From 0163d5a7fc5143c78fec4c5688fb077f98e4c096 Mon Sep 17 00:00:00 2001 From: Jordy Zomer Date: Thu, 9 Jan 2025 14:31:09 +0100 Subject: [PATCH] Add BigQuery to the SQL frameworks so that it Can be used as a sink for SQL injection queries. Signed-off-by: Jordy Zomer --- go/ql/lib/semmle/go/frameworks/SQL.qll | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/go/ql/lib/semmle/go/frameworks/SQL.qll b/go/ql/lib/semmle/go/frameworks/SQL.qll index a0e80fde1c9f..82f0c0043531 100644 --- a/go/ql/lib/semmle/go/frameworks/SQL.qll +++ b/go/ql/lib/semmle/go/frameworks/SQL.qll @@ -100,12 +100,28 @@ module SQL { } } + /** A string that might identify package `go/bigquery` */ + string gobigquery() { result = "cloud.google.com/go/bigquery.Client" } + /** A string that might identify package `go-pg/pg` or a specific version of it. */ private string gopg() { result = package("github.com/go-pg/pg", "") } /** A string that might identify package `go-pg/pg/orm` or a specific version of it. */ private string gopgorm() { result = package("github.com/go-pg/pg", "orm") } + /** + * A string argument to an api of `go/bigquery` that is directly interpreted as SQL + * without taking syntactic structure in account + */ + class BigQueryString extends Range { + BigQueryString() { + exists(Function f | + f.hasQualifiedName(gobigquery(), "Query") and + this = f.getACall().getArgument(0) + ) + } + } + /** * A string argument to an API of `go-pg/pg` that is directly interpreted as SQL without * taking syntactic structure into account.
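Review bot: In `BigQueryString`, the sink is matched with `f.hasQualifiedName(gobigquery(), "Query")`, but `gobigquery()` returns the type-qualified string `"cloud.google.com/go/bigquery.Client"` rather than a package path, so the match appears to depend on how `Function.hasQualifiedName` joins its two arguments. Unlike the neighbouring `gopg()` and `gopgorm()`, the helper is also not `private` and does not go through `package(...)`, so versioned import paths would likely be missed. Modelling the call as a method is more robust: `exists(Method m | m.hasQualifiedName(package("cloud.google.com/go/bigquery", ""), "Client", "Query") and this = m.getACall().getArgument(0))`. Only the string passed to `Client.Query` is treated as a sink, so query text assigned afterwards through the returned query's `Q` field (worth confirming against the client library) would go unreported by the SQL injection query. The diffstat shows only `SQL.qll` changed, so a library test exercising the new sink would confirm that it fires.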