mirror of
https://github.com/securego/gosec.git
synced 2025-03-01 04:33:29 +00:00
Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759)
This commit is contained in:
kaiili
GitHub
parent
58058af0c8
commit
75cc7dcd51
2 changed files with 79 additions and 0 deletions
13
rules/sql.go
13
rules/sql.go
|
|
@ -261,6 +261,19 @@ func (s *sqlStrFormat) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, erro
|
||||||
switch stmt := n.(type) {
|
switch stmt := n.(type) {
|
||||||
case *ast.AssignStmt:
|
case *ast.AssignStmt:
|
||||||
for _, expr := range stmt.Rhs {
|
for _, expr := range stmt.Rhs {
|
||||||
|
if call, ok := expr.(*ast.CallExpr); ok {
|
||||||
|
selector, ok := call.Fun.(*ast.SelectorExpr)
|
||||||
|
if !ok {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
sqlQueryCall, ok := selector.X.(*ast.CallExpr)
|
||||||
|
if ok && s.ContainsCallExpr(sqlQueryCall, ctx) != nil {
|
||||||
|
issue, err := s.checkQuery(sqlQueryCall, ctx)
|
||||||
|
if err == nil && issue != nil {
|
||||||
|
return issue, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
if sqlQueryCall, ok := expr.(*ast.CallExpr); ok && s.ContainsCallExpr(expr, ctx) != nil {
|
if sqlQueryCall, ok := expr.(*ast.CallExpr); ok && s.ContainsCallExpr(expr, ctx) != nil {
|
||||||
return s.checkQuery(sqlQueryCall, ctx)
|
return s.checkQuery(sqlQueryCall, ctx)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1189,6 +1189,72 @@ func main(){
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
defer rows.Close()
|
defer rows.Close()
|
||||||
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
|
// Format string with \n\r
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"database/sql"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main(){
|
||||||
|
db, err := sql.Open("sqlite3", ":memory:")
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
q := fmt.Sprintf("SELECT * FROM foo where\nname = '%s'", os.Args[1])
|
||||||
|
rows, err := db.Query(q)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
defer rows.Close()
|
||||||
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
|
// SQLI by db.Query(some).Scan(&other)
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"database/sql"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
var name string
|
||||||
|
db, err := sql.Open("sqlite3", ":memory:")
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1])
|
||||||
|
row := db.QueryRow(q)
|
||||||
|
err = row.Scan(&name)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
defer db.Close()
|
||||||
|
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||||
|
// SQLI by db.Query(some).Scan(&other)
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"database/sql"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
var name string
|
||||||
|
db, err := sql.Open("sqlite3", ":memory:")
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1])
|
||||||
|
err = db.QueryRow(q).Scan(&name)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
defer db.Close()
|
||||||
}`}, 1, gosec.NewConfig()},
|
}`}, 1, gosec.NewConfig()},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue