Fix false negatives for SQL injection in multi-line queries

securego · Jan 5, 2022 · 9d66b0d · 9d66b0d
1 parent 4c1afaa
commit 9d66b0d
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/cmd/gosec/main.go b/cmd/gosec/main.go
@@ -364,7 +364,7 @@ func main() {
 	if err != nil {
 		logger.Fatal(err)
 	}
-	// get a bug
+
 	ruleList := loadRules(includeRules, excludeRules)
 	if len(ruleList.Rules) == 0 {
 		logger.Fatal("No rules are configured")

diff --git a/rules/sql.go b/rules/sql.go
@@ -282,7 +282,7 @@ func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 		noIssueQuoted: gosec.NewCallList(),
 		sqlStatement: sqlStatement{
 			patterns: []*regexp.Regexp{
-				regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
+				regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)( |\n|\r|\t)"),
 				regexp.MustCompile("%[^bdoxXfFp]"),
 			},
 			MetaData: gosec.MetaData{

diff --git a/testutils/source.go b/testutils/source.go
@@ -1168,7 +1168,28 @@ import (
 
 func main(){
 	fmt.Sprintln()
-}`}, 0, gosec.NewConfig()},
+}`}, 0, gosec.NewConfig()}, {[]string{`
+// Format string with \n\r
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1])
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}`}, 1, gosec.NewConfig()},
 	}
 
 	// SampleCodeG202 - SQL query string building via string concatenation