github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Revert "Convert mongodb nosql-injection sinks to MaD" 

This reverts commit ec9d88b364.
This commit is contained in:
Chris Smowton 2024-08-24 17:42:49 +01:00
Родитель 437df5c2a5
Коммит c33568b602
3 изменённых файлов: 137 добавлений и 170 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

19
go/ql/lib/ext/go.mongodb.org.mongo-driver.mongo.model.yml
Просмотреть файл

@ -1,19 +0,0 @@
extensions:
- addsTo:
pack: codeql/go-all
extensible: sinkModel
data:
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "CountDocuments", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "DeleteMany", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "DeleteOne", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Distinct", "", "", "Argument[2]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Find", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOne", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndDelete", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndReplace", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndUpdate", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "ReplaceOne", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "UpdateMany", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "UpdateOne", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Watch", "", "", "Argument[1]", "nosql-injection", "manual"]
- ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Aggregate", "", "", "Argument[1]", "nosql-injection", "manual"]

154
go/ql/lib/semmle/go/frameworks/NoSQL.qll
Просмотреть файл

@ -31,82 +31,84 @@ module NoSql {
)
}
}
// /**
// * Holds if method `name` of struct `Collection` from package
// * [go.mongodb.org/mongo-driver/mongo](https://pkg.go.dev/go.mongodb.org/mongo-driver/mongo)
// * interprets parameter `n` as a query.
// */
// private predicate mongoDbCollectionMethod(string name, int n) {
// // func (coll *Collection) CountDocuments(ctx context.Context, filter interface{},
// // opts ...*options.CountOptions) (int64, error)
// name = "CountDocuments" and n = 1
// or
// // func (coll *Collection) DeleteMany(ctx context.Context, filter interface{},
// // opts ...*options.DeleteOptions) (*DeleteResult, error)
// name = "DeleteMany" and n = 1
// or
// // func (coll *Collection) DeleteOne(ctx context.Context, filter interface{},
// // opts ...*options.DeleteOptions) (*DeleteResult, error)
// name = "DeleteOne" and n = 1
// or
// // func (coll *Collection) Distinct(ctx context.Context, fieldName string, filter interface{},
// // ...) ([]interface{}, error)
// name = "Distinct" and n = 2
// or
// // func (coll *Collection) Find(ctx context.Context, filter interface{},
// // opts ...*options.FindOptions) (*Cursor, error)
// name = "Find" and n = 1
// or
// // func (coll *Collection) FindOne(ctx context.Context, filter interface{},
// // opts ...*options.FindOneOptions) *SingleResult
// name = "FindOne" and n = 1
// or
// // func (coll *Collection) FindOneAndDelete(ctx context.Context, filter interface{}, ...)
// // *SingleResult
// name = "FindOneAndDelete" and n = 1
// or
// // func (coll *Collection) FindOneAndReplace(ctx context.Context, filter interface{},
// // replacement interface{}, ...) *SingleResult
// name = "FindOneAndReplace" and n = 1
// or
// // func (coll *Collection) FindOneAndUpdate(ctx context.Context, filter interface{},
// // update interface{}, ...) *SingleResult
// name = "FindOneAndUpdate" and n = 1
// or
// // func (coll *Collection) ReplaceOne(ctx context.Context, filter interface{},
// // replacement interface{}, ...) (*UpdateResult, error)
// name = "ReplaceOne" and n = 1
// or
// // func (coll *Collection) UpdateMany(ctx context.Context, filter interface{},
// // update interface{}, ...) (*UpdateResult, error)
// name = "UpdateMany" and n = 1
// or
// // func (coll *Collection) UpdateOne(ctx context.Context, filter interface{},
// // update interface{}, ...) (*UpdateResult, error)
// name = "UpdateOne" and n = 1
// or
// // func (coll *Collection) Watch(ctx context.Context, pipeline interface{}, ...)
// // (*ChangeStream, error)
// name = "Watch" and n = 1
// or
// // func (coll *Collection) Aggregate(ctx context.Context, pipeline interface{},
// // opts ...*options.AggregateOptions) (*Cursor, error)
// name = "Aggregate" and n = 1
// }
// /**
// * A query used in an API function acting on a `Collection` struct of package
// * [go.mongodb.org/mongo-driver/mongo](https://pkg.go.dev/go.mongodb.org/mongo-driver/mongo).
