Move Scan methods to QL classes

egregius313 · egregius313 · commit 05385955edd7 · 2025-02-27T15:20:44.000-05:00
diff --git a/go/ql/lib/ext/github.com.mastermind.squirrel.model.yml b/go/ql/lib/ext/github.com.mastermind.squirrel.model.yml
@@ -81,8 +81,3 @@ extensions:
       - ["group:squirrel", "UpdateBuilder", True, "Suffix", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["group:squirrel", "UpdateBuilder", True, "Table", "", "", "Argument[0]", "sql-injection", "manual"]
       # UpdateBuilder.Where has to be modeled in QL to avoid FPs when a non-string argument is used
-  - addsTo:
-      pack: codeql/go-all
-      extensible: summaryModel
-    data:
-      - ["group:squirrel", "RowScanner", True, "Scan", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/Squirrel.qll b/go/ql/lib/semmle/go/frameworks/Squirrel.qll
@@ -0,0 +1,85 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `squirrel` ORM package.
+ */
+
+import go
+
+/**
+ * Provides classes modeling security-relevant aspects of the `squirrel` ORM package.
+ */
+module Squirrel {
+  private string packagePath() {
+    result =
+      package([
+          "github.com/Masterminds/squirrel",
+          "github.com/lann/squirrel",
+          "gopkg.in/Masterminds/squirrel",
+        ], "")
+  }
+
+  private class RowScan extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    RowScan() {
+      // signature: func (rs *RowScanner) Scan(dest ...interface{}) error
+      this.hasQualifiedName(packagePath(), "Row", "Scan") and
+      inp.isReceiver() and
+      outp.isParameter(_)
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class RowScannerScan extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    RowScannerScan() {
+      // signature: func (rs *RowScanner) Scan(dest ...interface{}) error
+      this.hasQualifiedName(packagePath(), "RowScanner", "Scan") and
+      inp.isReceiver() and
+      outp.isParameter(_)
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class BuilderScan extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    BuilderScan() {
+      // signature: func (rs *InsertBuilder) Scan(dest ...interface{}) error
+      this.hasQualifiedName(packagePath(),
+        ["DeleteBuilder", "InsertBuilder", "SelectBuilder", "UpdateBuilder"], "Scan") and
+      inp.isReceiver() and
+      outp.isParameter(_)
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class BuilderScanContext extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    BuilderScanContext() {
+      // signature: func (rs *InsertBuilder) Scan(dest ...interface{}) error
+      this.hasQualifiedName(packagePath(),
+        ["DeleteBuilder", "InsertBuilder", "SelectBuilder", "UpdateBuilder"], "ScanContext") and
+      inp.isReceiver() and
+      exists(int i | i > 0 | outp.isParameter(i))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
