add test cases for G201,G202

securego · Jan 16, 2022 · 407051f · 407051f
1 parent e07e291
commit 407051f
Showing 1 changed file with 161 additions and 1 deletion.
diff --git a/testutils/source.go b/testutils/source.go
@@ -1255,7 +1255,103 @@ func main() {
 		panic(err)
 	}
 	defer db.Close()
-}`}, 1, gosec.NewConfig()},
+}`}, 1, gosec.NewConfig()}, {[]string{`
+// SQLI by db.Prepare(some)
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+)
+
+const Table = "foo"
+
+func main() {
+	var album string
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1])
+	stmt, err := db.Prepare(q)
+	if err != nil {
+		log.Fatal(err)
+	}
+	stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			log.Fatal(err)
+		}
+	}
+	defer stmt.Close()
+}
+`}, 1, gosec.NewConfig()}, {[]string{`
+// SQLI by db.PrepareContext(some)
+package main
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+)
+
+const Table = "foo"
+
+func main() {
+	var album string
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1])
+	stmt, err := db.PrepareContext(context.Background(), q)
+	if err != nil {
+		log.Fatal(err)
+	}
+	stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			log.Fatal(err)
+		}
+	}
+	defer stmt.Close()
+}
+`}, 1, gosec.NewConfig()}, {[]string{`
+// false positive
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+)
+
+const Table = "foo"
+
+func main() {
+	var album string
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	stmt, err := db.Prepare("SELECT * FROM album WHERE id = ?")
+	if err != nil {
+		log.Fatal(err)
+	}
+	stmt.QueryRow(fmt.Sprintf("%s", os.Args[1])).Scan(&album)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			log.Fatal(err)
+		}
+	}
+	defer stmt.Close()
+}
+`}, 0, gosec.NewConfig()},
 	}
 
 	// SampleCodeG202 - SQL query string building via string concatenation
@@ -1431,6 +1527,70 @@ func main(){
 		}
 		defer rows.Close()
 }
+`}, 0, gosec.NewConfig()}, {[]string{`
+// ExecContext match
+package main
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main() {
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	result, err := db.ExecContext(context.Background(), "select * from foo where name = "+os.Args[1])
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(result)
+}`}, 1, gosec.NewConfig()}, {[]string{`
+// Exec match
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main() {
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	result, err := db.Exec("select * from foo where name = " + os.Args[1])
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(result)
+}`}, 1, gosec.NewConfig()}, {[]string{`
+package main
+
+import (
+	"database/sql"
+	"fmt"
+)
+const gender = "M"
+const age = "32"
+
+var staticQuery = "SELECT * FROM foo WHERE age < "
+
+func main() {
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	result, err := db.Exec("SELECT * FROM foo WHERE gender = " + gender)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(result)
+}
 `}, 0, gosec.NewConfig()},
 	}