Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix false negative for SQL injection when using DB.QueryRow.Scan() #757

Closed
wants to merge 17 commits into from
Closed

Fix false negative for SQL injection when using DB.QueryRow.Scan() #757

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
7aa862c
config global option suport exclude rules
justpurekl Dec 19, 2021
19605b1
add include option for config file
Dec 19, 2021
d24be85
fix
kaiili Dec 19, 2021
b62e705
Merge branch 'securego:master' into master
kaiili Dec 29, 2021
099bb8d
remove useless comment
kaiili Dec 29, 2021
7282771
Merge branch 'securego:master' into master
kaiili Jan 4, 2022
a6e1035
fix G201, change regexp to detect \n\r
kaiili Jan 4, 2022
6ad4444
Merge branch 'master' of github.com:kaiili/gosec
kaiili Jan 4, 2022
1a37534
add G201 \n test case
kaiili Jan 5, 2022
551e52a
Delete go.mod
kaiili Jan 5, 2022
8073d88
Delete go.sum
kaiili Jan 5, 2022
a4ddd81
merge branch 'master'
kaiili Jan 5, 2022
cd19e7c
sync go.mod go.sum from master
kaiili Jan 5, 2022
7ecc4eb
add new line in go.mod ,go.sum
kaiili Jan 5, 2022
9eff995
add test from G201
kaiili Jan 6, 2022
fd3fe2a
fix issues/713
kaiili Jan 9, 2022
69735e3
add test case for G201
kaiili Jan 9, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion cmd/gosec/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -364,7 +364,7 @@ func main() {
if err != nil {
logger.Fatal(err)
}
// get a bug

ruleList := loadRules(includeRules, excludeRules)
if len(ruleList.Rules) == 0 {
logger.Fatal("No rules are configured")
Expand Down
17 changes: 16 additions & 1 deletion rules/sql.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,6 +261,21 @@ func (s *sqlStrFormat) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, erro
switch stmt := n.(type) {
case *ast.AssignStmt:
for _, expr := range stmt.Rhs {
// when expr is CallExpr and Call.Fun.X is CallExpr ,check Call.Fun.X
if Call, ok := expr.(*ast.CallExpr); ok {
Selector, ok := Call.Fun.(*ast.SelectorExpr)
if !ok {
continue
}
sqlQueryCall, ok := Selector.X.(*ast.CallExpr)
// checkQuery when success get sqlQuery CallExpr and Selector contains Callexpr
if ok && s.ContainsCallExpr(sqlQueryCall, ctx) != nil {
issue, err := s.checkQuery(sqlQueryCall, ctx)
if err == nil && issue != nil {
return issue, err
}
}
}
if sqlQueryCall, ok := expr.(*ast.CallExpr); ok && s.ContainsCallExpr(expr, ctx) != nil {
return s.checkQuery(sqlQueryCall, ctx)
}
Expand All @@ -282,7 +297,7 @@ func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
noIssueQuoted: gosec.NewCallList(),
sqlStatement: sqlStatement{
patterns: []*regexp.Regexp{
regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)( |\n|\r|\t)"),
regexp.MustCompile("%[^bdoxXfFp]"),
},
MetaData: gosec.MetaData{
Expand Down
89 changes: 88 additions & 1 deletion testutils/source.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1168,7 +1168,94 @@ import (

func main(){
fmt.Sprintln()
}`}, 0, gosec.NewConfig()},
}`}, 0, gosec.NewConfig()}, {[]string{`
// Format string with \n\r
package main

import (
"database/sql"
"fmt"
"os"
)

func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1])
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
// Format string with \n\r
package main

import (
"database/sql"
"fmt"
"os"
)

func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT * FROM foo where\nname = '%s'", os.Args[1])
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
// SQLI by db.Query(some).Scan(&other)
package main

import (
"database/sql"
"fmt"
"os"
)

func main() {
var name string
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1])
row := db.QueryRow(q)
err = row.Scan(&name)
if err != nil {
panic(err)
}
defer db.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
// SQLI by db.Query(some).Scan(&other)
package main

import (
"database/sql"
"fmt"
"os"
)

func main() {
var name string
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1])
err = db.QueryRow(q).Scan(&name)
if err != nil {
panic(err)
}
defer db.Close()
}`}, 1, gosec.NewConfig()},
}

// SampleCodeG202 - SQL query string building via string concatenation
Expand Down