// */
// private class MongoDbCollectionQuery extends Range {
// MongoDbCollectionQuery() {
// exists(Method meth, string methodName, int n |
// mongoDbCollectionMethod(methodName, n) and
// meth.hasQualifiedName(package("go.mongodb.org/mongo-driver", "mongo"), "Collection",
// methodName) and
// this = meth.getACall().getArgument(n)
// )
// }
// }
/**
* Holds if method `name` of struct `Collection` from package
* [go.mongodb.org/mongo-driver/mongo](https://pkg.go.dev/go.mongodb.org/mongo-driver/mongo)
* interprets parameter `n` as a query.
*/
private predicate mongoDbCollectionMethod(string name, int n) {
// func (coll *Collection) CountDocuments(ctx context.Context, filter interface{},
// opts ...*options.CountOptions) (int64, error)
name = "CountDocuments" and n = 1
or
// func (coll *Collection) DeleteMany(ctx context.Context, filter interface{},
// opts ...*options.DeleteOptions) (*DeleteResult, error)
name = "DeleteMany" and n = 1
or
// func (coll *Collection) DeleteOne(ctx context.Context, filter interface{},
// opts ...*options.DeleteOptions) (*DeleteResult, error)
name = "DeleteOne" and n = 1
or
// func (coll *Collection) Distinct(ctx context.Context, fieldName string, filter interface{},
// ...) ([]interface{}, error)
name = "Distinct" and n = 2
or
// func (coll *Collection) Find(ctx context.Context, filter interface{},
// opts ...*options.FindOptions) (*Cursor, error)
name = "Find" and n = 1
or
// func (coll *Collection) FindOne(ctx context.Context, filter interface{},
// opts ...*options.FindOneOptions) *SingleResult
name = "FindOne" and n = 1
or
// func (coll *Collection) FindOneAndDelete(ctx context.Context, filter interface{}, ...)
// *SingleResult
name = "FindOneAndDelete" and n = 1
or
// func (coll *Collection) FindOneAndReplace(ctx context.Context, filter interface{},
// replacement interface{}, ...) *SingleResult
name = "FindOneAndReplace" and n = 1
or
// func (coll *Collection) FindOneAndUpdate(ctx context.Context, filter interface{},
// update interface{}, ...) *SingleResult
name = "FindOneAndUpdate" and n = 1
or
// func (coll *Collection) ReplaceOne(ctx context.Context, filter interface{},
// replacement interface{}, ...) (*UpdateResult, error)
name = "ReplaceOne" and n = 1
or
// func (coll *Collection) UpdateMany(ctx context.Context, filter interface{},
// update interface{}, ...) (*UpdateResult, error)
name = "UpdateMany" and n = 1
or
// func (coll *Collection) UpdateOne(ctx context.Context, filter interface{},
// update interface{}, ...) (*UpdateResult, error)
name = "UpdateOne" and n = 1
or
// func (coll *Collection) Watch(ctx context.Context, pipeline interface{}, ...)
// (*ChangeStream, error)
name = "Watch" and n = 1
or
// func (coll *Collection) Aggregate(ctx context.Context, pipeline interface{},
// opts ...*options.AggregateOptions) (*Cursor, error)
name = "Aggregate" and n = 1
}
/**
* A query used in an API function acting on a `Collection` struct of package
* [go.mongodb.org/mongo-driver/mongo](https://pkg.go.dev/go.mongodb.org/mongo-driver/mongo).
