From baec4adbb1fd8c0550091517f9eb59cb3d94de0a Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Thu, 9 Jan 2025 21:54:00 -0500 Subject: [PATCH 1/7] beego models --- ...ithub.com.beego.beego.client.orm.model.yml | 15 + .../local/database/test_beego_orm.go | 29 ++ .../beego/beego/v2/client/orm/stub.go | 300 ++++++++++++++++++ 3 files changed, 344 insertions(+) create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/beego/beego/v2/client/orm/stub.go diff --git a/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml b/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml index 08c0572b894a..d5dbfa4c1747 100644 --- a/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml +++ b/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml 
@@ -6,6 +6,20 @@ extensions: - ["beego-orm", "github.com/beego/beego/client/orm"] - ["beego-orm", "github.com/astaxie/beego/orm"] - ["beego-orm", "github.com/beego/beego/orm"] + - addsTo: + pack: codeql/go-all + extensible: sourceModel + data: + - ["group:beego-orm", "DB", True, "Query", "", "", "ReturnValue[0]", "database", "manual"] + - ["group:beego-orm", "DB", True, "QueryContext", "", "", "ReturnValue[0]", "database", "manual"] + - ["group:beego-orm", "DB", True, "QueryRow", "", "", "ReturnValue", "database", "manual"] + - ["group:beego-orm", "DB", True, "QueryRowContext", "", "", "ReturnValue", "database", "manual"] + - ["group:beego-orm", "DQL", True, "Read", "", "", "Argument[0]", "database", "manual"] + - ["group:beego-orm", "DQL", True, "ReadWithCtx", "", "", "Argument[1]", "database", "manual"] + - ["group:beego-orm", "DQL", True, "ReadForUpdate", "", "", "Argument[0]", "database", "manual"] + - ["group:beego-orm", "DQL", True, "ReadForUpdateWithCtx", "", "", "Argument[1]", "database", "manual"] + - ["group:beego-orm", "DQL", True, "ReadOrCreate", "", "", "Argument[0]", "database", "manual"] + - ["group:beego-orm", "DQL", True, "ReadOrCreateWithCtx", "", "", "Argument[1]", "database", "manual"] - addsTo: pack: codeql/go-all extensible: sinkModel @@ -40,3 +54,4 @@ extensions: - ["group:beego-orm", "QueryBuilder", True, "Values", "", "", "Argument[0]", "sql-injection", "manual"] - ["group:beego-orm", "QueryBuilder", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"] - ["group:beego-orm", "QuerySeter", True, "FilterRaw", "", "", "Argument[1]", "sql-injection", "manual"] + diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go new file mode 100644 index 000000000000..1f85aa2fdfd0 --- /dev/null +++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go 
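Review bot: The new `sourceModel` rows only cover the `Read*` family and the raw `DB.Query*` calls, while the same interfaces (see the stub later in this patch) also hand database rows back through caller-supplied arguments that get no `database` source here: `QuerySeter.All/One/Values/ValuesList/ValuesFlat/RowsToMap/RowsToStruct`, `RawSeter.QueryRow/QueryRows/Values*` and `LoadRelated`. A stored-XSS or second-order-injection flow that starts with `o.QueryTable(&User{}).All(&users)` or `o.Raw(q).QueryRows(&users)` is missed unless those are modelled elsewhere (the existing QL-based BeegoOrm library may already cover some of them, so check before adding). The rows would follow the same shape, e.g. `- ["group:beego-orm", "QuerySeter", True, "All", "", "", "Argument[0]", "database", "manual"]` and `- ["group:beego-orm", "RawSeter", True, "QueryRows", "", "", "Argument[0..]", "database", "manual"]`. The empty `+` line appended at the end of the file in the second hunk looks unintentional.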
@@ -0,0 +1,29 @@ +package test + +import ( + "github.com/beego/beego/v2/client/orm" +) + +func test_DB(db orm.DB) { + rows, err := db.Query("SELECT * FROM users") // $ source + ignore(rows, err) + + rows, err = db.QueryContext(nil, "SELECT * FROM users") // $ source + ignore(rows, err) + + row := db.QueryRow("SELECT * FROM users") // $ source + ignore(row) + + row = db.QueryRowContext(nil, "SELECT * FROM users") // $ source + ignore(row) +} + +func test_DQL() { + o := orm.NewOrm() + o.Read(&User{}) // $ source + o.ReadWithCtx(nil, &User{}) // $ source + o.ReadForUpdate(&User{}) // $ source + o.ReadForUpdateWithCtx(nil, &User{}) // $ source + o.ReadOrCreate(&User{}, "name") // $ source + o.ReadOrCreateWithCtx(nil, &User{}, "name") // $ source +} diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/beego/beego/v2/client/orm/stub.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/beego/beego/v2/client/orm/stub.go new file mode 100644 index 000000000000..4dfcd2aefc85 --- /dev/null +++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/beego/beego/v2/client/orm/stub.go 
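Review bot: The test passes `nil` as the `context.Context` to `QueryContext`, `QueryRowContext`, `ReadWithCtx`, `ReadForUpdateWithCtx` and `ReadOrCreateWithCtx`; that works against a stub but reads as a bad example, and `context.Background()` costs one import. More valuable would be a case that the models are meant to reach only through `subtypes`: `tx, _ := o.Begin(); tx.Read(&User{}) // $ source` for `TxOrmer`, which the stub declares with the same `Read*` methods but which nothing here exercises. `User` and `ignore` are not defined in this file, so presumably they come from a sibling file in the package.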
@@ -0,0 +1,300 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/beego/beego/v2/client/orm, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/beego/beego/v2/client/orm (exports: DQL,DB,Ormer; functions: NewOrm) + +// Package orm is a stub of github.com/beego/beego/v2/client/orm, generated by depstubber. +package orm + +import ( + context "context" + sql "database/sql" + sync "sync" +) + +type Condition struct{} + +func (_ Condition) And(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) AndNot(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) Or(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) OrNot(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) Raw(_ string, _ string) *Condition { + return nil +} + +func (_ *Condition) AndCond(_ *Condition) *Condition { + return nil +} + +func (_ *Condition) AndNotCond(_ *Condition) *Condition { + return nil +} + +func (_ *Condition) IsEmpty() bool { + return false +} + +func (_ *Condition) OrCond(_ *Condition) *Condition { + return nil +} + +func (_ *Condition) OrNotCond(_ *Condition) *Condition { + return nil +} + +type DB struct { + RWMutex *sync.RWMutex + DB *sql.DB +} + +func (_ DB) Lock() {} + +func (_ DB) RLock() {} + +func (_ DB) RLocker() sync.Locker { + return nil +} + +func (_ DB) RUnlock() {} + +func (_ DB) TryLock() bool { + return false +} + +func (_ DB) TryRLock() bool { + return false +} + +func (_ DB) Unlock() {} + +func (_ *DB) Begin() (*sql.Tx, error) { + return nil, nil +} + +func (_ *DB) BeginTx(_ context.Context, _ *sql.TxOptions) (*sql.Tx, error) { + return nil, nil +} + +func (_ *DB) Exec(_ string, _ ...interface{}) (sql.Result, error) { + return nil, nil +} + +func (_ *DB) ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error) { + return 
nil, nil +} + +func (_ *DB) Prepare(_ string) (*sql.Stmt, error) { + return nil, nil +} + +func (_ *DB) PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) { + return nil, nil +} + +func (_ *DB) Query(_ string, _ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ *DB) QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) { + return nil, nil +} + +func (_ *DB) QueryRow(_ string, _ ...interface{}) *sql.Row { + return nil +} + +func (_ *DB) QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row { + return nil +} + +type DQL interface { + DBStats() *sql.DBStats + LoadRelated(_ interface{}, _ string, _ ...interface{}) (int64, error) + LoadRelatedWithCtx(_ context.Context, _ interface{}, _ string, _ ...interface{}) (int64, error) + QueryM2M(_ interface{}, _ string) QueryM2Mer + QueryM2MWithCtx(_ context.Context, _ interface{}, _ string) QueryM2Mer + QueryTable(_ interface{}) QuerySeter + QueryTableWithCtx(_ context.Context, _ interface{}) QuerySeter + Read(_ interface{}, _ ...string) error + ReadForUpdate(_ interface{}, _ ...string) error + ReadForUpdateWithCtx(_ context.Context, _ interface{}, _ ...string) error + ReadOrCreate(_ interface{}, _ string, _ ...string) (bool, int64, error) + ReadOrCreateWithCtx(_ context.Context, _ interface{}, _ string, _ ...string) (bool, int64, error) + ReadWithCtx(_ context.Context, _ interface{}, _ ...string) error +} + +type Driver interface { + Name() string + Type() DriverType +} + +type DriverType int + +type Inserter interface { + Close() error + Insert(_ interface{}) (int64, error) + InsertWithCtx(_ context.Context, _ interface{}) (int64, error) +} + +func NewOrm() Ormer { + return nil +} + +type Ormer interface { + Begin() (TxOrmer, error) + BeginWithCtx(_ context.Context) (TxOrmer, error) + BeginWithCtxAndOpts(_ context.Context, _ *sql.TxOptions) (TxOrmer, error) + BeginWithOpts(_ *sql.TxOptions) (TxOrmer, error) + DBStats() *sql.DBStats + Delete(_ 
interface{}, _ ...string) (int64, error) + DeleteWithCtx(_ context.Context, _ interface{}, _ ...string) (int64, error) + DoTx(_ func(context.Context, TxOrmer) error) error + DoTxWithCtx(_ context.Context, _ func(context.Context, TxOrmer) error) error + DoTxWithCtxAndOpts(_ context.Context, _ *sql.TxOptions, _ func(context.Context, TxOrmer) error) error + DoTxWithOpts(_ *sql.TxOptions, _ func(context.Context, TxOrmer) error) error + Driver() Driver + Insert(_ interface{}) (int64, error) + InsertMulti(_ int, _ interface{}) (int64, error) + InsertMultiWithCtx(_ context.Context, _ int, _ interface{}) (int64, error) + InsertOrUpdate(_ interface{}, _ ...string) (int64, error) + InsertOrUpdateWithCtx(_ context.Context, _ interface{}, _ ...string) (int64, error) + InsertWithCtx(_ context.Context, _ interface{}) (int64, error) + LoadRelated(_ interface{}, _ string, _ ...interface{}) (int64, error) + LoadRelatedWithCtx(_ context.Context, _ interface{}, _ string, _ ...interface{}) (int64, error) + QueryM2M(_ interface{}, _ string) QueryM2Mer + QueryM2MWithCtx(_ context.Context, _ interface{}, _ string) QueryM2Mer + QueryTable(_ interface{}) QuerySeter + QueryTableWithCtx(_ context.Context, _ interface{}) QuerySeter + Raw(_ string, _ ...interface{}) RawSeter + RawWithCtx(_ context.Context, _ string, _ ...interface{}) RawSeter + Read(_ interface{}, _ ...string) error + ReadForUpdate(_ interface{}, _ ...string) error + ReadForUpdateWithCtx(_ context.Context, _ interface{}, _ ...string) error + ReadOrCreate(_ interface{}, _ string, _ ...string) (bool, int64, error) + ReadOrCreateWithCtx(_ context.Context, _ interface{}, _ string, _ ...string) (bool, int64, error) + ReadWithCtx(_ context.Context, _ interface{}, _ ...string) error + Update(_ interface{}, _ ...string) (int64, error) + UpdateWithCtx(_ context.Context, _ interface{}, _ ...string) (int64, error) +} + +type Params map[string]interface{} + +type ParamsList []interface{} + +type QueryM2Mer interface { + Add(_ 
...interface{}) (int64, error) + AddWithCtx(_ context.Context, _ ...interface{}) (int64, error) + Clear() (int64, error) + ClearWithCtx(_ context.Context) (int64, error) + Count() (int64, error) + CountWithCtx(_ context.Context) (int64, error) + Exist(_ interface{}) bool + ExistWithCtx(_ context.Context, _ interface{}) bool + Remove(_ ...interface{}) (int64, error) + RemoveWithCtx(_ context.Context, _ ...interface{}) (int64, error) +} + +type QuerySeter interface { + Aggregate(_ string) QuerySeter + All(_ interface{}, _ ...string) (int64, error) + AllWithCtx(_ context.Context, _ interface{}, _ ...string) (int64, error) + Count() (int64, error) + CountWithCtx(_ context.Context) (int64, error) + Delete() (int64, error) + DeleteWithCtx(_ context.Context) (int64, error) + Distinct() QuerySeter + Exclude(_ string, _ ...interface{}) QuerySeter + Exist() bool + ExistWithCtx(_ context.Context) bool + Filter(_ string, _ ...interface{}) QuerySeter + FilterRaw(_ string, _ string) QuerySeter + ForUpdate() QuerySeter + ForceIndex(_ ...string) QuerySeter + GetCond() *Condition + GroupBy(_ ...string) QuerySeter + IgnoreIndex(_ ...string) QuerySeter + Limit(_ interface{}, _ ...interface{}) QuerySeter + Offset(_ interface{}) QuerySeter + One(_ interface{}, _ ...string) error + OneWithCtx(_ context.Context, _ interface{}, _ ...string) error + OrderBy(_ ...string) QuerySeter + OrderClauses(_ ...interface{}) QuerySeter + PrepareInsert() (Inserter, error) + PrepareInsertWithCtx(_ context.Context) (Inserter, error) + RelatedSel(_ ...interface{}) QuerySeter + RowsToMap(_ *Params, _ string, _ string) (int64, error) + RowsToStruct(_ interface{}, _ string, _ string) (int64, error) + SetCond(_ *Condition) QuerySeter + Update(_ Params) (int64, error) + UpdateWithCtx(_ context.Context, _ Params) (int64, error) + UseIndex(_ ...string) QuerySeter + Values(_ *[]Params, _ ...string) (int64, error) + ValuesFlat(_ *ParamsList, _ string) (int64, error) + ValuesFlatWithCtx(_ context.Context, _ 
*ParamsList, _ string) (int64, error) + ValuesList(_ *[]ParamsList, _ ...string) (int64, error) + ValuesListWithCtx(_ context.Context, _ *[]ParamsList, _ ...string) (int64, error) + ValuesWithCtx(_ context.Context, _ *[]Params, _ ...string) (int64, error) +} + +type RawPreparer interface { + Close() error + Exec(_ ...interface{}) (sql.Result, error) +} + +type RawSeter interface { + Exec() (sql.Result, error) + Prepare() (RawPreparer, error) + QueryRow(_ ...interface{}) error + QueryRows(_ ...interface{}) (int64, error) + RowsToMap(_ *Params, _ string, _ string) (int64, error) + RowsToStruct(_ interface{}, _ string, _ string) (int64, error) + SetArgs(_ ...interface{}) RawSeter + Values(_ *[]Params, _ ...string) (int64, error) + ValuesFlat(_ *ParamsList, _ ...string) (int64, error) + ValuesList(_ *[]ParamsList, _ ...string) (int64, error) +} + +type TxOrmer interface { + Commit() error + DBStats() *sql.DBStats + Delete(_ interface{}, _ ...string) (int64, error) + DeleteWithCtx(_ context.Context, _ interface{}, _ ...string) (int64, error) + Driver() Driver + Insert(_ interface{}) (int64, error) + InsertMulti(_ int, _ interface{}) (int64, error) + InsertMultiWithCtx(_ context.Context, _ int, _ interface{}) (int64, error) + InsertOrUpdate(_ interface{}, _ ...string) (int64, error) + InsertOrUpdateWithCtx(_ context.Context, _ interface{}, _ ...string) (int64, error) + InsertWithCtx(_ context.Context, _ interface{}) (int64, error) + LoadRelated(_ interface{}, _ string, _ ...interface{}) (int64, error) + LoadRelatedWithCtx(_ context.Context, _ interface{}, _ string, _ ...interface{}) (int64, error) + QueryM2M(_ interface{}, _ string) QueryM2Mer + QueryM2MWithCtx(_ context.Context, _ interface{}, _ string) QueryM2Mer + QueryTable(_ interface{}) QuerySeter + QueryTableWithCtx(_ context.Context, _ interface{}) QuerySeter + Raw(_ string, _ ...interface{}) RawSeter + RawWithCtx(_ context.Context, _ string, _ ...interface{}) RawSeter + Read(_ interface{}, _ ...string) error + 
ReadForUpdate(_ interface{}, _ ...string) error + ReadForUpdateWithCtx(_ context.Context, _ interface{}, _ ...string) error + ReadOrCreate(_ interface{}, _ string, _ ...string) (bool, int64, error) + ReadOrCreateWithCtx(_ context.Context, _ interface{}, _ string, _ ...string) (bool, int64, error) + ReadWithCtx(_ context.Context, _ interface{}, _ ...string) error + Rollback() error + RollbackUnlessCommit() error + Update(_ interface{}, _ ...string) (int64, error) + UpdateWithCtx(_ context.Context, _ interface{}, _ ...string) (int64, error) +} From 592b46bea80937ca584b4fc6fc4e5715ef171f98 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Thu, 9 Jan 2025 21:55:05 -0500 Subject: [PATCH 2/7] Change note --- go/ql/lib/change-notes/2025-01-09-beego-orm-models.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 go/ql/lib/change-notes/2025-01-09-beego-orm-models.md diff --git a/go/ql/lib/change-notes/2025-01-09-beego-orm-models.md b/go/ql/lib/change-notes/2025-01-09-beego-orm-models.md new file mode 100644 index 000000000000..a5eeeeae5ff3 --- /dev/null +++ b/go/ql/lib/change-notes/2025-01-09-beego-orm-models.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* `database` local source models have been added for the `github.com/beego/beego/client/orm` package. From 46f9448043b83d58f21a48b5171f1588000e254e Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Fri, 10 Jan 2025 08:20:26 -0500 Subject: [PATCH 3/7] Add `Ormer` models for v1 of the beego ORM --- ...ithub.com.beego.beego.client.orm.model.yml | 3 + .../local/database/test_beego_orm.go | 8 + .../github.com/astaxie/beego/orm/stub.go | 150 ++++++++++++++++++ 3 files changed, 161 insertions(+) create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/astaxie/beego/orm/stub.go diff --git a/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml b/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml index d5dbfa4c1747..c629191a3668 100644 
--- a/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml +++ b/go/ql/lib/ext/github.com.beego.beego.client.orm.model.yml @@ -20,6 +20,9 @@ extensions: - ["group:beego-orm", "DQL", True, "ReadForUpdateWithCtx", "", "", "Argument[1]", "database", "manual"] - ["group:beego-orm", "DQL", True, "ReadOrCreate", "", "", "Argument[0]", "database", "manual"] - ["group:beego-orm", "DQL", True, "ReadOrCreateWithCtx", "", "", "Argument[1]", "database", "manual"] + - ["group:beego-orm", "Ormer", True, "Read", "", "", "Argument[0]", "database", "manual"] + - ["group:beego-orm", "Ormer", True, "ReadForUpdate", "", "", "Argument[0]", "database", "manual"] + - ["group:beego-orm", "Ormer", True, "ReadOrCreate", "", "", "Argument[0]", "database", "manual"] - addsTo: pack: codeql/go-all extensible: sinkModel diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go index 1f85aa2fdfd0..bfa41855498a 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go @@ -1,6 +1,7 @@ package test import ( + oldOrm "github.com/astaxie/beego/orm" "github.com/beego/beego/v2/client/orm" ) @@ -18,6 +19,13 @@ func test_DB(db orm.DB) { ignore(row) } +func test_Ormer() { + o := oldOrm.NewOrm() + o.Read(&User{}) // $ source + o.ReadForUpdate(&User{}) // $ source + o.ReadOrCreate(&User{}, "name") // $ source +} + func test_DQL() { o := orm.NewOrm() o.Read(&User{}) // $ source diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/astaxie/beego/orm/stub.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/astaxie/beego/orm/stub.go new file mode 100644 index 000000000000..75e713a364df --- /dev/null 
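Review bot: The three new `Ormer` rows use `group:beego-orm`, which also spans the v2 packages, so a v2 `Ormer.Read*` call now matches both the `DQL` rows (via `subtypes`) and these rows; that does not change results, but the reason for the rows (v1 has no `DQL` interface) is invisible from the file. Scoping them to the v1 import paths, e.g. `- ["github.com/astaxie/beego/orm", "Ormer", True, "Read", "", "", "Argument[0]", "database", "manual"]` and the same for `github.com/beego/beego/orm`, or a one-line comment above them, would document that. The accompanying `test_Ormer` only exercises `github.com/astaxie/beego/orm`; the `github.com/beego/beego/orm` v1 path that the group also lists has no test.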
+++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/astaxie/beego/orm/stub.go 
@@ -0,0 +1,150 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/astaxie/beego/orm, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/astaxie/beego/orm (exports: Ormer; functions: NewOrm) + +// Package orm is a stub of github.com/astaxie/beego/orm, generated by depstubber. +package orm + +import ( + context "context" + sql "database/sql" +) + +type Condition struct{} + +func (_ Condition) And(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) AndNot(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) Or(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) OrNot(_ string, _ ...interface{}) *Condition { + return nil +} + +func (_ Condition) Raw(_ string, _ string) *Condition { + return nil +} + +func (_ *Condition) AndCond(_ *Condition) *Condition { + return nil +} + +func (_ *Condition) AndNotCond(_ *Condition) *Condition { + return nil +} + +func (_ *Condition) IsEmpty() bool { + return false +} + +func (_ *Condition) OrCond(_ *Condition) *Condition { + return nil +} + +func (_ *Condition) OrNotCond(_ *Condition) *Condition { + return nil +} + +type Driver interface { + Name() string + Type() DriverType +} + +type DriverType int + +type Inserter interface { + Close() error + Insert(_ interface{}) (int64, error) +} + +func NewOrm() Ormer { + return nil +} + +type Ormer interface { + Begin() error + BeginTx(_ context.Context, _ *sql.TxOptions) error + Commit() error + DBStats() *sql.DBStats + Delete(_ interface{}, _ ...string) (int64, error) + Driver() Driver + Insert(_ interface{}) (int64, error) + InsertMulti(_ int, _ interface{}) (int64, error) + InsertOrUpdate(_ interface{}, _ ...string) (int64, error) + LoadRelated(_ interface{}, _ string, _ ...interface{}) (int64, error) + QueryM2M(_ interface{}, _ string) QueryM2Mer + QueryTable(_ interface{}) 
QuerySeter + Raw(_ string, _ ...interface{}) RawSeter + Read(_ interface{}, _ ...string) error + ReadForUpdate(_ interface{}, _ ...string) error + ReadOrCreate(_ interface{}, _ string, _ ...string) (bool, int64, error) + Rollback() error + Update(_ interface{}, _ ...string) (int64, error) + Using(_ string) error +} + +type Params map[string]interface{} + +type ParamsList []interface{} + +type QueryM2Mer interface { + Add(_ ...interface{}) (int64, error) + Clear() (int64, error) + Count() (int64, error) + Exist(_ interface{}) bool + Remove(_ ...interface{}) (int64, error) +} + +type QuerySeter interface { + All(_ interface{}, _ ...string) (int64, error) + Count() (int64, error) + Delete() (int64, error) + Distinct() QuerySeter + Exclude(_ string, _ ...interface{}) QuerySeter + Exist() bool + Filter(_ string, _ ...interface{}) QuerySeter + FilterRaw(_ string, _ string) QuerySeter + ForUpdate() QuerySeter + GetCond() *Condition + GroupBy(_ ...string) QuerySeter + Limit(_ interface{}, _ ...interface{}) QuerySeter + Offset(_ interface{}) QuerySeter + One(_ interface{}, _ ...string) error + OrderBy(_ ...string) QuerySeter + PrepareInsert() (Inserter, error) + RelatedSel(_ ...interface{}) QuerySeter + RowsToMap(_ *Params, _ string, _ string) (int64, error) + RowsToStruct(_ interface{}, _ string, _ string) (int64, error) + SetCond(_ *Condition) QuerySeter + Update(_ Params) (int64, error) + Values(_ *[]Params, _ ...string) (int64, error) + ValuesFlat(_ *ParamsList, _ string) (int64, error) + ValuesList(_ *[]ParamsList, _ ...string) (int64, error) +} + +type RawPreparer interface { + Close() error + Exec(_ ...interface{}) (sql.Result, error) +} + +type RawSeter interface { + Exec() (sql.Result, error) + Prepare() (RawPreparer, error) + QueryRow(_ ...interface{}) error + QueryRows(_ ...interface{}) (int64, error) + RowsToMap(_ *Params, _ string, _ string) (int64, error) + RowsToStruct(_ interface{}, _ string, _ string) (int64, error) + SetArgs(_ ...interface{}) RawSeter + 
Values(_ *[]Params, _ ...string) (int64, error) + ValuesFlat(_ *ParamsList, _ ...string) (int64, error) + ValuesList(_ *[]ParamsList, _ ...string) (int64, error) +} From 4bd43b4e7087a02cb99928e20280e9bb9a6c6878 Mon Sep 17 00:00:00 2001 From: Edward Minnix III Date: Fri, 10 Jan 2025 08:22:28 -0500 Subject: [PATCH 4/7] Reword change note to be more general Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> --- go/ql/lib/change-notes/2025-01-09-beego-orm-models.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/ql/lib/change-notes/2025-01-09-beego-orm-models.md b/go/ql/lib/change-notes/2025-01-09-beego-orm-models.md index a5eeeeae5ff3..e68a5315ff1f 100644 --- a/go/ql/lib/change-notes/2025-01-09-beego-orm-models.md +++ b/go/ql/lib/change-notes/2025-01-09-beego-orm-models.md @@ -1,4 +1,4 @@ --- category: minorAnalysis --- -* `database` local source models have been added for the `github.com/beego/beego/client/orm` package. +* `database` local source models have been added for the Beego ORM package. From bff243367c2a33c074b217a193157b1bf9fc6bee Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Fri, 10 Jan 2025 08:26:07 -0500 Subject: [PATCH 5/7] Rename test functions to include package name --- .../dataflow/flowsources/local/database/test_beego_orm.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go index bfa41855498a..9d456b5409b2 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go @@ -5,7 +5,7 @@ import ( "github.com/beego/beego/v2/client/orm" ) -func test_DB(db orm.DB) { +func test_beego_DB(db orm.DB) { rows, err := db.Query("SELECT * FROM users") // $ source ignore(rows, err) 
@@ -19,14 +19,14 @@ func test_DB(db orm.DB) { ignore(row) } -func test_Ormer() { +func test_beego_Ormer() { o := oldOrm.NewOrm() o.Read(&User{}) // $ source o.ReadForUpdate(&User{}) // $ source o.ReadOrCreate(&User{}, "name") // $ source } -func test_DQL() { +func test_beego_DQL() { o := orm.NewOrm() o.Read(&User{}) // $ source o.ReadWithCtx(nil, &User{}) // $ source From 43771d8f19dbbb0b016415f866e16c48d5deb7a3 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Fri, 10 Jan 2025 08:50:09 -0500 Subject: [PATCH 6/7] Fix formatting --- .../dataflow/flowsources/local/database/test_beego_orm.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go index 9d456b5409b2..93138c69a580 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_beego_orm.go @@ -21,9 +21,9 @@ func test_beego_DB(db orm.DB) { func test_beego_Ormer() { o := oldOrm.NewOrm() - o.Read(&User{}) // $ source - o.ReadForUpdate(&User{}) // $ source - o.ReadOrCreate(&User{}, "name") // $ source + o.Read(&User{}) // $ source + o.ReadForUpdate(&User{}) // $ source + o.ReadOrCreate(&User{}, "name") // $ source } func test_beego_DQL() { From 0f038355ff9e7c2025f8daf8d4cabcb23ac7c633 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Fri, 10 Jan 2025 09:26:58 -0500 Subject: [PATCH 7/7] Fix provenance in test --- .../semmle/go/frameworks/BeegoOrm/StoredXss.expected | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected index 861e3e97ed14..530034fac918 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected 
+++ b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected
@@ -1,8 +1,8 @@
 edges
-| test.go:80:13:80:16 | &... | test.go:81:13:81:29 | type conversion | provenance | |
-| test.go:80:13:80:16 | &... | test.go:82:13:82:43 | type conversion | provenance | |
-| test.go:85:22:85:26 | &... | test.go:86:13:86:30 | type conversion | provenance | |
-| test.go:89:21:89:25 | &... | test.go:90:13:90:30 | type conversion | provenance | |
+| test.go:80:13:80:16 | &... | test.go:81:13:81:29 | type conversion | provenance | Src:MaD:339 |
+| test.go:80:13:80:16 | &... | test.go:82:13:82:43 | type conversion | provenance | Src:MaD:339 |
+| test.go:85:22:85:26 | &... | test.go:86:13:86:30 | type conversion | provenance | Src:MaD:340 |
+| test.go:89:21:89:25 | &... | test.go:90:13:90:30 | type conversion | provenance | Src:MaD:341 |
 | test.go:95:20:95:36 | call to Value | test.go:95:13:95:37 | type conversion | provenance | |
 | test.go:96:20:96:39 | call to RawValue | test.go:96:13:96:49 | type conversion | provenance | |
 | test.go:97:20:97:37 | call to String | test.go:97:13:97:38 | type conversion | provenance | |
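Review bot: The `&...` sources at test.go:80–89 now carry `Src:MaD:339`–`341` where before they had no provenance, which suggests the same `Read`/`ReadForUpdate`/`ReadOrCreate` calls were already sources through the QL-based BeegoOrm library and are now matched a second time by the new data-extension rows. Two overlapping definitions for one source do not change results, but one is now dead weight and they can drift apart; if the QL-side model still exists, consider removing it or leaving a comment in it pointing at the `.model.yml`. The numeric MaD ids in this expected file also shift whenever rows are inserted above them, which is worth keeping in mind when the yaml is extended.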