Fix false negatives for SQL injection in multi-line queries
This commit is contained in:
parent
4c1afaa492
commit
9d66b0d346
3 changed files with 24 additions and 3 deletions
|
@ -364,7 +364,7 @@ func main() {
|
|||
if err != nil {
|
||||
logger.Fatal(err)
|
||||
}
|
||||
// get a bug
|
||||
|
||||
ruleList := loadRules(includeRules, excludeRules)
|
||||
if len(ruleList.Rules) == 0 {
|
||||
logger.Fatal("No rules are configured")
|
||||
|
|
|
@ -282,7 +282,7 @@ func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
|||
noIssueQuoted: gosec.NewCallList(),
|
||||
sqlStatement: sqlStatement{
|
||||
patterns: []*regexp.Regexp{
|
||||
regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
|
||||
regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)( |\n|\r|\t)"),
|
||||
regexp.MustCompile("%[^bdoxXfFp]"),
|
||||
},
|
||||
MetaData: gosec.MetaData{
|
||||
|
|
|
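Review bot: The new separator alternation `( |\n|\r|\t)` on the SELECT/DELETE/INSERT pattern can be written as the whitespace class `\s`, which in Go's RE2 syntax matches `[\t\n\f\r ]` and therefore also covers form feeds that the explicit alternation misses; the literal `\n`/`\r`/`\t` escapes inside the double-quoted string are expanded by the Go compiler before the regexp package sees them, which works but is easy to misread. A proposed replacement for that line is `regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)\\s"),`. The keyword group still has no leading `\b`, so a word such as "nowhere " or "perform from " matches as SQL and the rule remains heuristic; a short comment above the patterns saying that these are substring heuristics rather than a SQL parser would help the next reader. NewSQLStrFormat starts and ends outside the hunk.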
@ -1168,7 +1168,28 @@ import (
|
|||
|
||||
func main(){
|
||||
fmt.Sprintln()
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
}`}, 0, gosec.NewConfig()}, {[]string{`
|
||||
// Format string with \n\r
|
||||
package main
|
||||
|
||||
import (
|
||||
"database/sql"
|
||||
"fmt"
|
||||
"os"
|
||||
)
|
||||
|
||||
func main(){
|
||||
db, err := sql.Open("sqlite3", ":memory:")
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1])
|
||||
rows, err := db.Query(q)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
defer rows.Close()
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG202 - SQL query string building via string concatenation
|
||||
|
|
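Review bot: The comment `// Format string with \n\r` on the new sample promises a carriage return, but the query on the `q := fmt.Sprintf(...)` line below it contains only `\n`, so the `\r` and `\t` separators this commit adds to the SQL keyword pattern are not exercised by any sample. Either narrow the comment to `// Format string with \n` or make the query cover the other separators, e.g. `q := fmt.Sprintf("SELECT * FROM foo where\r\n\tname = '%s'", os.Args[1])`, keeping the expected issue count at 1. The enclosing sample slice literal starts outside the hunk.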