*/
private class MongoDbCollectionQuery extends Range {
MongoDbCollectionQuery() {
exists(Method meth, string methodName, int n |
mongoDbCollectionMethod(methodName, n) and
meth.hasQualifiedName(package("go.mongodb.org/mongo-driver", "mongo"), "Collection",
methodName) and
this = meth.getACall().getArgument(n)
)
}
}
}
/**

134
go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
Просмотреть файл

@ -25,53 +25,53 @@
| mongoDB.go:80:22:80:27 | filter | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:80:22:80:27 | filter | This query depends on a $@. | mongoDB.go:40:20:40:30 | call to Referer | user-provided value |
| mongoDB.go:81:18:81:25 | pipeline | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:81:18:81:25 | pipeline | This query depends on a $@. | mongoDB.go:40:20:40:30 | call to Referer | user-provided value |
edges
| SqlInjection.go:10:7:11:30 | []type{args} [array] | SqlInjection.go:10:7:11:30 | call to Sprintf | provenance | MaD:4 |
| SqlInjection.go:10:7:11:30 | call to Sprintf | SqlInjection.go:12:11:12:11 | q | provenance | Sink:MaD:1 |
| SqlInjection.go:11:3:11:9 | selection of URL | SqlInjection.go:11:3:11:17 | call to Query | provenance | Src:MaD:25 MaD:26 |
| SqlInjection.go:10:7:11:30 | []type{args} [array] | SqlInjection.go:10:7:11:30 | call to Sprintf | provenance | MaD:2 |
| SqlInjection.go:10:7:11:30 | call to Sprintf | SqlInjection.go:12:11:12:11 | q | provenance | |
| SqlInjection.go:11:3:11:9 | selection of URL | SqlInjection.go:11:3:11:17 | call to Query | provenance | Src:MaD:9 MaD:10 |
| SqlInjection.go:11:3:11:17 | call to Query | SqlInjection.go:11:3:11:29 | index expression | provenance | |
| SqlInjection.go:11:3:11:29 | index expression | SqlInjection.go:10:7:11:30 | []type{args} [array] | provenance | |
| SqlInjection.go:11:3:11:29 | index expression | SqlInjection.go:10:7:11:30 | call to Sprintf | provenance | FunctionModel |
| issue48.go:17:2:17:33 | ... := ...[0] | issue48.go:18:17:18:17 | b | provenance | |
| issue48.go:17:25:17:32 | selection of Body | issue48.go:17:2:17:33 | ... := ...[0] | provenance | Src:MaD:22 MaD:19 |
| issue48.go:18:17:18:17 | b | issue48.go:18:20:18:39 | &... | provenance | MaD:3 |
| issue48.go:17:25:17:32 | selection of Body | issue48.go:17:2:17:33 | ... := ...[0] | provenance | Src:MaD:6 MaD:3 |
| issue48.go:18:17:18:17 | b | issue48.go:18:20:18:39 | &... | provenance | MaD:1 |
| issue48.go:18:20:18:39 | &... | issue48.go:21:3:21:33 | index expression | provenance | |
| issue48.go:20:8:21:34 | []type{args} [array] | issue48.go:20:8:21:34 | call to Sprintf | provenance | MaD:4 |
| issue48.go:20:8:21:34 | call to Sprintf | issue48.go:22:11:22:12 | q3 | provenance | Sink:MaD:1 |
| issue48.go:20:8:21:34 | []type{args} [array] | issue48.go:20:8:21:34 | call to Sprintf | provenance | MaD:2 |
| issue48.go:20:8:21:34 | call to Sprintf | issue48.go:22:11:22:12 | q3 | provenance | |
| issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | []type{args} [array] | provenance | |
| issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | call to Sprintf | provenance | FunctionModel |
| issue48.go:27:2:27:34 | ... := ...[0] | issue48.go:28:17:28:18 | b2 | provenance | |
| issue48.go:27:26:27:33 | selection of Body | issue48.go:27:2:27:34 | ... := ...[0] | provenance | Src:MaD:22 MaD:19 |
| issue48.go:28:17:28:18 | b2 | issue48.go:28:21:28:41 | &... | provenance | MaD:3 |
| issue48.go:27:26:27:33 | selection of Body | issue48.go:27:2:27:34 | ... := ...[0] | provenance | Src:MaD:6 MaD:3 |
| issue48.go:28:17:28:18 | b2 | issue48.go:28:21:28:41 | &... | provenance | MaD:1 |
| issue48.go:28:21:28:41 | &... | issue48.go:31:3:31:31 | selection of Category | provenance | |
| issue48.go:30:8:31:32 | []type{args} [array] | issue48.go:30:8:31:32 | call to Sprintf | provenance | MaD:4 |
| issue48.go:30:8:31:32 | call to Sprintf | issue48.go:32:11:32:12 | q4 | provenance | Sink:MaD:1 |
| issue48.go:30:8:31:32 | []type{args} [array] | issue48.go:30:8:31:32 | call to Sprintf | provenance | MaD:2 |
