/**
* Provides classes for working with remote flow sources, sinks and taint propagators
* from the `github.com/astaxie/beego/orm` subpackage.
*/
overlay[local?]
module;
import go
private import semmle.go.security.StoredXssCustomizations
/**
* Provides classes for working with remote flow sources, sinks and taint propagators
* from the [Beego ORM](https://github.com/astaxie/beego/orm) subpackage.
*/
module BeegoOrm {
  /** Gets the package name `github.com/astaxie/beego/orm`. */
  string packagePath() { result = package("github.com/astaxie/beego", "orm") }

  /**
   * Holds if `m` implements `Read`, `ReadForUpdate` or `ReadOrCreate` of the
   * `Ormer` interface.
   */
  private predicate isOrmerReadMethod(Method m) {
    m.implements(packagePath(), "Ormer", ["Read", "ReadForUpdate", "ReadOrCreate"])
  }

  /**
   * The first argument of a call to an `Ormer` read method, as it is once the call
   * has returned. The ORM places the row it read into that argument, so it is a
   * stored-XSS source.
   */
  private class OrmerSource extends StoredXss::Source {
    OrmerSource() {
      this =
        FunctionOutput::parameter(0).getExitNode(any(Method m | isOrmerReadMethod(m)).getACall())
    }
  }

  /**
   * The result of `RawValue`, `String` or `Value` called on a `JSONField`, `JsonbField`
   * or `TextField`: the accessor hands out the stored field contents directly.
   */
  private class StringFieldSource extends StoredXss::Source {
    StringFieldSource() {
      exists(string fieldType, string accessor |
        fieldType = ["JSONField", "JsonbField", "TextField"] and
        accessor = ["RawValue", "String", "Value"]
      |
        this =
          any(Method m | m.hasQualifiedName(packagePath(), fieldType, accessor))
              .getACall()
              .getResult()
      )
    }
  }

  /**
   * Gets the name of a `QuerySeter` or `RawSeter` method whose first argument
   * receives the query result.
   */
  private string seterResultMethodName() {
    // All and One are exclusive to QuerySeter, QueryRow[s] are exclusive to RawSeter, the rest are common.
    result =
      [
        "All", "One", "Values", "ValuesList", "ValuesFlat", "RowsToMap", "RowsToStruct", "QueryRow",
        "QueryRows"
      ]
  }

  /**
   * The first argument of a call to a `QuerySeter` or `RawSeter` result method, as it
   * is once the call has returned; it now holds data loaded from the database and is
   * therefore a stored-XSS source.
   */
  private class SeterSource extends StoredXss::Source {
    SeterSource() {
      exists(Method m |
        m.implements(packagePath(), ["QuerySeter", "RawSeter"], seterResultMethodName())
      |
        this = FunctionOutput::parameter(0).getExitNode(m.getACall())
      )
    }
  }
}