Fix false negatives for SQL injection in multi-line queries

2024-11-05 19:45:51 +00:00 · 2022-01-05 19:05:53 +08:00 · 2022-01-05 19:05:53 +08:00 · 9d66b0d346
commit 9d66b0d346
parent 4c1afaa492
3 changed files with 24 additions and 3 deletions
--- a/cmd/gosec/main.go
+++ b/cmd/gosec/main.go
@ -364,7 +364,7 @@ func main() {
 	if err != nil {
 		logger.Fatal(err)
 	}
-	// get a bug
+
 	ruleList := loadRules(includeRules, excludeRules)
 	if len(ruleList.Rules) == 0 {
 		logger.Fatal("No rules are configured")
--- a/rules/sql.go
+++ b/rules/sql.go
@ -282,7 +282,7 @@ func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 		noIssueQuoted: gosec.NewCallList(),
 		sqlStatement: sqlStatement{
 			patterns: []*regexp.Regexp{
-				regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
+				regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)( |\n|\r|\t)"),
 				regexp.MustCompile("%[^bdoxXfFp]"),
 			},
 			MetaData: gosec.MetaData{
--- a/testutils/source.go
+++ b/testutils/source.go
@ -1168,7 +1168,28 @@ import (

 func main(){
 	fmt.Sprintln()
-}`}, 0, gosec.NewConfig()},
+}`}, 0, gosec.NewConfig()}, {[]string{`
+// Format string with \n\r
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1])
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}`}, 1, gosec.NewConfig()},
 	}

 	// SampleCodeG202 - SQL query string building via string concatenation