Convert database/sql/driver sql-injection sinks to MaD

2024-08-15 21:35:07 +01:00 · 2024-08-15 21:35:07 +01:00 · 652dd88c36
--- a/go/ql/lib/ext/database.sql.driver.model.yml
+++ b/go/ql/lib/ext/database.sql.driver.model.yml
@ -1,4 +1,14 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["database/sql/driver", "Execer", False, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql/driver", "ExecerContext", False, "ExecContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql/driver", "Conn", False, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql/driver", "ConnPrepareContext", False, "PrepareContext", "", "", "Argument[1]", "sql-injection", "manual"]
+      - ["database/sql/driver", "Queryer", False, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["database/sql/driver", "QueryerContext", False, "QueryContext", "", "", "Argument[1]", "sql-injection", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: summaryModel
--- a/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll
@ -60,36 +60,13 @@ module DatabaseSql {
    override DataFlow::Node getAResult() { result = this.getResult(0) }

    override SQL::QueryString getAQueryString() {
-      result = this.getAnArgument()
+      result = this.getASyntacticArgument()
      or
      this.getTarget().hasQualifiedName("database/sql/driver", "Stmt") and
      result = this.getReceiver().getAPredecessor*().(DataFlow::MethodCallNode).getAnArgument()
    }
  }

-  /** A query string used in an API function of the standard `database/sql/driver` package. */
-  private class DriverQueryString extends SQL::QueryString::Range {
-    DriverQueryString() {
-      exists(Method meth, int n |
-        (
-          meth.hasQualifiedName("database/sql/driver", "Execer", "Exec") and n = 0
-          or
-          meth.hasQualifiedName("database/sql/driver", "ExecerContext", "ExecContext") and n = 1
-          or
-          meth.hasQualifiedName("database/sql/driver", "Conn", "Prepare") and n = 0
-          or
-          meth.hasQualifiedName("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
-          n = 1
-          or
-          meth.hasQualifiedName("database/sql/driver", "Queryer", "Query") and n = 0
-          or
-          meth.hasQualifiedName("database/sql/driver", "QueryerContext", "QueryContext") and n = 1
-        ) and
-        this = meth.getACall().getArgument(n)
-      )
-    }
-  }
-
  // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet.
  private class SqlMethodModels extends TaintTracking::FunctionModel, Method {
    FunctionInput inp;