mode 100644
index 00000000..991ce37d
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/go.mod
@@ -0,0 +1,7 @@
+module gormtest
+
+go 1.14
+
+require (
+ github.com/jmoiron/sqlx v1.2.0
+)
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.expected b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.expected
new file mode 100644
index 00000000..0540a78f
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.expected
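Review bot: The module in go.mod is named `gormtest` while the package under test is `sqlxtest` and the directory is Sqlx, which reads as a copy-and-paste from the Gorm test; `module sqlxtest` would keep the module name aligned with what this test covers. Nothing else in the hunk depends on the module path, so the rename is isolated to this line.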
@@ -0,0 +1,12 @@
+| sqlx.go:15:17:15:25 | untrusted |
+| sqlx.go:16:14:16:22 | untrusted |
+| sqlx.go:17:14:17:22 | untrusted |
+| sqlx.go:18:12:18:20 | untrusted |
+| sqlx.go:19:15:19:23 | untrusted |
+| sqlx.go:20:16:20:24 | untrusted |
+| sqlx.go:23:17:23:25 | untrusted |
+| sqlx.go:24:14:24:22 | untrusted |
+| sqlx.go:25:14:25:22 | untrusted |
+| sqlx.go:26:12:26:20 | untrusted |
+| sqlx.go:27:15:27:23 | untrusted |
+| sqlx.go:28:16:28:24 | untrusted |
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.go
new file mode 100644
index 00000000..edc29c4d
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.go
@@ -0,0 +1,30 @@
+package sqlxtest
+
+import (
+ "github.com/jmoiron/sqlx"
+)
+
+func getUntrustedString() string {
+ return "trouble"
+}
+
+func main() {
+
+ db := sqlx.DB{}
+ untrusted := getUntrustedString()
+ db.Select(nil, untrusted)
+ db.Get(nil, untrusted)
+ db.MustExec(untrusted)
+ db.Queryx(untrusted)
+ db.NamedExec(untrusted, nil)
+ db.NamedQuery(untrusted, nil)
+
+ tx := sqlx.Tx{}
+ tx.Select(nil, untrusted)
+ tx.Get(nil, untrusted)
+ tx.MustExec(untrusted)
+ tx.Queryx(untrusted)
+ tx.NamedExec(untrusted, nil)
+ tx.NamedQuery(untrusted, nil)
+
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.ql b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.ql
new file mode 100644
index 00000000..7b56fd97
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.ql
@@ -0,0 +1,4 @@
+import go
+
+from SQL::QueryString qs
+select qs
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/github.com/jmoiron/sqlx/stub.go b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/github.com/jmoiron/sqlx/stub.go
new file mode 100644
index 00000000..e4a15105
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/github.com/jmoiron/sqlx/stub.go
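Review bot: In main of sqlx.go the test exercises only six query-string sinks per receiver (Select, Get, MustExec, Queryx, NamedExec, NamedQuery) on DB and Tx, so a regression in the model of the other query-taking methods the vendored stub declares — the Context variants, QueryRowx, Preparex, PrepareNamed, Exec, Query and QueryRow — would go unnoticed, assuming the SQL::QueryString model is meant to cover them. Consider adding calls such as `db.SelectContext(nil, nil, untrusted)`, `db.QueryRowx(untrusted)` and `db.Preparex(untrusted)` together with the Tx counterparts, then regenerating sqlx.expected so it pins the new rows. A header comment on main such as `// Every call below passes an untrusted string as the query text; sqlx.expected lists each such argument the SQL::QueryString model must flag.` would also make clear what the expected file asserts.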
@@ -0,0 +1,581 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/jmoiron/sqlx, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/jmoiron/sqlx (exports: DB,Tx; functions: ) + +// Package sqlx is a stub of github.com/jmoiron/sqlx, generated by depstubber. +package sqlx + +import ( + context "context" + sql "database/sql" + driver "database/sql/driver" + time "time" +) + +type DB struct { + DB *sql.DB + Mapper interface{} +} + +func (_ DB) Begin() (*sql.Tx, error) { + return nil, nil +} + +func (_ DB) BeginTx(_ context.Context, _ *sql.TxOptions) (*sql.Tx, error) { + return nil, nil +} + +func (_ DB) Close() error { + return nil +} + +func (_ DB) Conn(_ context.Context) (*sql.Conn, error) { + return nil, nil +} + +func (_ DB) Driver() driver.Driver { + return nil +} + +func (_ DB) Exec(_ string, _ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ DB) ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ DB) Ping() error { + return nil +} + +func (_ DB) PingContext(_ context.Context) error { + return nil +} + +func (_ DB) Prepare(_ string) (*sql.Stmt, error) { + return nil, nil +} + +func (_ DB) PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) { + return nil, nil +} + +func (_ DB) Query(_ string, _ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ DB) QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ DB) QueryRow(_ string, _ ...interface{}) *sql.Row { + return nil +} + +func (_ DB) QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row { + return nil +} + +func (_ DB) SetConnMaxLifetime(_ time.Duration) {} + +func (_ DB) SetMaxIdleConns(_ int) {} + +func (_ DB) SetMaxOpenConns(_ int) {} + +func (_ DB) Stats() sql.DBStats { + return sql.DBStats{} +} + 
+func (_ *DB) BeginTxx(_ context.Context, _ *sql.TxOptions) (*Tx, error) { + return nil, nil +} + +func (_ *DB) Beginx() (*Tx, error) { + return nil, nil +} + +func (_ *DB) BindNamed(_ string, _ interface{}) (string, []interface{}, error) { + return "", nil, nil +} + +func (_ *DB) DriverName() string { + return "" +} + +func (_ *DB) Get(_ interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *DB) GetContext(_ context.Context, _ interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *DB) MapperFunc(_ func(string) string) {} + +func (_ *DB) MustBegin() *Tx { + return nil +} + +func (_ *DB) MustBeginTx(_ context.Context, _ *sql.TxOptions) *Tx { + return nil +} + +func (_ *DB) MustExec(_ string, _ ...interface{}) sql.Result { + return nil +} + +func (_ *DB) MustExecContext(_ context.Context, _ string, _ ...interface{}) sql.Result { + return nil +} + +func (_ *DB) NamedExec(_ string, _ interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *DB) NamedExecContext(_ context.Context, _ string, _ interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *DB) NamedQuery(_ string, _ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *DB) NamedQueryContext(_ context.Context, _ string, _ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *DB) PrepareNamed(_ string) (*NamedStmt, error) { + return nil, nil +} + +func (_ *DB) PrepareNamedContext(_ context.Context, _ string) (*NamedStmt, error) { + return nil, nil +} + +func (_ *DB) Preparex(_ string) (*Stmt, error) { + return nil, nil +} + +func (_ *DB) PreparexContext(_ context.Context, _ string) (*Stmt, error) { + return nil, nil +} + +func (_ *DB) QueryRowx(_ string, _ ...interface{}) *Row { + return nil +} + +func (_ *DB) QueryRowxContext(_ context.Context, _ string, _ ...interface{}) *Row { + return nil +} + +func (_ *DB) Queryx(_ string, _ ...interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *DB) QueryxContext(_ context.Context, 
_ string, _ ...interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *DB) Rebind(_ string) string { + return "" +} + +func (_ *DB) Select(_ interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *DB) SelectContext(_ context.Context, _ interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *DB) Unsafe() *DB { + return nil +} + +type NamedStmt struct { + Params []string + QueryString string + Stmt *Stmt +} + +func (_ *NamedStmt) Close() error { + return nil +} + +func (_ *NamedStmt) Exec(_ interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *NamedStmt) ExecContext(_ context.Context, _ interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *NamedStmt) Get(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *NamedStmt) GetContext(_ context.Context, _ interface{}, _ interface{}) error { + return nil +} + +func (_ *NamedStmt) MustExec(_ interface{}) sql.Result { + return nil +} + +func (_ *NamedStmt) MustExecContext(_ context.Context, _ interface{}) sql.Result { + return nil +} + +func (_ *NamedStmt) Query(_ interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ *NamedStmt) QueryContext(_ context.Context, _ interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ *NamedStmt) QueryRow(_ interface{}) *Row { + return nil +} + +func (_ *NamedStmt) QueryRowContext(_ context.Context, _ interface{}) *Row { + return nil +} + +func (_ *NamedStmt) QueryRowx(_ interface{}) *Row { + return nil +} + +func (_ *NamedStmt) QueryRowxContext(_ context.Context, _ interface{}) *Row { + return nil +} + +func (_ *NamedStmt) Queryx(_ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *NamedStmt) QueryxContext(_ context.Context, _ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *NamedStmt) Select(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *NamedStmt) SelectContext(_ context.Context, _ interface{}, _ interface{}) error { + return nil +} + 
+func (_ *NamedStmt) Unsafe() *NamedStmt { + return nil +} + +type Row struct { + Mapper interface{} +} + +func (_ *Row) ColumnTypes() ([]*sql.ColumnType, error) { + return nil, nil +} + +func (_ *Row) Columns() ([]string, error) { + return nil, nil +} + +func (_ *Row) Err() error { + return nil +} + +func (_ *Row) MapScan(_ map[string]interface{}) error { + return nil +} + +func (_ *Row) Scan(_ ...interface{}) error { + return nil +} + +func (_ *Row) SliceScan() ([]interface{}, error) { + return nil, nil +} + +func (_ *Row) StructScan(_ interface{}) error { + return nil +} + +type Rows struct { + Rows *sql.Rows + Mapper interface{} +} + +func (_ Rows) Close() error { + return nil +} + +func (_ Rows) ColumnTypes() ([]*sql.ColumnType, error) { + return nil, nil +} + +func (_ Rows) Columns() ([]string, error) { + return nil, nil +} + +func (_ Rows) Err() error { + return nil +} + +func (_ Rows) Next() bool { + return false +} + +func (_ Rows) NextResultSet() bool { + return false +} + +func (_ Rows) Scan(_ ...interface{}) error { + return nil +} + +func (_ *Rows) MapScan(_ map[string]interface{}) error { + return nil +} + +func (_ *Rows) SliceScan() ([]interface{}, error) { + return nil, nil +} + +func (_ *Rows) StructScan(_ interface{}) error { + return nil +} + +type Stmt struct { + Stmt *sql.Stmt + Mapper interface{} +} + +func (_ Stmt) Close() error { + return nil +} + +func (_ Stmt) Exec(_ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ Stmt) ExecContext(_ context.Context, _ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ Stmt) Query(_ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ Stmt) QueryContext(_ context.Context, _ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ Stmt) QueryRow(_ ...interface{}) *sql.Row { + return nil +} + +func (_ Stmt) QueryRowContext(_ context.Context, _ ...interface{}) *sql.Row { + return nil +} + +func (_ *Stmt) Get(_ interface{}, _ ...interface{}) 
error { + return nil +} + +func (_ *Stmt) GetContext(_ context.Context, _ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Stmt) MustExec(_ ...interface{}) sql.Result { + return nil +} + +func (_ *Stmt) MustExecContext(_ context.Context, _ ...interface{}) sql.Result { + return nil +} + +func (_ *Stmt) QueryRowx(_ ...interface{}) *Row { + return nil +} + +func (_ *Stmt) QueryRowxContext(_ context.Context, _ ...interface{}) *Row { + return nil +} + +func (_ *Stmt) Queryx(_ ...interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Stmt) QueryxContext(_ context.Context, _ ...interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Stmt) Select(_ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Stmt) SelectContext(_ context.Context, _ interface{}, _ ...interface{}) error { + return nil +} + +func (_ *Stmt) Unsafe() *Stmt { + return nil +} + +type Tx struct { + Tx *sql.Tx + Mapper interface{} +} + +func (_ Tx) Commit() error { + return nil +} + +func (_ Tx) Exec(_ string, _ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ Tx) ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ Tx) Prepare(_ string) (*sql.Stmt, error) { + return nil, nil +} + +func (_ Tx) PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) { + return nil, nil +} + +func (_ Tx) Query(_ string, _ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ Tx) QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ Tx) QueryRow(_ string, _ ...interface{}) *sql.Row { + return nil +} + +func (_ Tx) QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row { + return nil +} + +func (_ Tx) Rollback() error { + return nil +} + +func (_ Tx) Stmt(_ *sql.Stmt) *sql.Stmt { + return nil +} + +func (_ Tx) StmtContext(_ context.Context, _ *sql.Stmt) *sql.Stmt { + return nil +} + +func (_ *Tx) 
BindNamed(_ string, _ interface{}) (string, []interface{}, error) { + return "", nil, nil +} + +func (_ *Tx) DriverName() string { + return "" +} + +func (_ *Tx) Get(_ interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *Tx) GetContext(_ context.Context, _ interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *Tx) MustExec(_ string, _ ...interface{}) sql.Result { + return nil +} + +func (_ *Tx) MustExecContext(_ context.Context, _ string, _ ...interface{}) sql.Result { + return nil +} + +func (_ *Tx) NamedExec(_ string, _ interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Tx) NamedExecContext(_ context.Context, _ string, _ interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *Tx) NamedQuery(_ string, _ interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Tx) NamedStmt(_ *NamedStmt) *NamedStmt { + return nil +} + +func (_ *Tx) NamedStmtContext(_ context.Context, _ *NamedStmt) *NamedStmt { + return nil +} + +func (_ *Tx) PrepareNamed(_ string) (*NamedStmt, error) { + return nil, nil +} + +func (_ *Tx) PrepareNamedContext(_ context.Context, _ string) (*NamedStmt, error) { + return nil, nil +} + +func (_ *Tx) Preparex(_ string) (*Stmt, error) { + return nil, nil +} + +func (_ *Tx) PreparexContext(_ context.Context, _ string) (*Stmt, error) { + return nil, nil +} + +func (_ *Tx) QueryRowx(_ string, _ ...interface{}) *Row { + return nil +} + +func (_ *Tx) QueryRowxContext(_ context.Context, _ string, _ ...interface{}) *Row { + return nil +} + +func (_ *Tx) Queryx(_ string, _ ...interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Tx) QueryxContext(_ context.Context, _ string, _ ...interface{}) (*Rows, error) { + return nil, nil +} + +func (_ *Tx) Rebind(_ string) string { + return "" +} + +func (_ *Tx) Select(_ interface{}, _ string, _ ...interface{}) error { + return nil +} + +func (_ *Tx) SelectContext(_ context.Context, _ interface{}, _ string, _ ...interface{}) error { + 
return nil +} + +func (_ *Tx) Stmtx(_ interface{}) *Stmt { + return nil +} + +func (_ *Tx) StmtxContext(_ context.Context, _ interface{}) *Stmt { + return nil +} + +func (_ *Tx) Unsafe() *Tx { + return nil +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/modules.txt new file mode 100644 index 00000000..4b671d77 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/modules.txt @@ -0,0 +1,3 @@ +# github.com/jmoiron/sqlx v1.2.0 +## explicit +github.com/jmoiron/sqlx