codeql-go icon indicating copy to clipboard operation
codeql-go copied to clipboard

Published 20 hours ago verified publisher icon github

Add Column, From, JoinClause, *Join, Having, OrderByClause methods for squirrel SQLi query

Open lyoung-confluent opened this issue 3 years ago • 5 comments

Changes

Building on @tunnelshade's work in #611, add a few additional methods with similar signatures/issues. These are vulnerable sinks if the first parameter is tainted input. Some of these functions accept interface{} type in which case only string type (StringType) is tainted/vulnerable.

Links

lyoung-confluent avatar Feb 03 '22 21:02 lyoung-confluent

I don't have detailed knowledge of the package to know whether the Having and Clause methods perform sufficient escaping of their arguments to prevent a meaningful injection attack: have you tested that they really are exploitable?

Yes, demo: https://go.dev/play/p/7Ipxor9Z029

Having actually uses the exact same newWhereClause as Where does internally so is vulnerable in the same way: https://github.com/Masterminds/squirrel/blob/v1.5.2/select.go#L351

OrderByClause uses newPart which directly returns the pred (first argument) when ToSQL is invoked if it is a string: https://github.com/Masterminds/squirrel/blob/def598cbb358368fbfc3f6a9a914699a36846992/part.go#L24

lyoung-confluent avatar Feb 07 '22 18:02 lyoung-confluent

:+1: ping me when this is in a ready state

smowton avatar Feb 07 '22 18:02 smowton

I added "Join", "LeftJoin", "RightJoin", "InnerJoin", "CrossJoin" as well as these functions are all aliases of JoinClause with a small prefix added, ex: https://github.com/Masterminds/squirrel/blob/v1.5.2/select.go#L292

Also From which uses newPart as well: https://github.com/Masterminds/squirrel/blob/v1.5.2/select.go#L275 And finally Columns which also uses newPart: https://github.com/Masterminds/squirrel/blob/v1.5.2/select.go#L260

lyoung-confluent avatar Feb 07 '22 19:02 lyoung-confluent

@smowton I believe it's ready for a round of review/merge (assuming tests pass, currently blocked on github actions being started)

lyoung-confluent avatar Feb 07 '22 19:02 lyoung-confluent

CI is currently failing when trying to extract ql/test/library-tests/semmle/go/frameworks/SQL/. You need to update the version of Squirrel in ql/test/library-tests/semmle/go/frameworks/SQL/vendor/modules.txt to match the corresponding go.mod. With that change, the tests fail because lines 46-58 of ql/test/library-tests/semmle/go/frameworks/SQL/main.go should have the comment // $ querystring=querypart querystring="users".

owen-mc avatar Feb 08 '22 14:02 owen-mc

Noting this was merged accidentally due to changes to the automerge criteria and then reverted in #748

smowton avatar Sep 13 '22 09:09 smowton