Skip to content

Fix false positives for SQL string concatenation with constants from another file #247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Sep 28, 2018
Merged

Fix false positives for SQL string concatenation with constants from another file #247

merged 8 commits into from
Sep 28, 2018

Conversation

wongherlung
Copy link
Contributor

@wongherlung wongherlung commented Sep 27, 2018
edited
Loading

Fixes #169. Sorry, it's been a while, was busy with work. 😅

This PR aims to handle the following case:

main.go

package main

func main() {
  ...
  rows, err := db.Query("SELECT * FROM foo WHERE gender = " + gender)
  ...
}

constants.go (for example)

package main

...
const gender = "M"
...

Currently, gosec will flag this this out as an issue in main.go as the gender identifier is unresolved.

This PR will add pkg.Files to gosec.context so that we will be able to resolve that identifier if it happens to be in the global scope of that package.

ccojocar
ccojocar approved these changes Sep 27, 2018
View reviewed changes
rules/sql.go
if n.Obj != nil {
return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to have a test for this use case.

Copy link
Contributor Author

@wongherlung wongherlung Sep 27, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I was thinking so too. But this test case spans across two files and I'm not sure how to do it. Let me try to figure it out.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can extend the sample.Code to support multiple files. The test package is built here:

gosec/rules/rules_test.go

Line 35 in 5f98926

pkg.AddFile(fmt.Sprintf("sample_%d.go", n), sample.Code)

In this file are the code samples defined:
https://github.com/securego/gosec/blob/master/testutils/source.go

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a new value to the CodeSample struct.

type CodeSample struct {
	Code           string
	Errors         int
	SupportingCode bool
}

Snippets that have it set to true will not be processed against the rules, but added to the same pkg as the other snippets to be processed together.

Not sure if this is this most elegant way to allow for testing with multiple files. Feedback will be welcomed!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine. You could have also use a Code []string. To keep multiple files. I will refactoring afterwards.

Thanks for providing the tests.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ahh yes. It's much better to use Code []string. If you are okay, can I help with the refactoring? for https://hacktoberfest.digitalocean.com/ 😂

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I refactored it in the PR #248

ccojocar
ccojocar approved these changes Sep 28, 2018
View reviewed changes
rules/sql.go
if n.Obj != nil {
return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine. You could have also use a Code []string. To keep multiple files. I will refactoring afterwards.

Thanks for providing the tests.

@ccojocar ccojocar merged commit d3f1980 into securego:master Sep 28, 2018
@wongherlung wongherlung deleted the sql-string-concatenation branch September 28, 2018 08:07
@bytheway bytheway mentioned this pull request Jun 12, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ccojocar ccojocar ccojocar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SQL String concatenation with string constants
2 participants
@wongherlung @ccojocar