Fix false negatives for SQL injection in multi-line queries

kaiili · web-flow · commit 9d66b0d34623 · 2022-01-05T12:05:53.000+01:00
diff --git a/cmd/gosec/main.go b/cmd/gosec/main.go
@@ -364,7 +364,7 @@ func main() {
 	if err != nil {
 		logger.Fatal(err)
 	}
-	// get a bug
+
 	ruleList := loadRules(includeRules, excludeRules)
 	if len(ruleList.Rules) == 0 {
 		logger.Fatal("No rules are configured")
diff --git a/rules/sql.go b/rules/sql.go
@@ -282,7 +282,7 @@ func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 		noIssueQuoted: gosec.NewCallList(),
 		sqlStatement: sqlStatement{
 			patterns: []*regexp.Regexp{
-				regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
+				regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)( |\n|\r|\t)"),
 				regexp.MustCompile("%[^bdoxXfFp]"),
 			},
 			MetaData: gosec.MetaData{
diff --git a/testutils/source.go b/testutils/source.go
@@ -1168,7 +1168,28 @@ import (
 
 func main(){
 	fmt.Sprintln()
-}`}, 0, gosec.NewConfig()},
+}`}, 0, gosec.NewConfig()}, {[]string{`
+// Format string with \n\r
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1])
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}`}, 1, gosec.NewConfig()},
 	}
 
 	// SampleCodeG202 - SQL query string building via string concatenation

Original file line number	Diff line number	Diff line change
`@@ -364,7 +364,7 @@ func main() {`
`364`	`364`	`if err != nil {`
`365`	`365`	`logger.Fatal(err)`
`366`	`366`	`}`
`367`		`- // get a bug`
	`367`	`+`
`368`	`368`	`ruleList := loadRules(includeRules, excludeRules)`
`369`	`369`	`if len(ruleList.Rules) == 0 {`
`370`	`370`	`logger.Fatal("No rules are configured")`