G201/G202: add checks for injection into sql.Conn methods

We check sql.DB and sql.Tx, but sql.Conn appears to have been missed. It carries the same issues as DB/Tx in terms of injection.
2025-11-23 22:15:04 +02:00 · 2025-06-02 23:03:04 -04:00
parent 67f63d4781
commit 017d1d655c
3 changed files with 65 additions and 0 deletions
--- a/rules/sql.go
+++ b/rules/sql.go
@@ -32,6 +32,12 @@ type sqlStatement struct {
 }

 var sqlCallIdents = map[string]map[string]int{
+	"*database/sql.Conn": {
+		"ExecContext":     1,
+		"QueryContext":    1,
+		"QueryRowContext": 1,
+		"PrepareContext":  1,
+	},
 	"*database/sql.DB": {
 		"Exec":            0,
 		"ExecContext":     1,