Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix false negative for SQL injection when using DB.QueryRow.Scan() #759

Merged
merged 3 commits into from
Jan 12, 2022

Conversation

kaiili
Copy link
Contributor

@kaiili kaiili commented Jan 11, 2022

Problem
fixes #713

Details :
can be seen in #713.
G201 regexp only match callexpr once.
If there is a sqlquery like the following, there will be problems with matching.

func main() {
var name string
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1])
err = db.QueryRow(q).Scan(&name)
if err != nil {
panic(err)
}
defer db.Close()
}

Solution
Add an extra check befor checkQuery.

Copy link
Member

@ccojocar ccojocar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank for rebasing the pull request. I left a few review comments. It would be great if you could have a look at them. Please could you also check the tests, there is one test failing. Thanks again!

rules/sql.go Outdated Show resolved Hide resolved
rules/sql.go Outdated Show resolved Hide resolved
testutils/source.go Outdated Show resolved Hide resolved
testutils/source.go Outdated Show resolved Hide resolved
testutils/source.go Outdated Show resolved Hide resolved
rules/sql.go Outdated Show resolved Hide resolved
rules/sql.go Outdated Show resolved Hide resolved
@ccojocar ccojocar merged commit 75cc7dc into securego:master Jan 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

False negative for SQL injection when using DB.QueryRow.Scan()
2 participants