Merge pull request #13599 from pwntester/ruby/gopg_improvements

Go: Improve go-pg support

Author: owen-mc

go/ql/lib/change-notes/2023-06-28--improve-support-for-gopg-framework.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Support for the [go-pg framework](https://github.com/go-pg/pg) has been improved.
+

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -145,9 +145,25 @@ module SQL {
           f.hasQualifiedName(gopgorm(), "Q") and
           arg = 0
           or
-          exists(string tp, string m | f.(Method).hasQualifiedName(gopgorm(), tp, m) |
+          exists(string tp, string m | f.(Method).hasQualifiedName([gopgorm(), gopg()], tp, m) |
+            tp = ["DB", "Conn"] and
+            m = ["QueryContext", "QueryOneContext"] and
+            arg = 2
+            or
+            tp = ["DB", "Conn"] and
+            m = ["ExecContext", "ExecOneContext", "Query", "QueryOne"] and
+            arg = 1
+            or
+            tp = ["DB", "Conn"] and
+            m = ["Exec", "ExecOne", "Prepare"] and
+            arg = 0
+            or
             tp = "Query" and
-            m = ["ColumnExpr", "For", "Having", "Where", "WhereIn", "WhereInMulti", "WhereOr"] and
+            m =
+              [
+                "ColumnExpr", "For", "GroupExpr", "Having", "Join", "OrderExpr", "TableExpr",
+                "Where", "WhereIn", "WhereInMulti", "WhereOr"
+              ] and
             arg = 0
             or
             tp = "Query" and

go/ql/test/library-tests/semmle/go/frameworks/SQL/go-pg/go-pg.expected

@@ -0,0 +1,20 @@
+| go-pg.go:38:10:38:18 | untrusted | github.com/go-pg/pg/v10 | DB | Exec |
+| go-pg.go:39:13:39:21 | untrusted | github.com/go-pg/pg/v10 | DB | ExecOne |
+| go-pg.go:40:13:40:21 | untrusted | github.com/go-pg/pg/v10 | DB | Prepare |
+| go-pg.go:42:22:42:30 | untrusted | github.com/go-pg/pg/v10 | DB | ExecContext |
+| go-pg.go:43:25:43:33 | untrusted | github.com/go-pg/pg/v10 | DB | ExecOneContext |
+| go-pg.go:44:21:44:29 | untrusted | github.com/go-pg/pg/v10 | DB | Query |
+| go-pg.go:45:24:45:32 | untrusted | github.com/go-pg/pg/v10 | DB | QueryOne |
+| go-pg.go:47:45:47:53 | untrusted | github.com/go-pg/pg/v10 | DB | QueryOneContext |
+| go-pg.go:48:33:48:41 | untrusted | github.com/go-pg/pg/v10 | DB | QueryContext |
+| go-pg.go:52:14:52:22 | untrusted | github.com/go-pg/pg/v10/orm | Query | ColumnExpr |
+| go-pg.go:53:8:53:16 | untrusted | github.com/go-pg/pg/v10/orm | Query | Join |
+| go-pg.go:54:9:54:17 | untrusted | github.com/go-pg/pg/v10/orm | Query | Where |
+| go-pg.go:55:13:55:21 | untrusted | github.com/go-pg/pg/v10/orm | Query | OrderExpr |
+| go-pg.go:56:13:56:21 | untrusted | github.com/go-pg/pg/v10/orm | Query | GroupExpr |
+| go-pg.go:57:13:57:21 | untrusted | github.com/go-pg/pg/v10/orm | Query | TableExpr |
+| go-pg.go:58:11:58:19 | untrusted | github.com/go-pg/pg/v10/orm | Query | WhereIn |
+| go-pg.go:59:16:59:24 | untrusted | github.com/go-pg/pg/v10/orm | Query | WhereInMulti |
+| go-pg.go:60:11:60:19 | untrusted | github.com/go-pg/pg/v10/orm | Query | WhereOr |
+| go-pg.go:61:7:61:15 | untrusted | github.com/go-pg/pg/v10/orm | Query | For |
+| go-pg.go:62:10:62:18 | untrusted | github.com/go-pg/pg/v10/orm | Query | Having |

go/ql/test/library-tests/semmle/go/frameworks/SQL/go-pg/go-pg.go

@@ -0,0 +1,64 @@
+package main
+
+import (
+	"context"
+	pg "github.com/go-pg/pg/v10"
+)
+
+type Profile struct {
+	ID   int
+	Lang string
+}
+
+type User struct {
+	ID        int
+	Name      string
+	ProfileID int
+	Profile   *Profile `pg:"-"`
+}
+
+func getUntrustedString() string {
+	return "trouble"
+}
+
+func main() {
+
+	untrusted := getUntrustedString()
+
+	ctx := context.Background()
+	db := pg.Connect(&pg.Options{
+		Addr:     ":5432",
+		User:     "user",
+		Password: "pass",
+		Database: "db_name",
+	})
+
+	var version string
+
+	db.Exec(untrusted)
+	db.ExecOne(untrusted)
+	db.Prepare(untrusted)
+
+	db.ExecContext(ctx, untrusted)
+	db.ExecOneContext(ctx, untrusted)
+	db.Query(&version, untrusted)
+	db.QueryOne(&version, untrusted)
+
+	db.QueryOneContext(ctx, pg.Scan(&version), untrusted)
+	db.QueryContext(ctx, &version, untrusted)
+
+	var user User
+	db.Model(&user).
+		ColumnExpr(untrusted).
+		Join(untrusted).
+		Where(untrusted, 123).
+		OrderExpr(untrusted).
+		GroupExpr(untrusted).
+		TableExpr(untrusted).
+		WhereIn(untrusted, 1).
+		WhereInMulti(untrusted, 1).
+		WhereOr(untrusted, 1).
+		For(untrusted).
+		Having(untrusted).
+		Select()
+}

go/ql/test/library-tests/semmle/go/frameworks/SQL/go-pg/go-pg.ql

@@ -0,0 +1,5 @@
+import go
+
+from SQL::QueryString qs, Method meth, string a, string b, string c
+where meth.hasQualifiedName(a, b, c) and qs = meth.getACall().getSyntacticArgument(_)
+select qs, a, b, c

go/ql/test/library-tests/semmle/go/frameworks/SQL/go-pg/go.mod

@@ -0,0 +1,20 @@
+module pwntester/go-pg
+
+go 1.19
+
+require github.com/go-pg/pg/v10 v10.11.0
+
+require (
+	github.com/go-pg/zerochecker v0.2.0 // indirect
+	github.com/jinzhu/inflection v1.0.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc // indirect
+	github.com/vmihailenco/bufpool v0.1.11 // indirect
+	github.com/vmihailenco/msgpack/v5 v5.3.4 // indirect
+	github.com/vmihailenco/tagparser v0.1.2 // indirect
+	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
+	golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	mellium.im/sasl v0.3.1 // indirect
+)