From 3c4de50d8f4b1257bfd7427a4a212d19e9020742 Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Tue, 16 Jan 2024 11:30:56 -0800 Subject: [PATCH 1/6] initial updates --- .../audit/database/string-formatted-query.go | 63 ++++++-- .../database/string-formatted-query.yaml | 138 ++++++++++-------- 2 files changed, 133 insertions(+), 68 deletions(-) diff --git a/go/lang/security/audit/database/string-formatted-query.go b/go/lang/security/audit/database/string-formatted-query.go index bf41ed18ce..2c55413478 100644 --- a/go/lang/security/audit/database/string-formatted-query.go +++ b/go/lang/security/audit/database/string-formatted-query.go @@ -57,6 +57,24 @@ func dbQuery3(r *http.Request, username string) { } } +func dbQuery4(r *http.Request, username string) { + // ruleid: string-formatted-query + query := fmt.Sprintf("%s AND INSERT into users (username, password)", username) + _, err = db.Exec(query) + if err != nil { + http.Error("mistake") + } +} + +func dbQuery5(r *http.Request, username string, password string) { + // ruleid: string-formatted-query + query := fmt.Sprintf("INSERT into users (username, password) VALUES(%s, %s)", username, password) + _, err = db.QueryRow(query) + if err != nil { + http.Error("mistake") + } +} + func okDbQuery1(r *http.Request) { // ok: string-formatted-query _, err = db.Exec("INSERT into users (username, password) VALUES(" + "username" + ", " + "smth)") @@ -110,9 +128,9 @@ func dbQueryRowContext(r *http.Request) { func dbExecFmt(r *http.Request) { customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.Exec(query) } 
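Review bot: In the added `dbQuery5`, `_, err = db.QueryRow(query)` binds two results, but `(*sql.DB).QueryRow` returns only a `*sql.Row` — it is `Query`/`Exec` that return a `(value, error)` pair — so the fixture shows a call shape that cannot appear in compiling code. Semgrep fixture files are not compiled and the rule only inspects the argument list, so the match itself is unaffected, but fixtures double as examples of what the rule catches; `row := db.QueryRow(query)` (or `_, err = db.Query(query)`) keeps it representative. `dbQuery4`, where the user-controlled `username` is formatted in ahead of the statement, is a useful positive case for the Sprintf-assignment shape and can stay as is.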
@@ -136,31 +154,49 @@ func dbQueryFmt(r *http.Request) { row, _ := db.Query(query) } -func dbQueryContextFmt(r *http.Request) { +func dbQueryContextFmtReassign(r *http.Request) { ctx := context.Background() customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.QueryContext(ctx, query) } -func dbQueryRowFmt(r *http.Request) { + +func dbQueryContextFmt(r *http.Request) { + ctx := context.Background() customerId := r.URL.Query().Get("id") // ruleid: string-formatted-query + query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId) + row, _ := db.QueryContext(ctx, query) +} + +func dbQueryRowFmt(r *http.Request) { + customerId := r.URL.Query().Get("id") query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.QueryRow(query) } +func dbQueryRowContextReassign(r *http.Request) { + ctx := context.Background() + customerId := r.URL.Query().Get("id") + query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) + + row, _ := db.QueryRowContext(ctx, query) +} + func dbQueryRowContextFmt(r *http.Request) { ctx := context.Background() customerId := r.URL.Query().Get("id") // ruleid: string-formatted-query - query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId) row, _ := db.QueryRowContext(ctx, query) } 
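Review bot: Every function added or renamed in this hunk is a positive (`ruleid`) case, while the same series widens the rule to `$QUERY = $X + ...`; nothing in the fixture file asserts that a concatenation of constants — e.g. `query := "SELECT number FROM creditcards" + " WHERE customerId = $1"` followed by `db.QueryContext(ctx, query, customerId)` — is *not* reported. Add an `// ok: string-formatted-query` fixture of that form so a false positive on literal-only concatenation fails the test suite rather than shipping. Separately, the new `dbQueryRowContextReassign` repeats `row, _ := db.QueryRowContext(ctx, query)` although `QueryRowContext` returns a single `*sql.Row`; `row := db.QueryRowContext(ctx, query)` keeps the fixture realistic.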
@@ -200,6 +236,15 @@ func postgresBadDirectQueryFmt(r *http.Request) { row, _ := postgresDb.QueryRow(ctx, fmt.Printf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId)) } +func postgresQueryFmt(r *http.Request) { + ctx := context.Background() + customerId := r.URL.Query().Get("id") + // ruleid: string-formatted-query + query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId) + + row, _ := postgresDb.QueryRow(ctx, query) +} + package main import ( diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index 91864da625..27c2794049 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml @@ -55,12 +55,12 @@ rules: - pattern: $OBJ.QueryRow(fmt.$P("...", ...)) - pattern: $OBJ.QueryRow($CTX, fmt.$P("...", ...)) - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...)) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.Exec($QUERY, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.Exec($QUERY, ...) - pattern: | $QUERY = "..." ... 
@@ -73,36 +73,36 @@ rules: $QUERY = $FXN(..., $QUERY, ...) ... $OBJ.ExecContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRow($QUERY) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.Exec($OTHER, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryContext($CTX, $QUERY, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRow($QUERY) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRow($CTX, $QUERY) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRowContext($CTX, $QUERY, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.Exec($OTHER, ...) - pattern: | $QUERY = "..." ... 
@@ -115,55 +115,75 @@ rules: $OTHER = $FXN(..., $QUERY, ...) ... $OBJ.ExecContext($CTX, $OTHER, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryContext($CTX, $OTHER, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRow($OTHER) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRow($CTX, $OTHER) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRowContext($CTX, $OTHER, ...) - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) + $QUERY = $X + ... ... - $OBJ.QueryContext($CTX, $OTHER, ...) + $OBJ.Exec($QUERY, ...) - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) + $QUERY = $X + ... ... - $OBJ.QueryRow($OTHER) + $OBJ.Query($QUERY, ...) - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) + $QUERY = $X + ... ... - $OBJ.QueryRow($CTX, $OTHER) + $OBJ.ExecContext($CTX, $QUERY, ...) - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) + $QUERY = $X + ... ... - $OBJ.QueryRowContext($CTX, $OTHER, ...) + $OBJ.QueryContext($CTX, $QUERY, ...) - pattern: | $QUERY = $X + ... ... - $OBJ.Exec($QUERY, ...) + $OBJ.QueryRow($QUERY) - pattern: | $QUERY = $X + ... ... - $OBJ.Query($QUERY, ...) + $OBJ.QueryRow($CTX, $QUERY) - pattern: | $QUERY = $X + ... ... - $OBJ.ExecContext($CTX, $QUERY, ...) + $OBJ.QueryRowContext($CTX, $QUERY, ...) - pattern: | - $QUERY = $X + ... + $QUERY = fmt.$F("...", ...) ... $OBJ.QueryContext($CTX, $QUERY, ...) - pattern: | - $QUERY = $X + ... + $QUERY = fmt.$F("...", ...) ... $OBJ.QueryRow($QUERY) - pattern: | - $QUERY = $X + ... + $QUERY = fmt.$F("...", ...) + ... + $OBJ.Exec($QUERY) + - pattern: | + $QUERY = fmt.$F("...", ...) ... $OBJ.QueryRow($CTX, $QUERY) - pattern: | - $QUERY = $X + ... + $QUERY = fmt.$F("...", ...) ... $OBJ.QueryRowContext($CTX, $QUERY, ...) 
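Review bot: The two-variable flow — `base := "SELECT ... %s"`, `q := fmt.Sprintf(base, id)`, `db.QueryRow(q)` — loses its explicit pattern once the `$OTHER = $FXN(..., $QUERY, ...)` alternatives for `QueryContext`, `QueryRow` and `QueryRowContext` are commented out here, because the replacements (`$QUERY = fmt.$F("...", ...)` / `$QUERY = $X + ...` followed by a call on `$QUERY`) only describe the case where the formatted string lands in the variable that is executed. `fmt.$F("...", ...)` also requires a string literal as the format argument, so catching `q := fmt.Sprintf(base, id)` would depend on Semgrep constant-propagating `base`; I cannot tell from this diff whether that holds, and no fixture in the series exercises the flow. Add one (`// ruleid:` if it still matches; otherwise restore an `$OTHER`-based pattern) before relying on it.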
From f8baff9ea88c20df70ece6ef536169e3b5c68aa9 Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Tue, 16 Jan 2024 11:32:53 -0800 Subject: [PATCH 2/6] t/s duplicates --- .../database/string-formatted-query.yaml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index 27c2794049..e3cc72a834 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml @@ -91,12 +91,12 @@ rules: # $QUERY = $FXN(..., $QUERY, ...) # ... # $OBJ.QueryRow($CTX, $QUERY) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRowContext($CTX, $QUERY, ...) + - pattern: | + $QUERY = "..." + ... + $QUERY = $FXN(..., $QUERY, ...) + ... + $OBJ.QueryRowContext($CTX, $QUERY, ...) # - pattern: | # $QUERY = "..." # ... @@ -133,12 +133,12 @@ rules: # $OTHER = $FXN(..., $QUERY, ...) # ... # $OBJ.QueryRow($CTX, $OTHER) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRowContext($CTX, $OTHER, ...) + - pattern: | + $QUERY = "..." + ... + $OTHER = $FXN(..., $QUERY, ...) + ... + $OBJ.QueryRowContext($CTX, $OTHER, ...) - pattern: | $QUERY = $X + ... ... From ff5e3a2650919b3d13c310798d26350b0309de0b Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Tue, 16 Jan 2024 12:26:36 -0800 Subject: [PATCH 3/6] removed redundant rules --- .../database/string-formatted-query.yaml | 72 ------------------- 1 file changed, 72 deletions(-) diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index e3cc72a834..8772707ec4 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml 
@@ -55,12 +55,6 @@ rules: - pattern: $OBJ.QueryRow(fmt.$P("...", ...)) - pattern: $OBJ.QueryRow($CTX, fmt.$P("...", ...)) - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...)) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.Exec($QUERY, ...) - pattern: | $QUERY = "..." ... @@ -73,72 +67,6 @@ rules: $QUERY = $FXN(..., $QUERY, ...) ... $OBJ.ExecContext($CTX, $QUERY, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryContext($CTX, $QUERY, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRow($QUERY) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.Exec($OTHER, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.Query($OTHER, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.ExecContext($CTX, $OTHER, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryContext($CTX, $OTHER, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRow($OTHER) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRow($CTX, $OTHER) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRowContext($CTX, $OTHER, ...) - pattern: | $QUERY = $X + ... ... From f54889dace7d3e7493120528a38979689c911508 Mon Sep 17 00:00:00 2001 
From: Alex Useche Date: Fri, 19 Jan 2024 09:29:57 -0800 Subject: [PATCH 4/6] refectored string-formatted-query for go --- .../audit/database/string-formatted-query.go | 8 +- .../database/string-formatted-query.yaml | 91 ++++++------------- 2 files changed, 34 insertions(+), 65 deletions(-) diff --git a/go/lang/security/audit/database/string-formatted-query.go b/go/lang/security/audit/database/string-formatted-query.go index 2c55413478..4197bde809 100644 --- a/go/lang/security/audit/database/string-formatted-query.go +++ b/go/lang/security/audit/database/string-formatted-query.go @@ -138,18 +138,18 @@ func dbExecFmt(r *http.Request) { func dbExecContextFmt(r *http.Request) { ctx := context.Background() customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.ExecContext(ctx, query) } func dbQueryFmt(r *http.Request) { customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.Query(query) } diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index 8772707ec4..d0a497e17f 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml 
@@ -53,65 +53,34 @@ rules: - pattern: $OBJ.Query(fmt.$P("...", ...)) - pattern: $OBJ.QueryContext($CTX, fmt.$P("...", ...)) - pattern: $OBJ.QueryRow(fmt.$P("...", ...)) - - pattern: $OBJ.QueryRow($CTX, fmt.$P("...", ...)) + - pattern: $OBJ.QueryRow($CTX, fmt.$U("...", ...)) - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...)) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.Query($QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.ExecContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.Exec($QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.Query($QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.ExecContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryRow($QUERY) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.QueryContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.QueryRow($QUERY) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.Exec($QUERY) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) + - patterns: + - pattern-either: + - pattern: $QUERY = fmt.Fprintf($F, "$SQLSTR", ...) + - pattern: $QUERY = fmt.Sprintf("$SQLSTR", ...) + - pattern: $QUERY = fmt.Printf("$SQLSTR", ...) + - pattern: $QUERY = $X + ... + - pattern-either: + - pattern-inside: | + ... + $OBJ.Query($QUERY, ...) + - pattern-inside: | + ... + $OBJ.ExecContext($CTX, $QUERY, ...) + - pattern-inside: | + ... + $OBJ.Exec($QUERY, ...) + - pattern-inside: | + ... + $OBJ.QueryRow($CTX, $QUERY) + - pattern-inside: | + ... 
+ $OBJ.QueryRow($QUERY) + - pattern-inside: | + ... + $OBJ.QueryContext($CTX, $QUERY) + - pattern-inside: | + ... + $OBJ.QueryRowContext($CTX, $QUERY, ...) + \ No newline at end of file From 5211fd7bb916b0d88302e77530e7db9e738c6e5a Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Thu, 25 Jan 2024 00:12:23 -0800 Subject: [PATCH 5/6] updated string-fromatted-query to avoid performance issues --- .../database/string-formatted-query.yaml | 42 ++++++++++++------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index d0a497e17f..7b65f3044f 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml @@ -63,24 +63,38 @@ rules: - pattern: $QUERY = $X + ... - pattern-either: - pattern-inside: | - ... - $OBJ.Query($QUERY, ...) + func $FUNC(...) { + ... + $OBJ.Query($QUERY, ...) + } - pattern-inside: | - ... - $OBJ.ExecContext($CTX, $QUERY, ...) + func $FUNC(...) { + ... + $OBJ.ExecContext($CTX, $QUERY, ...) + } - pattern-inside: | - ... - $OBJ.Exec($QUERY, ...) + func $FUNC(...) { + ... + $OBJ.Exec($QUERY, ...) + } - pattern-inside: | - ... - $OBJ.QueryRow($CTX, $QUERY) + func $FUNC(...) { + ... + $OBJ.QueryRow($CTX, $QUERY) + } - pattern-inside: | - ... - $OBJ.QueryRow($QUERY) + func $FUNC(...) { + ... + $OBJ.QueryRow($QUERY) + } - pattern-inside: | - ... - $OBJ.QueryContext($CTX, $QUERY) + func $FUNC(...) { + ... + $OBJ.QueryContext($CTX, $QUERY) + } - pattern-inside: | - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) + func $FUNC(...) { + ... + $OBJ.QueryRowContext($CTX, $QUERY, ...) + } \ No newline at end of file From 73a2330e693442c960fc5bd0123a3da4126bde8d Mon Sep 17 00:00:00 2001 
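Review bot: `$OBJ.QueryRow($CTX, fmt.$U("...", ...))` renames the metavariable from `$P` to `$U` while every sibling pattern keeps `$P`; each entry of a `pattern-either` binds independently, so this changes nothing and reads as an accidental edit — revert to `$P`. The new `patterns` block matches only when the format string is a literal (`fmt.Sprintf("$SQLSTR", ...)`), yet the `*Reassign`/`Printf` fixtures pass the variable `query` as the format argument (`query = fmt.Printf(query, customerId)`); if those still match it is presumably via constant propagation of the earlier `query := "SELECT ..."`, which deserves a comment in the rule (e.g. `# relies on constant propagation for q := "..."; q = fmt.Sprintf(q, ...)`) so a later refactor does not silently lose it. `$QUERY = fmt.Fprintf($F, "$SQLSTR", ...)` can never be a string assignment in compiling Go (`Fprintf` returns `(int, error)`), so that alternative is dead weight and can be dropped.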
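Review bot: Queries executed inside a method with a receiver (`func (s *store) find(...)`) or inside an anonymous handler closure (`http.HandleFunc("/x", func(w http.ResponseWriter, r *http.Request) { ... })`) may fall outside every `pattern-inside` now that each one is anchored on `func $FUNC(...) { ... }`; I am not certain how Semgrep's Go matcher treats receivers and closures against that pattern, and none of the fixtures in this series use either form. Add a method-receiver and a closure fixture marked `// ruleid:` so the performance change is shown not to cost coverage, and if they fail to match add `func ($R) $FUNC(...) { ... }` and `func(...) { ... }` variants alongside the existing ones.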
From: Alex Useche Date: Fri, 26 Jan 2024 15:54:59 -0800 Subject: [PATCH 6/6] trailing ellipsis added to string-formatted-query --- .../security/audit/database/string-formatted-query.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index 7b65f3044f..7aeb388a60 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml @@ -66,35 +66,42 @@ rules: func $FUNC(...) { ... $OBJ.Query($QUERY, ...) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.ExecContext($CTX, $QUERY, ...) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.Exec($QUERY, ...) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryRow($CTX, $QUERY) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryRow($QUERY) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryContext($CTX, $QUERY) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryRowContext($CTX, $QUERY, ...) + ... } \ No newline at end of file
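Review bot: Even with the trailing `...`, three sinks still spell the call with a fixed argument list — `$OBJ.QueryRow($CTX, $QUERY)`, `$OBJ.QueryRow($QUERY)` and `$OBJ.QueryContext($CTX, $QUERY)` — so a formatted query executed with extra arguments (`db.QueryContext(ctx, query, limit)`, `db.QueryRow(query, id)`) is not reported, while the `Exec`, `ExecContext`, `Query` and `QueryRowContext` siblings use `$QUERY, ...`. Change them to `$OBJ.QueryRow($CTX, $QUERY, ...)`, `$OBJ.QueryRow($QUERY, ...)` and `$OBJ.QueryContext($CTX, $QUERY, ...)`; the injection is in `$QUERY` regardless of what follows it. The file also still ends without a newline (`\ No newline at end of file`), worth fixing while the tail of the YAML is being edited.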