
Add a few variants to test.
Max Schaefer committed Jan 21, 2020
1 parent 6671b61 commit baeae0f
Showing 2 changed files with 85 additions and 1 deletion.
57 changes: 57 additions & 0 deletions ql/test/query-tests/Security/CWE-089/SqlInjection.expected
Expand Up @@ -10,6 +10,33 @@ edges
| main.go:33:3:33:13 | RequestData [pointer, Category] | main.go:33:3:33:13 | implicit dereference [Category] : slice type |
| main.go:33:3:33:13 | implicit dereference [Category] : slice type | main.go:33:3:33:22 | selection of Category : slice type |
| main.go:33:3:33:22 | selection of Category : slice type | main.go:34:11:34:11 | q |
| main.go:38:2:38:12 | definition of RequestData [pointer, Category] | main.go:39:2:39:12 | RequestData [pointer, Category] |
| main.go:38:2:38:12 | definition of RequestData [pointer, Category] | main.go:42:3:42:13 | RequestData [pointer, Category] |
| main.go:39:2:39:12 | RequestData [pointer, Category] | main.go:39:2:39:12 | implicit dereference [Category] : slice type |
| main.go:39:2:39:12 | implicit dereference [Category] : slice type | main.go:38:2:38:12 | definition of RequestData [pointer, Category] |
| main.go:39:25:39:31 | selection of URL : pointer type | main.go:39:25:39:51 | index expression : slice type |
| main.go:39:25:39:51 | index expression : slice type | main.go:39:2:39:12 | implicit dereference [Category] : slice type |
| main.go:42:3:42:13 | RequestData [pointer, Category] | main.go:42:3:42:13 | implicit dereference [Category] : slice type |
| main.go:42:3:42:13 | implicit dereference [Category] : slice type | main.go:42:3:42:22 | selection of Category : slice type |
| main.go:42:3:42:22 | selection of Category : slice type | main.go:43:11:43:11 | q |
| main.go:47:2:47:12 | definition of RequestData [pointer, Category] | main.go:48:4:48:14 | RequestData [pointer, Category] |
| main.go:47:2:47:12 | definition of RequestData [pointer, Category] | main.go:51:3:51:13 | RequestData [pointer, Category] |
| main.go:48:3:48:14 | star expression [Category] : slice type | main.go:47:2:47:12 | definition of RequestData [pointer, Category] |
| main.go:48:4:48:14 | RequestData [pointer, Category] | main.go:48:3:48:14 | star expression [Category] : slice type |
| main.go:48:28:48:34 | selection of URL : pointer type | main.go:48:28:48:54 | index expression : slice type |
| main.go:48:28:48:54 | index expression : slice type | main.go:48:3:48:14 | star expression [Category] : slice type |
| main.go:51:3:51:13 | RequestData [pointer, Category] | main.go:51:3:51:13 | implicit dereference [Category] : slice type |
| main.go:51:3:51:13 | implicit dereference [Category] : slice type | main.go:51:3:51:22 | selection of Category : slice type |
| main.go:51:3:51:22 | selection of Category : slice type | main.go:52:11:52:11 | q |
| main.go:56:2:56:12 | definition of RequestData [pointer, Category] | main.go:57:4:57:14 | RequestData [pointer, Category] |
| main.go:56:2:56:12 | definition of RequestData [pointer, Category] | main.go:60:5:60:15 | RequestData [pointer, Category] |
| main.go:57:3:57:14 | star expression [Category] : slice type | main.go:56:2:56:12 | definition of RequestData [pointer, Category] |
| main.go:57:4:57:14 | RequestData [pointer, Category] | main.go:57:3:57:14 | star expression [Category] : slice type |
| main.go:57:28:57:34 | selection of URL : pointer type | main.go:57:28:57:54 | index expression : slice type |
| main.go:57:28:57:54 | index expression : slice type | main.go:57:3:57:14 | star expression [Category] : slice type |
| main.go:60:3:60:25 | selection of Category : slice type | main.go:61:11:61:11 | q |
| main.go:60:4:60:15 | star expression [Category] : slice type | main.go:60:3:60:25 | selection of Category : slice type |
| main.go:60:5:60:15 | RequestData [pointer, Category] | main.go:60:4:60:15 | star expression [Category] : slice type |
nodes
| SqlInjection.go:11:3:11:9 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
| SqlInjection.go:12:11:12:11 | q | semmle.label | q |
Expand All @@ -27,9 +54,39 @@ nodes
| main.go:33:3:33:13 | implicit dereference [Category] : slice type | semmle.label | implicit dereference [Category] : slice type |
| main.go:33:3:33:22 | selection of Category : slice type | semmle.label | selection of Category : slice type |
| main.go:34:11:34:11 | q | semmle.label | q |
| main.go:38:2:38:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
| main.go:39:2:39:12 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:39:2:39:12 | implicit dereference [Category] : slice type | semmle.label | implicit dereference [Category] : slice type |
| main.go:39:25:39:31 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
| main.go:39:25:39:51 | index expression : slice type | semmle.label | index expression : slice type |
| main.go:42:3:42:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:42:3:42:13 | implicit dereference [Category] : slice type | semmle.label | implicit dereference [Category] : slice type |
| main.go:42:3:42:22 | selection of Category : slice type | semmle.label | selection of Category : slice type |
| main.go:43:11:43:11 | q | semmle.label | q |
| main.go:47:2:47:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
| main.go:48:3:48:14 | star expression [Category] : slice type | semmle.label | star expression [Category] : slice type |
| main.go:48:4:48:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:48:28:48:34 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
| main.go:48:28:48:54 | index expression : slice type | semmle.label | index expression : slice type |
| main.go:51:3:51:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:51:3:51:13 | implicit dereference [Category] : slice type | semmle.label | implicit dereference [Category] : slice type |
| main.go:51:3:51:22 | selection of Category : slice type | semmle.label | selection of Category : slice type |
| main.go:52:11:52:11 | q | semmle.label | q |
| main.go:56:2:56:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
| main.go:57:3:57:14 | star expression [Category] : slice type | semmle.label | star expression [Category] : slice type |
| main.go:57:4:57:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:57:28:57:34 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
| main.go:57:28:57:54 | index expression : slice type | semmle.label | index expression : slice type |
| main.go:60:3:60:25 | selection of Category : slice type | semmle.label | selection of Category : slice type |
| main.go:60:4:60:15 | star expression [Category] : slice type | semmle.label | star expression [Category] : slice type |
| main.go:60:5:60:15 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:61:11:61:11 | q | semmle.label | q |
#select
| SqlInjection.go:12:11:12:11 | q | SqlInjection.go:11:3:11:9 | selection of URL : pointer type | SqlInjection.go:12:11:12:11 | q | This query depends on $@. | SqlInjection.go:11:3:11:9 | selection of URL | a user-provided value |
| main.go:10:11:10:28 | index expression | main.go:10:11:10:16 | selection of Form : Values | main.go:10:11:10:28 | index expression | This query depends on $@. | main.go:10:11:10:16 | selection of Form | a user-provided value |
| main.go:14:11:14:84 | call to Sprintf | main.go:14:63:14:67 | selection of URL : pointer type | main.go:14:11:14:84 | call to Sprintf | This query depends on $@. | main.go:14:63:14:67 | selection of URL | a user-provided value |
| main.go:15:11:15:85 | call to Sprintf | main.go:15:63:15:84 | call to Get : string | main.go:15:11:15:85 | call to Sprintf | This query depends on $@. | main.go:15:63:15:84 | call to Get | a user-provided value |
| main.go:34:11:34:11 | q | main.go:29:13:29:19 | selection of URL : pointer type | main.go:34:11:34:11 | q | This query depends on $@. | main.go:29:13:29:19 | selection of URL | a user-provided value |
| main.go:43:11:43:11 | q | main.go:39:25:39:31 | selection of URL : pointer type | main.go:43:11:43:11 | q | This query depends on $@. | main.go:39:25:39:31 | selection of URL | a user-provided value |
| main.go:52:11:52:11 | q | main.go:48:28:48:34 | selection of URL : pointer type | main.go:52:11:52:11 | q | This query depends on $@. | main.go:48:28:48:34 | selection of URL | a user-provided value |
| main.go:61:11:61:11 | q | main.go:57:28:57:34 | selection of URL : pointer type | main.go:61:11:61:11 | q | This query depends on $@. | main.go:57:28:57:34 | selection of URL | a user-provided value |
29 changes: 28 additions & 1 deletion ql/test/query-tests/Security/CWE-089/main.go
Expand Up @@ -17,7 +17,7 @@ func test2(tx *sql.Tx, r *http.Request) {

func main() {}

// https://github.com/github/codeql-go/issues/18
// https://github.com/github/codeql-go/issues/18 and variants
type RequestStruct struct {
Id int64 `db:"id"`
Category []string `db:"category"`
Expand All @@ -33,3 +33,30 @@ func handler2(db *sql.DB, req *http.Request) {
RequestData.Category)
db.Query(q)
}

func handler3(db *sql.DB, req *http.Request) {
RequestData := &RequestStruct{}
RequestData.Category = req.URL.Query()["category"]

q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
RequestData.Category)
db.Query(q)
}

func handler4(db *sql.DB, req *http.Request) {
RequestData := &RequestStruct{}
(*RequestData).Category = req.URL.Query()["category"]

q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
RequestData.Category)
db.Query(q)
}

func handler5(db *sql.DB, req *http.Request) {
RequestData := &RequestStruct{}
(*RequestData).Category = req.URL.Query()["category"]

q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
(*RequestData).Category)
db.Query(q)
}
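Review bot: handler3, handler4 and handler5 are byte-for-byte identical apart from where the `*` dereference sits, and nothing in the file says which syntactic form each one is meant to exercise, so a reader has to diff them line by line to see that handler3 stores and loads through the implicit dereference, handler4 stores through `(*RequestData)` but loads through the implicit form, and handler5 uses the explicit `(*RequestData)` on both sides. A one-line comment above each, e.g. `// handler4: explicit dereference on the store, implicit dereference on the load` (and the matching lines for handler3 and handler5), would make the intent of the fixture clear and tie it to the "and variants" wording added to the issue-18 comment in the first hunk. The updated SqlInjection.expected shows a `#select` row for each of the three new handlers, which is consistent with all three variants being tracked through the Category field, so the expectations appear in line with the fixture. The enclosing handler2 starts outside the second hunk.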
