go/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2025-11-25 22:22:17 +02:00
Code Issues Releases Activity

rules(G202): detect SQL concat in ValueSpec declarations; add test sample\n\n- Handle var query string = 'SELECT ...' + user style declarations\n- Reuse existing binary expr detection on ValueSpec.Values\n- Add postgres sample mirroring issue #1309 report\n- Rules tests: 42 passed

Browse Source
This commit is contained in:
Eshani Parulekar
2025-09-12 13:49:46 +05:30
committed by Cosmin Cojocar
parent 4be6b11bbc
commit 40ac53017b
2 changed files with 33 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
rules/sql.go
View File

@@ -191,6 +191,11 @@ func (s *sqlStrConcat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) (*issu
if injection := s.findInjectionInBranch(ctx, decl.Rhs); injection != nil { if injection := s.findInjectionInBranch(ctx, decl.Rhs); injection != nil {
return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil
} }
case *ast.ValueSpec:
// handle: var query string = "SELECT ...'" + user
if injection := s.findInjectionInBranch(ctx, decl.Values); injection != nil {
return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil
}
} }
} }

28
testutils/g202_samples.go
View File

@@ -308,4 +308,32 @@ func main() {
fmt.Println(result) fmt.Println(result)
} }
`}, 0, gosec.NewConfig()}, `}, 0, gosec.NewConfig()},
{[]string{`
package main
import (
"database/sql"
"fmt"
_ "github.com/lib/pq"
)
func main() {
db, err := sql.Open("postgres", "user=postgres password=password dbname=mydb sslmode=disable")
if err!= nil {
panic(err)
}
defer db.Close()
var username string
fmt.Println("请输入用户名:")
fmt.Scanln(&username)
var query string = "SELECT * FROM users WHERE username = '" + username + "'"
rows, err := db.Query(query)
if err!= nil {
panic(err)
}
defer rows.Close()
}
`}, 1, gosec.NewConfig()},
} }