rules(G202): detect SQL concat in ValueSpec declarations; add test sample\n\n- