diff --git a/go/lang/security/audit/database/string-formatted-query.go b/go/lang/security/audit/database/string-formatted-query.go index bf41ed18ce..4197bde809 100644 --- a/go/lang/security/audit/database/string-formatted-query.go +++ b/go/lang/security/audit/database/string-formatted-query.go @@ -57,6 +57,24 @@ func dbQuery3(r *http.Request, username string) { } } +func dbQuery4(r *http.Request, username string) { + // ruleid: string-formatted-query + query := fmt.Sprintf("%s AND INSERT into users (username, password)", username) + _, err = db.Exec(query) + if err != nil { + http.Error("mistake") + } +} + +func dbQuery5(r *http.Request, username string, password string) { + // ruleid: string-formatted-query + query := fmt.Sprintf("INSERT into users (username, password) VALUES(%s, %s)", username, password) + _, err = db.QueryRow(query) + if err != nil { + http.Error("mistake") + } +} + func okDbQuery1(r *http.Request) { // ok: string-formatted-query _, err = db.Exec("INSERT into users (username, password) VALUES(" + "username" + ", " + "smth)") @@ -110,9 +128,9 @@ func dbQueryRowContext(r *http.Request) { func dbExecFmt(r *http.Request) { customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.Exec(query) } 
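Review bot: In dbQuery5, `_, err = db.QueryRow(query)` does not type-check, because `(*sql.DB).QueryRow` returns a single `*sql.Row`, and `http.Error("mistake")` in both new functions omits the `ResponseWriter` and status-code arguments, so the fixture is further from real code than it needs to be; `row := db.QueryRow(query)` would exercise the rule's `$OBJ.QueryRow($QUERY)` branch with the shape a scanner actually meets. Neither function declares the `err` it assigns with `=`; unless a package-level `err` exists above this hunk, `_, err := db.Exec(query)` is the intended form. dbQuery4 puts the user-supplied `%s` ahead of the SQL keyword, which only tests something if the `$SQLSTR` constraint outside this hunk anchors on a leading keyword — a short comment such as `// user input precedes the SQL keyword; must still be flagged` would record that intent.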
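Review bot: The re-indented `query = fmt.Printf(query, customerId)` in dbExecFmt assigns the `(int, error)` result of `fmt.Printf` to a string, so this fixture (and dbExecContextFmt, dbQueryFmt, dbQueryContextFmtReassign, dbQueryRowFmt and dbQueryRowContextReassign in the next hunk) can only exist in a test file and the rule's `fmt.Printf` branch exists solely to match it. The realistic reassignment is `query = fmt.Sprintf(query, customerId)`, which is also the case that now depends on the `"$SQLSTR"` literal pattern resolving a variable through constant propagation after the `:=` on the previous line; moving the fixtures to `Sprintf` would make that dependency the thing being tested. Moving the `ruleid` marker onto the reassignment line is consistent with the new rule, but a one-line comment explaining that the finding is expected on the format call rather than on the literal would save the next reader from re-deriving it.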
@@ -120,47 +138,65 @@ func dbExecFmt(r *http.Request) { func dbExecContextFmt(r *http.Request) { ctx := context.Background() customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.ExecContext(ctx, query) } func dbQueryFmt(r *http.Request) { customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.Query(query) } -func dbQueryContextFmt(r *http.Request) { +func dbQueryContextFmtReassign(r *http.Request) { ctx := context.Background() customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.QueryContext(ctx, query) } -func dbQueryRowFmt(r *http.Request) { + +func dbQueryContextFmt(r *http.Request) { + ctx := context.Background() customerId := r.URL.Query().Get("id") // ruleid: string-formatted-query + query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId) + row, _ := db.QueryContext(ctx, query) +} + +func dbQueryRowFmt(r *http.Request) { + customerId := r.URL.Query().Get("id") query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.QueryRow(query) } +func dbQueryRowContextReassign(r *http.Request) { + ctx := context.Background() + customerId := r.URL.Query().Get("id") + query := "SELECT number, 
expireDate, cvv FROM creditcards WHERE customerId = %s" + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) + + row, _ := db.QueryRowContext(ctx, query) +} + func dbQueryRowContextFmt(r *http.Request) { ctx := context.Background() customerId := r.URL.Query().Get("id") // ruleid: string-formatted-query - query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId) row, _ := db.QueryRowContext(ctx, query) } @@ -200,6 +236,15 @@ func postgresBadDirectQueryFmt(r *http.Request) { row, _ := postgresDb.QueryRow(ctx, fmt.Printf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId)) } +func postgresQueryFmt(r *http.Request) { + ctx := context.Background() + customerId := r.URL.Query().Get("id") + // ruleid: string-formatted-query + query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId) + + row, _ := postgresDb.QueryRow(ctx, query) +} + package main import ( diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index 91864da625..7aeb388a60 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml 
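Review bot: The new function names are inconsistent: `dbQueryContextFmtReassign` keeps the `Fmt` infix that every sibling in this file carries, while `dbQueryRowContextReassign` drops it; `dbQueryRowContextFmtReassign` keeps the pairing with `dbQueryRowContextFmt` obvious. `dbQueryRowContextReassign` and `postgresQueryFmt` in the following hunk also leave a stray blank line between the format call and the `row, _ :=` line, unlike the other fixtures. Since the `ruleid` marker is matched to the line that follows it, the blank line is harmless for the test but is the kind of layout drift gofmt will not remove, so it is worth dropping now.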
@@ -53,117 +53,55 @@ rules: - pattern: $OBJ.Query(fmt.$P("...", ...)) - pattern: $OBJ.QueryContext($CTX, fmt.$P("...", ...)) - pattern: $OBJ.QueryRow(fmt.$P("...", ...)) - - pattern: $OBJ.QueryRow($CTX, fmt.$P("...", ...)) + - pattern: $OBJ.QueryRow($CTX, fmt.$U("...", ...)) - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...)) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.Exec($QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.Query($QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.ExecContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRow($QUERY) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.Exec($OTHER, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.Query($OTHER, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.ExecContext($CTX, $OTHER, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryContext($CTX, $OTHER, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRow($OTHER) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRow($CTX, $OTHER) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRowContext($CTX, $OTHER, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.Exec($QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... 
- $OBJ.Query($QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.ExecContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryRow($QUERY) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) + - patterns: + - pattern-either: + - pattern: $QUERY = fmt.Fprintf($F, "$SQLSTR", ...) + - pattern: $QUERY = fmt.Sprintf("$SQLSTR", ...) + - pattern: $QUERY = fmt.Printf("$SQLSTR", ...) + - pattern: $QUERY = $X + ... + - pattern-either: + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.Query($QUERY, ...) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.ExecContext($CTX, $QUERY, ...) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.Exec($QUERY, ...) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.QueryRow($CTX, $QUERY) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.QueryRow($QUERY) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.QueryContext($CTX, $QUERY) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.QueryRowContext($CTX, $QUERY, ...) + ... + } + \ No newline at end of file
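Review bot: The new `pattern-inside` for `QueryContext` is `$OBJ.QueryContext($CTX, $QUERY)`, dropping the trailing `, ...` that the removed `$OBJ.QueryContext($CTX, $QUERY, ...)` pattern had, so a formatted query passed together with bind arguments is no longer reported; it should read `$OBJ.QueryContext($CTX, $QUERY, ...)` to match the `QueryRowContext` entry beside it. The rewrite also narrows what the rule sees: the removed `$OTHER = $FXN(..., $QUERY, ...)` and `$QUERY = $FXN(..., $QUERY, ...)` forms caught any function that consumed the literal, whereas the new branch only matches `fmt.Fprintf`/`Sprintf`/`Printf` with a literal first argument or string concatenation, so a query assembled through a helper or `strings.Replace`, or formatted from a variable that constant propagation cannot resolve, falls through silently; if that is accepted, the rule's message or metadata should say so. The `$P` to `$U` rename in `$OBJ.QueryRow($CTX, fmt.$U("...", ...))` looks unintentional — if a `metavariable-regex` above this hunk constrains `$P`, that one branch now escapes it. Finally, the file now ends in a whitespace-only line with no trailing newline.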