| issue48.go:30:8:31:32 | call to Sprintf | issue48.go:32:11:32:12 | q4 | provenance | |
| issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | []type{args} [array] | provenance | |
| issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | call to Sprintf | provenance | FunctionModel |
| issue48.go:37:17:37:50 | type conversion | issue48.go:37:53:37:73 | &... | provenance | MaD:3 |
| issue48.go:37:24:37:30 | selection of URL | issue48.go:37:24:37:38 | call to Query | provenance | Src:MaD:25 MaD:26 |
| issue48.go:37:17:37:50 | type conversion | issue48.go:37:53:37:73 | &... | provenance | MaD:1 |
| issue48.go:37:24:37:30 | selection of URL | issue48.go:37:24:37:38 | call to Query | provenance | Src:MaD:9 MaD:10 |
| issue48.go:37:24:37:38 | call to Query | issue48.go:37:17:37:50 | type conversion | provenance | |
| issue48.go:37:53:37:73 | &... | issue48.go:40:3:40:31 | selection of Category | provenance | |
| issue48.go:39:8:40:32 | []type{args} [array] | issue48.go:39:8:40:32 | call to Sprintf | provenance | MaD:4 |
| issue48.go:39:8:40:32 | call to Sprintf | issue48.go:41:11:41:12 | q5 | provenance | Sink:MaD:1 |
| issue48.go:39:8:40:32 | []type{args} [array] | issue48.go:39:8:40:32 | call to Sprintf | provenance | MaD:2 |
| issue48.go:39:8:40:32 | call to Sprintf | issue48.go:41:11:41:12 | q5 | provenance | |
| issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | []type{args} [array] | provenance | |
| issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | call to Sprintf | provenance | FunctionModel |
| main.go:11:11:11:16 | selection of Form | main.go:11:11:11:28 | index expression | provenance | Src:MaD:23 Sink:MaD:1 |
| main.go:15:11:15:84 | []type{args} [array] | main.go:15:11:15:84 | call to Sprintf | provenance | MaD:4 Sink:MaD:2 |
| main.go:15:63:15:67 | selection of URL | main.go:15:63:15:75 | call to Query | provenance | Src:MaD:25 MaD:26 |
| main.go:11:11:11:16 | selection of Form | main.go:11:11:11:28 | index expression | provenance | Src:MaD:7 |
| main.go:15:11:15:84 | []type{args} [array] | main.go:15:11:15:84 | call to Sprintf | provenance | MaD:2 |
| main.go:15:63:15:67 | selection of URL | main.go:15:63:15:75 | call to Query | provenance | Src:MaD:9 MaD:10 |
| main.go:15:63:15:75 | call to Query | main.go:15:63:15:83 | index expression | provenance | |
| main.go:15:63:15:83 | index expression | main.go:15:11:15:84 | []type{args} [array] | provenance | |
| main.go:15:63:15:83 | index expression | main.go:15:11:15:84 | call to Sprintf | provenance | FunctionModel Sink:MaD:2 |
| main.go:16:11:16:85 | []type{args} [array] | main.go:16:11:16:85 | call to Sprintf | provenance | MaD:4 Sink:MaD:2 |
| main.go:16:63:16:70 | selection of Header | main.go:16:63:16:84 | call to Get | provenance | Src:MaD:24 MaD:20 |
| main.go:15:63:15:83 | index expression | main.go:15:11:15:84 | call to Sprintf | provenance | FunctionModel |
| main.go:16:11:16:85 | []type{args} [array] | main.go:16:11:16:85 | call to Sprintf | provenance | MaD:2 |
| main.go:16:63:16:70 | selection of Header | main.go:16:63:16:84 | call to Get | provenance | Src:MaD:8 MaD:4 |
| main.go:16:63:16:84 | call to Get | main.go:16:11:16:85 | []type{args} [array] | provenance | |
| main.go:16:63:16:84 | call to Get | main.go:16:11:16:85 | call to Sprintf | provenance | FunctionModel Sink:MaD:2 |
| main.go:16:63:16:84 | call to Get | main.go:16:11:16:85 | call to Sprintf | provenance | FunctionModel |
| main.go:28:17:31:2 | &... [pointer, Category] | main.go:34:3:34:13 | RequestData [pointer, Category] | provenance | |
| main.go:28:18:31:2 | struct literal [Category] | main.go:28:17:31:2 | &... [pointer, Category] | provenance | |
| main.go:30:13:30:19 | selection of URL | main.go:30:13:30:27 | call to Query | provenance | Src:MaD:25 MaD:26 |
| main.go:30:13:30:19 | selection of URL | main.go:30:13:30:27 | call to Query | provenance | Src:MaD:9 MaD:10 |
| main.go:30:13:30:27 | call to Query | main.go:30:13:30:39 | index expression | provenance | |
