Better SQLi testing

This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab)
2025-11-25 22:22:17 +02:00 · 2016-07-27 14:59:10 +01:00
parent 2d0a26dafe
commit 3e4d96ef3e
2 changed files with 94 additions and 8 deletions
--- a/rules/sql_test.go
+++ b/rules/sql_test.go
@@ -15,8 +15,9 @@
 package rules

 import (
-	gas "github.com/HewlettPackard/gas/core"
 	"testing"
+
+	gas "github.com/HewlettPackard/gas/core"
 )

 func TestSQLInjectionViaConcatenation(t *testing.T) {
@@ -144,3 +145,74 @@ func TestSQLInjectionFalsePositiveB(t *testing.T) {

 	checkTestResults(t, issues, 0, "Not expected to match")
 }
+
+func TestSQLInjectionFalsePositiveC(t *testing.T) {
+	analyzer := gas.NewAnalyzer(false, nil)
+	analyzer.AddRule(NewSqlStrConcat())
+	analyzer.AddRule(NewSqlStrFormat())
+
+	source := `
+
+        package main
+        import (
+                "database/sql"
+                "fmt"
+                "os"
+                _ "github.com/mattn/go-sqlite3"
+        )
+
+        var staticQuery = "SELECT * FROM foo WHERE age < "
+
+        func main(){
+                db, err := sql.Open("sqlite3", ":memory:")
+                if err != nil {
+                        panic(err)
+                }
+                rows, err := db.Query(staticQuery + "32")
+                if err != nil {
+                        panic(err)
+                }
+                defer rows.Close()
+        }
+
+        `
+	issues := gasTestRunner(source, analyzer)
+
+	checkTestResults(t, issues, 0, "Not expected to match")
+}
+
+func TestSQLInjectionFalsePositiveD(t *testing.T) {
+	analyzer := gas.NewAnalyzer(false, nil)
+	analyzer.AddRule(NewSqlStrConcat())
+	analyzer.AddRule(NewSqlStrFormat())
+
+	source := `
+
+        package main
+        import (
+                "database/sql"
+                "fmt"
+                "os"
+                _ "github.com/mattn/go-sqlite3"
+        )
+
+				const age = "32"
+        var staticQuery = "SELECT * FROM foo WHERE age < "
+
+        func main(){
+                db, err := sql.Open("sqlite3", ":memory:")
+                if err != nil {
+                        panic(err)
+                }
+                rows, err := db.Query(staticQuery + age)
+                if err != nil {
+                        panic(err)
+                }
+                defer rows.Close()
+        }
+
+        `
+	issues := gasTestRunner(source, analyzer)
+
+	checkTestResults(t, issues, 0, "Not expected to match")
+}