Merge pull request #3304 from semgrep/merge-develop-to-release

Merge Develop into Release
semgrep · Feb 12, 2024 · 0a3063a · 0a3063a
2 parents 1aec993 + b7c74f4
commit 0a3063a
Show file tree

Hide file tree

Showing 2 changed files with 109 additions and 126 deletions.
diff --git a/go/lang/security/audit/database/string-formatted-query.go b/go/lang/security/audit/database/string-formatted-query.go
@@ -57,6 +57,24 @@ func dbQuery3(r *http.Request, username string) {
     }
 }
 
+func dbQuery4(r *http.Request, username string) {
+    // ruleid: string-formatted-query
+    query := fmt.Sprintf("%s AND INSERT into users (username, password)", username)
+    _, err = db.Exec(query)
+    if err != nil {
+        http.Error("mistake")
+    }
+}
+
+func dbQuery5(r *http.Request, username string, password string) {
+	// ruleid: string-formatted-query
+	query := fmt.Sprintf("INSERT into users (username, password) VALUES(%s, %s)", username, password)
+	_, err = db.QueryRow(query)
+	if err != nil {
+		http.Error("mistake")
+	}
+}
+
 func okDbQuery1(r *http.Request) {
     // ok: string-formatted-query
     _, err = db.Exec("INSERT into users (username, password) VALUES(" + "username" + ", " + "smth)")
@@ -110,57 +128,75 @@ func dbQueryRowContext(r *http.Request) {
 
 func dbExecFmt(r *http.Request) {
 	customerId := r.URL.Query().Get("id")
-	// ruleid: string-formatted-query
 	query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s"
-    	query = fmt.Printf(query, customerId)
+	// ruleid: string-formatted-query
+    query = fmt.Printf(query, customerId)
 
 	row, _ := db.Exec(query)
 }
 
 func dbExecContextFmt(r *http.Request) {
 	ctx := context.Background()
 	customerId := r.URL.Query().Get("id")
-	// ruleid: string-formatted-query
 	query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s"
-    	query = fmt.Printf(query, customerId)
+	// ruleid: string-formatted-query
+    query = fmt.Printf(query, customerId)
 
 	row, _ := db.ExecContext(ctx, query)
 }
 
 func dbQueryFmt(r *http.Request) {
 	customerId := r.URL.Query().Get("id")
-	// ruleid: string-formatted-query
 	query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s"
-    	query = fmt.Printf(query, customerId)
+	// ruleid: string-formatted-query
+    query = fmt.Printf(query, customerId)
 
 	row, _ := db.Query(query)
 }
 
-func dbQueryContextFmt(r *http.Request) {
+func dbQueryContextFmtReassign(r *http.Request) {
 	ctx := context.Background()
 	customerId := r.URL.Query().Get("id")
-	// ruleid: string-formatted-query
 	query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s"
-    	query = fmt.Printf(query, customerId)
+	// ruleid: string-formatted-query
+    query = fmt.Printf(query, customerId)
 
 	row, _ := db.QueryContext(ctx, query)
 }
 
-func dbQueryRowFmt(r *http.Request) {
+
+func dbQueryContextFmt(r *http.Request) {
+	ctx := context.Background()
 	customerId := r.URL.Query().Get("id")
 	// ruleid: string-formatted-query
+	query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId)
+	row, _ := db.QueryContext(ctx, query)
+}
+
+func dbQueryRowFmt(r *http.Request) {
+	customerId := r.URL.Query().Get("id")
 	query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s"
-    	query = fmt.Printf(query, customerId)
+		// ruleid: string-formatted-query
+	query = fmt.Printf(query, customerId)
 
 	row, _ := db.QueryRow(query)
 }
 
+func dbQueryRowContextReassign(r *http.Request) {
+	ctx := context.Background()
+	customerId := r.URL.Query().Get("id")
+	query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s"
+	// ruleid: string-formatted-query
+    query = fmt.Printf(query, customerId)
+
+	row, _ := db.QueryRowContext(ctx, query)
+}
+
 func dbQueryRowContextFmt(r *http.Request) {
 	ctx := context.Background()
 	customerId := r.URL.Query().Get("id")
 	// ruleid: string-formatted-query
-	query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s"
-    	query = fmt.Printf(query, customerId)
+	query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId)
 
 	row, _ := db.QueryRowContext(ctx, query)
 }
@@ -200,6 +236,15 @@ func postgresBadDirectQueryFmt(r *http.Request) {
     row, _ := postgresDb.QueryRow(ctx, fmt.Printf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId))
 }
 