| main.go:30:13:30:39 | index expression | main.go:28:18:31:2 | struct literal [Category] | provenance | |
| main.go:33:7:34:23 | []type{args} [array] | main.go:33:7:34:23 | call to Sprintf | provenance | MaD:4 |
| main.go:33:7:34:23 | call to Sprintf | main.go:35:11:35:11 | q | provenance | Sink:MaD:1 |
| main.go:33:7:34:23 | []type{args} [array] | main.go:33:7:34:23 | call to Sprintf | provenance | MaD:2 |
| main.go:33:7:34:23 | call to Sprintf | main.go:35:11:35:11 | q | provenance | |
| main.go:34:3:34:13 | RequestData [pointer, Category] | main.go:34:3:34:13 | implicit dereference [Category] | provenance | |
| main.go:34:3:34:13 | implicit dereference [Category] | main.go:34:3:34:22 | selection of Category | provenance | |
| main.go:34:3:34:22 | selection of Category | main.go:33:7:34:23 | []type{args} [array] | provenance | |
@ -80,11 +80,11 @@ edges
| main.go:39:2:39:12 | definition of RequestData [pointer, Category] | main.go:43:3:43:13 | RequestData [pointer, Category] | provenance | |
| main.go:40:2:40:12 | RequestData [pointer, Category] | main.go:40:2:40:12 | implicit dereference [Category] | provenance | |
| main.go:40:2:40:12 | implicit dereference [Category] | main.go:39:2:39:12 | definition of RequestData [pointer, Category] | provenance | |
| main.go:40:25:40:31 | selection of URL | main.go:40:25:40:39 | call to Query | provenance | Src:MaD:25 MaD:26 |
| main.go:40:25:40:31 | selection of URL | main.go:40:25:40:39 | call to Query | provenance | Src:MaD:9 MaD:10 |
| main.go:40:25:40:39 | call to Query | main.go:40:25:40:51 | index expression | provenance | |
| main.go:40:25:40:51 | index expression | main.go:40:2:40:12 | implicit dereference [Category] | provenance | |
| main.go:42:7:43:23 | []type{args} [array] | main.go:42:7:43:23 | call to Sprintf | provenance | MaD:4 |
| main.go:42:7:43:23 | call to Sprintf | main.go:44:11:44:11 | q | provenance | Sink:MaD:1 |
| main.go:42:7:43:23 | []type{args} [array] | main.go:42:7:43:23 | call to Sprintf | provenance | MaD:2 |
| main.go:42:7:43:23 | call to Sprintf | main.go:44:11:44:11 | q | provenance | |
| main.go:43:3:43:13 | RequestData [pointer, Category] | main.go:43:3:43:13 | implicit dereference [Category] | provenance | |
| main.go:43:3:43:13 | implicit dereference [Category] | main.go:43:3:43:22 | selection of Category | provenance | |
| main.go:43:3:43:22 | selection of Category | main.go:42:7:43:23 | []type{args} [array] | provenance | |
@ -93,11 +93,11 @@ edges
| main.go:48:2:48:12 | definition of RequestData [pointer, Category] | main.go:52:3:52:13 | RequestData [pointer, Category] | provenance | |
| main.go:49:3:49:14 | star expression [Category] | main.go:48:2:48:12 | definition of RequestData [pointer, Category] | provenance | |
| main.go:49:4:49:14 | RequestData [pointer, Category] | main.go:49:3:49:14 | star expression [Category] | provenance | |
| main.go:49:28:49:34 | selection of URL | main.go:49:28:49:42 | call to Query | provenance | Src:MaD:25 MaD:26 |
| main.go:49:28:49:34 | selection of URL | main.go:49:28:49:42 | call to Query | provenance | Src:MaD:9 MaD:10 |
| main.go:49:28:49:42 | call to Query | main.go:49:28:49:54 | index expression | provenance | |
| main.go:49:28:49:54 | index expression | main.go:49:3:49:14 | star expression [Category] | provenance | |
| main.go:51:7:52:23 | []type{args} [array] | main.go:51:7:52:23 | call to Sprintf | provenance | MaD:4 |
| main.go:51:7:52:23 | call to Sprintf | main.go:53:11:53:11 | q | provenance | Sink:MaD:1 |
| main.go:51:7:52:23 | []type{args} [array] | main.go:51:7:52:23 | call to Sprintf | provenance | MaD:2 |
| main.go:51:7:52:23 | call to Sprintf | main.go:53:11:53:11 | q | provenance | |
| main.go:52:3:52:13 | RequestData [pointer, Category] | main.go:52:3:52:13 | implicit dereference [Category] | provenance | |
| main.go:52:3:52:13 | implicit dereference [Category] | main.go:52:3:52:22 | selection of Category | provenance | |
| main.go:52:3:52:22 | selection of Category | main.go:51:7:52:23 | []type{args} [array] | provenance | |
