rules(G202): detect SQL concat in ValueSpec declarations; add test sample\n\n- Handle var query string = 'SELECT ...' + user style declarations\n- Reuse existing binary expr detection on ValueSpec.Values\n- Add postgres sample mirroring issue #1309 report\n- Rules tests: 42 passed

2025-11-25 22:22:17 +02:00 · 2025-09-12 13:49:46 +05:30
parent 4be6b11bbc
commit 40ac53017b
2 changed files with 33 additions and 0 deletions
--- a/rules/sql.go
+++ b/rules/sql.go
@@ -191,6 +191,11 @@ func (s *sqlStrConcat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) (*issu
 			if injection := s.findInjectionInBranch(ctx, decl.Rhs); injection != nil {
 				return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil
 			}
+		case *ast.ValueSpec:
+			// handle: var query string = "SELECT ...'" + user
+			if injection := s.findInjectionInBranch(ctx, decl.Values); injection != nil {
+				return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil
+			}
 		}
 	}

--- a/testutils/g202_samples.go
+++ b/testutils/g202_samples.go
@@ -308,4 +308,32 @@ func main() {
 	fmt.Println(result)
 }
 `}, 0, gosec.NewConfig()},
+	{[]string{`
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	_ "github.com/lib/pq"
+)
+
+func main() {
+	db, err := sql.Open("postgres", "user=postgres password=password dbname=mydb sslmode=disable")
+	if err!= nil {
+		panic(err)
+	}
+	defer db.Close()
+
+	var username string
+	fmt.Println("请输入用户名:")
+	fmt.Scanln(&username)
+
+	var query string = "SELECT * FROM users WHERE username = '" + username + "'"
+	rows, err := db.Query(query)
+	if err!= nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 1, gosec.NewConfig()},
 }