+func postgresQueryFmt(r *http.Request) {
+    ctx := context.Background()
+    customerId := r.URL.Query().Get("id")
+	// ruleid: string-formatted-query
+	query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId)
+
+    row, _ := postgresDb.QueryRow(ctx, query)
+}
+
 package main
 
 import (

diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml
@@ -53,117 +53,55 @@ rules:
     - pattern: $OBJ.Query(fmt.$P("...", ...))
     - pattern: $OBJ.QueryContext($CTX, fmt.$P("...", ...))
     - pattern: $OBJ.QueryRow(fmt.$P("...", ...))
-    - pattern: $OBJ.QueryRow($CTX, fmt.$P("...", ...))
+    - pattern: $OBJ.QueryRow($CTX, fmt.$U("...", ...))
     - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...))
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $QUERY = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.Exec($QUERY, ...)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $QUERY = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.Query($QUERY, ...)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $QUERY = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.ExecContext($CTX, $QUERY, ...)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $QUERY = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.QueryContext($CTX, $QUERY, ...)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $QUERY = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.QueryRow($QUERY)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $QUERY = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.QueryRow($CTX, $QUERY)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $QUERY = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.QueryRowContext($CTX, $QUERY, ...)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $OTHER = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.Exec($OTHER, ...)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $OTHER = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.Query($OTHER, ...)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $OTHER = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.ExecContext($CTX, $OTHER, ...)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $OTHER = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.QueryContext($CTX, $OTHER, ...)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $OTHER = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.QueryRow($OTHER)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $OTHER = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.QueryRow($CTX, $OTHER)
-    - pattern: |
-        $QUERY = "..."
-        ...
-        $OTHER = $FXN(..., $QUERY, ...)
-        ...
-        $OBJ.QueryRowContext($CTX, $OTHER, ...)
-    - pattern: |
-        $QUERY = $X + ...
-        ...
-        $OBJ.Exec($QUERY, ...)
-    - pattern: |
-        $QUERY = $X + ...
-        ...
-        $OBJ.Query($QUERY, ...)
-    - pattern: |
-        $QUERY = $X + ...
-        ...
-        $OBJ.ExecContext($CTX, $QUERY, ...)
-    - pattern: |
-        $QUERY = $X + ...
-        ...
-        $OBJ.QueryContext($CTX, $QUERY, ...)
-    - pattern: |
-        $QUERY = $X + ...
-        ...
-        $OBJ.QueryRow($QUERY)
-    - pattern: |
-        $QUERY = $X + ...
-        ...
-        $OBJ.QueryRow($CTX, $QUERY)
-    - pattern: |
-        $QUERY = $X + ...
-        ...
-        $OBJ.QueryRowContext($CTX, $QUERY, ...)
+    - patterns:
+        - pattern-either:
+            - pattern: $QUERY = fmt.Fprintf($F, "$SQLSTR", ...)
+            - pattern: $QUERY = fmt.Sprintf("$SQLSTR", ...)
+            - pattern: $QUERY = fmt.Printf("$SQLSTR", ...)
+            - pattern: $QUERY = $X + ...
+        - pattern-either:
+            - pattern-inside: |
+                func $FUNC(...) {
+                    ...
+                    $OBJ.Query($QUERY, ...)
+                    ...
+                }
+            - pattern-inside: |
+                func $FUNC(...) {
+                    ...
+                    $OBJ.ExecContext($CTX, $QUERY, ...)
+                    ...
+                }
+            - pattern-inside: |
+                func $FUNC(...) {
+                    ...
+                    $OBJ.Exec($QUERY, ...)
+                    ...
+                }
+            - pattern-inside: |
+                func $FUNC(...) {
+                    ...
+                    $OBJ.QueryRow($CTX, $QUERY)
+                    ...
+                }
+            - pattern-inside: |
+                func $FUNC(...) {
+                    ...
+                    $OBJ.QueryRow($QUERY)
+                    ...
+                }
+            - pattern-inside: |
+                func $FUNC(...) {
+                    ...
+                    $OBJ.QueryContext($CTX, $QUERY)
+                    ...
+                }
+            - pattern-inside: |
+                func $FUNC(...) {
+                    ...
+                    $OBJ.QueryRowContext($CTX, $QUERY, ...)
+                    ...
+                }
+