@ -106,60 +106,44 @@ edges
| main.go:57:2:57:12 | definition of RequestData [pointer, Category] | main.go:61:5:61:15 | RequestData [pointer, Category] | provenance | |
| main.go:58:3:58:14 | star expression [Category] | main.go:57:2:57:12 | definition of RequestData [pointer, Category] | provenance | |
| main.go:58:4:58:14 | RequestData [pointer, Category] | main.go:58:3:58:14 | star expression [Category] | provenance | |
| main.go:58:28:58:34 | selection of URL | main.go:58:28:58:42 | call to Query | provenance | Src:MaD:25 MaD:26 |
| main.go:58:28:58:34 | selection of URL | main.go:58:28:58:42 | call to Query | provenance | Src:MaD:9 MaD:10 |
| main.go:58:28:58:42 | call to Query | main.go:58:28:58:54 | index expression | provenance | |
| main.go:58:28:58:54 | index expression | main.go:58:3:58:14 | star expression [Category] | provenance | |
| main.go:60:7:61:26 | []type{args} [array] | main.go:60:7:61:26 | call to Sprintf | provenance | MaD:4 |
| main.go:60:7:61:26 | call to Sprintf | main.go:62:11:62:11 | q | provenance | Sink:MaD:1 |
| main.go:60:7:61:26 | []type{args} [array] | main.go:60:7:61:26 | call to Sprintf | provenance | MaD:2 |
| main.go:60:7:61:26 | call to Sprintf | main.go:62:11:62:11 | q | provenance | |
| main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | []type{args} [array] | provenance | |
| main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | call to Sprintf | provenance | FunctionModel |
| main.go:61:4:61:15 | star expression [Category] | main.go:61:3:61:25 | selection of Category | provenance | |
| main.go:61:5:61:15 | RequestData [pointer, Category] | main.go:61:4:61:15 | star expression [Category] | provenance | |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:42:28:42:41 | untrustedInput | provenance | Src:MaD:21 |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:42:28:42:41 | untrustedInput | provenance | Src:MaD:5 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:50:34:50:39 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:61:27:61:32 | filter | provenance | Sink:MaD:6 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:63:23:63:28 | filter | provenance | Sink:MaD:7 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:64:22:64:27 | filter | provenance | Sink:MaD:8 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:66:32:66:37 | filter | provenance | Sink:MaD:9 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:69:17:69:22 | filter | provenance | Sink:MaD:10 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:70:20:70:25 | filter | provenance | Sink:MaD:11 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:71:29:71:34 | filter | provenance | Sink:MaD:12 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:72:30:72:35 | filter | provenance | Sink:MaD:13 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:73:29:73:34 | filter | provenance | Sink:MaD:14 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:78:23:78:28 | filter | provenance | Sink:MaD:15 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:79:23:79:28 | filter | provenance | Sink:MaD:16 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:80:22:80:27 | filter | provenance | Sink:MaD:17 |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:61:27:61:32 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:63:23:63:28 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:64:22:64:27 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:66:32:66:37 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:69:17:69:22 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:70:20:70:25 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:71:29:71:34 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:72:30:72:35 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:73:29:73:34 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:78:23:78:28 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:79:23:79:28 | filter | provenance | |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:80:22:80:27 | filter | provenance | |
