Better SQLi testing

This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab)
2025-11-23 22:15:04 +02:00 · 2016-07-27 14:59:10 +01:00
parent 2d0a26dafe
commit 3e4d96ef3e
2 changed files with 94 additions and 8 deletions
--- a/rules/sql.go
+++ b/rules/sql.go
@@ -15,10 +15,10 @@
 package rules

 import (
-	gas "github.com/HewlettPackard/gas/core"
 	"go/ast"
-	"reflect"
 	"regexp"
+
+	gas "github.com/HewlettPackard/gas/core"
 )

 type SqlStatement struct {
@@ -30,13 +30,27 @@ type SqlStrConcat struct {
 	SqlStatement
 }

+// see if we can figgure out what it is
+func (s *SqlStrConcat) checkObject(n *ast.Ident) bool {
+	if n.Obj != nil {
+		return (n.Obj.Kind != ast.Var || n.Obj.Kind != ast.Fun)
+	}
+	return false
+}
+
 // Look for "SELECT * FROM table WHERE " + " ' OR 1=1"
 func (s *SqlStrConcat) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
-	a := reflect.TypeOf(&ast.BinaryExpr{})
-	b := reflect.TypeOf(&ast.BasicLit{})
-	if node := gas.SimpleSelect(n, a, b); node != nil {
-		if str, _ := gas.GetString(node); s.pattern.MatchString(str) {
-			return gas.NewIssue(c, n, s.What, s.Severity, s.Confidence), nil
+	if node, ok := n.(*ast.BinaryExpr); ok {
+		if start, ok := node.X.(*ast.BasicLit); ok {
+			if str, _ := gas.GetString(start); s.pattern.MatchString(str) {
+				if _, ok := node.Y.(*ast.BasicLit); ok {
+					return nil, nil // string cat OK
+				}
+				if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second) {
+					return nil, nil
+				}
+				return gas.NewIssue(c, n, s.What, s.Severity, s.Confidence), nil
+			}
 		}
 	}
 	return nil, nil