Merge pull request #682 from lyoung-confluent/patch-1

Add Column, From, JoinClause, *Join, Having, OrderByClause methods for squirrel SQLi query

Author: smowton

ql/lib/semmle/go/frameworks/SQL.qll

@@ -92,11 +92,14 @@ module SQL {
             // first argument to `squirrel.Expr`
             fn.hasQualifiedName(sq, "Expr")
             or
-            // first argument to the `Prefix`, `Suffix` or `Where` method of one of the `*Builder` classes
+            // first argument `pred`, `sql`, `from` to most methods of one of the `*Builder` classes
             exists(string builder | builder.matches("%Builder") |
-              fn.(Method).hasQualifiedName(sq, builder, "Prefix") or
-              fn.(Method).hasQualifiedName(sq, builder, "Suffix") or
-              fn.(Method).hasQualifiedName(sq, builder, "Where")
+              fn.(Method)
+                  .hasQualifiedName(sq, builder,
+                    [
+                      "Prefix", "Column", "From", "JoinClause", "Join", "LeftJoin", "RightJoin",
+                      "InnerJoin", "CrossJoin", "Where", "Having", "OrderByClause", "Suffix"
+                    ])
             )
           ) and
           this = fn.getACall().getArgument(0) and

ql/test/library-tests/semmle/go/frameworks/SQL/go.mod

@@ -3,7 +3,7 @@ module semmle.go.frameworks.SQL
 go 1.13
 
 require (
-	github.com/Masterminds/squirrel v1.1.0
+	github.com/Masterminds/squirrel v1.5.2
 	github.com/go-pg/pg v8.0.6+incompatible
 	github.com/go-pg/pg/v9 v9.1.3
 	github.com/go-sql-driver/mysql v1.6.0 // indirect

ql/test/library-tests/semmle/go/frameworks/SQL/main.go

@@ -43,8 +43,18 @@ func test(db *sql.DB, ctx context.Context) {
 }
 
 func squirrelTest(querypart string) {
+	squirrel.Select("*").From("users").Prefix(querypart)               // $ querystring=querypart
+	squirrel.Select("*").From("users").Column(querypart)               // $ querystring=querypart
+	squirrel.Select("*").From("users").From(querypart)                 // $ querystring=querypart
+	squirrel.Select("*").From("users").JoinClause(querypart)           // $ querystring=querypart
+	squirrel.Select("*").From("users").Join(querypart)                 // $ querystring=querypart
+	squirrel.Select("*").From("users").LeftJoin(querypart)             // $ querystring=querypart
+	squirrel.Select("*").From("users").RightJoin(querypart)            // $ querystring=querypart
+	squirrel.Select("*").From("users").InnerJoin(querypart)            // $ querystring=querypart
 	squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $ querystring=querypart
 	squirrel.Select("*").From("users").Where(querypart)                // $ querystring=querypart
+	squirrel.Select("*").From("users").Having(querypart)               // $ querystring=querypart
+	squirrel.Select("*").From("users").OrderByClause(querypart)        // $ querystring=querypart
 	squirrel.Select("*").From("users").Suffix(querypart)               // $ querystring=querypart
 }
 

ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/Masterminds/squirrel/stub.go

@@ -3,6 +3,6 @@ module Security.CWE-089
 go 1.14
 
 require (
-	github.com/Masterminds/squirrel v1.1.0
+	github.com/Masterminds/squirrel v1.5.2
 	go.mongodb.org/mongo-driver v1.3.3
 )

ql/test/query-tests/Security/CWE-089/go.mod

@@ -1,4 +1,4 @@
-# github.com/Masterminds/squirrel v1.1.0
+# github.com/Masterminds/squirrel v1.5.2
 ## explicit
 github.com/Masterminds/squirrel
 # go.mongodb.org/mongo-driver v1.3.3