chore: Refactor Sample Code to Separate Files

Split the code in `source.go` to individual sample files, one per rule. This will help contributors submit samples for new rules, or improvements to existing rules. The cgo sample was all that was left after refactoring, which resulted in its own sample file. Sample code was also formatted to have some level of consistency. Each sample go "file" attempts to keep the formatting of `gofmt`, and each code sample is in its own section in the sample file. Signed-off-by: Adam Kaplan <adam@adambkaplan.com>
2025-11-23 22:15:04 +02:00 · 2023-11-25 17:51:38 -05:00
parent bc03d1c1bc
commit 0e2a61899a
38 changed files with 4461 additions and 4076 deletions
--- a/testutils/g201_samples.go
+++ b/testutils/g201_samples.go
@@ -0,0 +1,403 @@
+package testutils
+
+import "github.com/securego/gosec/v2"
+
+var (
+	// SampleCodeG201 - SQL injection via format string
+	SampleCodeG201 = []CodeSample{
+		{[]string{`
+// Format string without proper quoting
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1])
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 1, gosec.NewConfig()},
+		{[]string{`
+// Format string without proper quoting case insensitive
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1])
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 1, gosec.NewConfig()},
+		{[]string{`
+// Format string without proper quoting with context
+package main
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1])
+	rows, err := db.QueryContext(context.Background(), q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 1, gosec.NewConfig()},
+		{[]string{`
+// Format string without proper quoting with transaction
+package main
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	tx, err := db.Begin()
+	if err != nil {
+		panic(err)
+	}
+	defer tx.Rollback()
+	q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1])
+	rows, err := tx.QueryContext(context.Background(), q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+	if err := tx.Commit(); err != nil {
+		panic(err)
+	}
+}
+`}, 1, gosec.NewConfig()},
+		{[]string{`
+// Format string false positive, safe string spec.
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM foo where id = %d", os.Args[1])
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 0, gosec.NewConfig()},
+		{[]string{`
+// Format string false positive
+package main
+
+import (
+		"database/sql"
+)
+
+const staticQuery = "SELECT * FROM foo WHERE age < 32"
+
+func main(){
+		db, err := sql.Open("sqlite3", ":memory:")
+		if err != nil {
+			panic(err)
+		}
+		rows, err := db.Query(staticQuery)
+		if err != nil {
+			panic(err)
+		}
+		defer rows.Close()
+}
+`}, 0, gosec.NewConfig()},
+		{[]string{`
+// Format string false positive, quoted formatter argument.
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+	"github.com/lib/pq"
+)
+
+func main(){
+	db, err := sql.Open("postgres", "localhost")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM %s where id = 1", pq.QuoteIdentifier(os.Args[1]))
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 0, gosec.NewConfig()},
+		{[]string{`
+// false positive
+package main
+
+import (
+	"database/sql"
+	"fmt"
+)
+
+const Table = "foo"
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM %s where id = 1", Table)
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 0, gosec.NewConfig()},
+		{[]string{`
+package main
+import (
+	"fmt"
+)
+
+func main(){
+	fmt.Sprintln()
+}
+`}, 0, gosec.NewConfig()},
+		{[]string{`
+// Format string with \n\r
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1])
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 1, gosec.NewConfig()},
+		{[]string{`
+// Format string with \n\r
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main(){
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM foo where\nname = '%s'", os.Args[1])
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 1, gosec.NewConfig()},
+		{[]string{`
+// SQLI by db.Query(some).Scan(&other)
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main() {
+	var name string
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1])
+	row := db.QueryRow(q)
+	err = row.Scan(&name)
+	if err != nil {
+		panic(err)
+	}
+	defer db.Close()
+}`}, 1, gosec.NewConfig()},
+		{[]string{`
+// SQLI by db.Query(some).Scan(&other)
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+)
+
+func main() {
+	var name string
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1])
+	err = db.QueryRow(q).Scan(&name)
+	if err != nil {
+		panic(err)
+	}
+	defer db.Close()
+}`}, 1, gosec.NewConfig()},
+		{[]string{`
+// SQLI by db.Prepare(some)
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+)
+
+const Table = "foo"
+
+func main() {
+	var album string
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1])
+	stmt, err := db.Prepare(q)
+	if err != nil {
+		log.Fatal(err)
+	}
+	stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			log.Fatal(err)
+		}
+	}
+	defer stmt.Close()
+}
+`}, 1, gosec.NewConfig()},
+		{[]string{`
+// SQLI by db.PrepareContext(some)
+package main
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+)
+
+const Table = "foo"
+
+func main() {
+	var album string
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1])
+	stmt, err := db.PrepareContext(context.Background(), q)
+	if err != nil {
+		log.Fatal(err)
+	}
+	stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			log.Fatal(err)
+		}
+	}
+	defer stmt.Close()
+}
+`}, 1, gosec.NewConfig()},
+		{[]string{`
+// false positive
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+)
+
+const Table = "foo"
+
+func main() {
+	var album string
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		panic(err)
+	}
+	stmt, err := db.Prepare("SELECT * FROM album WHERE id = ?")
+	if err != nil {
+		log.Fatal(err)
+	}
+	stmt.QueryRow(fmt.Sprintf("%s", os.Args[1])).Scan(&album)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			log.Fatal(err)
+		}
+	}
+	defer stmt.Close()
+}
+`}, 0, gosec.NewConfig()},
+	}
+)