| mongoDB.go:42:28:42:41 | untrustedInput | mongoDB.go:42:19:42:42 | struct literal | provenance | Config |
| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:57:22:57:29 | pipeline | provenance | Sink:MaD:5 |
| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:81:18:81:25 | pipeline | provenance | Sink:MaD:18 |
| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:57:22:57:29 | pipeline | provenance | |
| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:81:18:81:25 | pipeline | provenance | |
| mongoDB.go:50:34:50:39 | filter | mongoDB.go:50:23:50:40 | struct literal | provenance | Config |
models
| 1 | Sink: database/sql; DB; false; Query; ; ; Argument[0]; sql-injection; manual |
| 2 | Sink: database/sql; Tx; false; Query; ; ; Argument[0]; sql-injection; manual |
| 3 | Summary: encoding/json; ; false; Unmarshal; ; ; Argument[0]; Argument[1]; taint; manual |
| 4 | Summary: fmt; ; true; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual |
| 5 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; Aggregate; ; ; Argument[1]; nosql-injection; manual |
| 6 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; CountDocuments; ; ; Argument[1]; nosql-injection; manual |
| 7 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; DeleteMany; ; ; Argument[1]; nosql-injection; manual |
| 8 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; DeleteOne; ; ; Argument[1]; nosql-injection; manual |
| 9 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; Distinct; ; ; Argument[2]; nosql-injection; manual |
| 10 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; Find; ; ; Argument[1]; nosql-injection; manual |
| 11 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; FindOne; ; ; Argument[1]; nosql-injection; manual |
| 12 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; FindOneAndDelete; ; ; Argument[1]; nosql-injection; manual |
| 13 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; FindOneAndReplace; ; ; Argument[1]; nosql-injection; manual |
| 14 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; FindOneAndUpdate; ; ; Argument[1]; nosql-injection; manual |
| 15 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; ReplaceOne; ; ; Argument[1]; nosql-injection; manual |
| 16 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; UpdateMany; ; ; Argument[1]; nosql-injection; manual |
| 17 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; UpdateOne; ; ; Argument[1]; nosql-injection; manual |
| 18 | Sink: go.mongodb.org/mongo-driver/mongo; Collection; true; Watch; ; ; Argument[1]; nosql-injection; manual |
| 19 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
| 20 | Summary: net/http; Header; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
| 21 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual |
| 22 | Source: net/http; Request; true; Body; ; ; ; remote; manual |
| 23 | Source: net/http; Request; true; Form; ; ; ; remote; manual |
| 24 | Source: net/http; Request; true; Header; ; ; ; remote; manual |
| 25 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
| 26 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual |
| 1 | Summary: encoding/json; ; false; Unmarshal; ; ; Argument[0]; Argument[1]; taint; manual |
| 2 | Summary: fmt; ; true; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual |
| 3 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
| 4 | Summary: net/http; Header; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
| 5 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual |
| 6 | Source: net/http; Request; true; Body; ; ; ; remote; manual |
| 7 | Source: net/http; Request; true; Form; ; ; ; remote; manual |
| 8 | Source: net/http; Request; true; Header; ; ; ; remote; manual |
| 9 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
| 10 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual |
nodes
| SqlInjection.go:10:7:11:30 | []type{args} [array] | semmle.label | []type{args} [array] |
| SqlInjection.go:10:7:11:30 | call to Sprintf | semmle.label | call to Sprintf |