mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 12:05:52 +00:00
Fix false negatives for SQL injection in multi-line queries
This commit is contained in:
parent
4c1afaa492
commit
9d66b0d346
3 changed files with 24 additions and 3 deletions
|
@ -364,7 +364,7 @@ func main() {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatal(err)
|
logger.Fatal(err)
|
||||||
}
|
}
|
||||||
// get a bug
|
|
||||||
ruleList := loadRules(includeRules, excludeRules)
|
ruleList := loadRules(includeRules, excludeRules)
|
||||||
if len(ruleList.Rules) == 0 {
|
if len(ruleList.Rules) == 0 {
|
||||||
logger.Fatal("No rules are configured")
|
logger.Fatal("No rules are configured")
|
||||||
|
|
|
@ -282,7 +282,7 @@ func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
noIssueQuoted: gosec.NewCallList(),
|
noIssueQuoted: gosec.NewCallList(),
|
||||||
sqlStatement: sqlStatement{
|
sqlStatement: sqlStatement{
|
||||||
patterns: []*regexp.Regexp{
|
patterns: []*regexp.Regexp{
|
||||||
regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
|
regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)( |\n|\r|\t)"),
|
||||||
regexp.MustCompile("%[^bdoxXfFp]"),
|
regexp.MustCompile("%[^bdoxXfFp]"),
|
||||||
},
|
},
|
||||||
MetaData: gosec.MetaData{
|
MetaData: gosec.MetaData{
|
||||||
|
|
|
@ -1168,7 +1168,28 @@ import (
|
||||||
|
|
||||||
func main(){
|
func main(){
|
||||||
fmt.Sprintln()
|
fmt.Sprintln()
|
||||||
}`}, 0, gosec.NewConfig()},
|
}`}, 0, gosec.NewConfig()}, {[]string{`
|
||||||
|
// Format string with \n\r
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"database/sql"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main(){
|
||||||
|
db, err := sql.Open("sqlite3", ":memory:")
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1])
|
||||||
|
rows, err := db.Query(q)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
defer rows.Close()
|
||||||
|
}`}, 1, gosec.NewConfig()},
|
||||||
}
|
}
|
||||||
|
|
||||||
// SampleCodeG202 - SQL query string building via string concatenation
|
// SampleCodeG202 - SQL query string building via string concatenation
|
||||||
|
|
Loading…
Reference in a new issue