From eaf16019a9e4f1fb46a8e53e8aae3f7680c85504 Mon Sep 17 00:00:00 2001 From: Martin Vrachev Date: Wed, 13 Feb 2019 12:34:33 +0200 Subject: [PATCH 1/2] Add documentation for rule G201 Introduction + incorrect example + correct example + reference links. Signed-off-by: Martin Vrachev --- .../g201_sql_injection_via_format_string.md | 67 +++++++++++++++++++ website/sidebars.json | 3 +- 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 docs/rules/g201_sql_injection_via_format_string.md diff --git a/docs/rules/g201_sql_injection_via_format_string.md b/docs/rules/g201_sql_injection_via_format_string.md new file mode 100644 index 0000000..0c31be8 --- /dev/null +++ b/docs/rules/g201_sql_injection_via_format_string.md @@ -0,0 +1,67 @@ +--- +id: g201 +title: G201: SQL query construction using format stringg +--- + +SQL injection is one of the top security issues develops made and the consequences of this can be enormous. +Using the format string function in the fmt Golang package to dynamically create an SQL query can easily create a possibility for SQL injection. The reason is that the format string function doesn't escape special characters like ' and it's easy to add second SQL command in the format string. + +## Example problematic code: + +``` +package main +import ( + "database/sql" + "fmt" + "os" +) +func main(){ + db, err := sql.Open("sqlite3", ":memory:") + if err != nil { + panic(err) + } + q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1]) + rows, err := db.Query(q) + if err != nil { + panic(err) + } + defer rows.Close() +} +``` + +## Gosec command line output + +``` +[examples/main.go:14] - G201: SQL string formatting (Confidence: HIGH, Severity: MEDIUM) + > fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1]) +``` + +## The right way + +Using a static SQL query is always preferred. + +``` +package main +import ( + "database/sql" +) +const staticQuery = "SELECT * FROM foo WHERE age < 32" +func main(){ + db, err := sql.Open("sqlite3", ":memory:") + if err != nil { + panic(err) + } + rows, err := db.Query(staticQuery) + if err != nil { + panic(err) + } + defer rows.Close() +} +``` + +It is highly recommended to use the database/sql package in Golang instead of fmt package for SQL queries. + +## See also + +* https://www.calhoun.io/what-is-sql-injection-and-how-do-i-avoid-it-in-go/ +* https://astaxie.gitbooks.io/build-web-application-with-golang/en/09.4.html diff --git a/website/sidebars.json b/website/sidebars.json index 039774e..783f9ac 100644 --- a/website/sidebars.json +++ b/website/sidebars.json @@ -6,7 +6,8 @@ "rules/g102", "rules/g103", "rules/g104", - "rules/g107" + "rules/g107", + "rules/g201" ] } } From 691b8e7496e29f17f068aa00287b07ef56ca9fda Mon Sep 17 00:00:00 2001 From: Martin Vrachev Date: Mon, 18 Feb 2019 11:23:13 +0200 Subject: [PATCH 2/2] Add documentation about the use of database/sql package I fixed a few typos and added a paragraph about the use of database/sql package. Signed-off-by: Martin Vrachev --- .../g201_sql_injection_via_format_string.md | 38 +++++++++++++++++-- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/docs/rules/g201_sql_injection_via_format_string.md b/docs/rules/g201_sql_injection_via_format_string.md index 0c31be8..e789740 100644 --- a/docs/rules/g201_sql_injection_via_format_string.md +++ b/docs/rules/g201_sql_injection_via_format_string.md @@ -1,9 +1,9 @@ --- id: g201 -title: G201: SQL query construction using format stringg +title: G201: SQL query construction using format string --- -SQL injection is one of the top security issues develops made and the consequences of this can be enormous. +[SQL injection](https://en.wikipedia.org/wiki/SQL_injection) is one of the top security issues developers make and the consequences of this can be severe. Using the format string function in the fmt Golang package to dynamically create an SQL query can easily create a possibility for SQL injection. The reason is that the format string function doesn't escape special characters like ' and it's easy to add second SQL command in the format string. ## Example problematic code: @@ -38,7 +38,9 @@ func main(){ ## The right way -Using a static SQL query is always preferred. +Two of the ways to escape SQL injection when using Golang are: + +1) use static queries ``` package main @@ -59,6 +61,36 @@ func main(){ } ``` +2) use the database/sql +By using the database/sql package along with argument placeholders you are able to construct SQL statements that are automatically escaped properly. +The key distinction here is that you aren’t trying to construct the SQL statement yourself, but instead you are providing arguments that can be easily escaped. The underlying driver for database/sql will ultimately be aware of what special characters it needs to handle and will escape them for you, preventing any nefarious SQL from running. + + +``` +package main +import ( + "database/sql" + "bufio" + +) +func main(){ + db, err := sql.Open("sqlite3", ":memory:") + if err != nil { + panic(err) + } + in := bufio.NewReader(os.Stdin) + name, err := in.ReadString('\n') + if err != nil { + panic(err) + } + rows, err := db.Query("SELECT * FROM foo WHERE name = ?", name) + if err != nil { + panic(err) + } + defer rows.Close() +} +``` + It is highly recommended to use the database/sql package in Golang instead of fmt package for SQL queries. ## See also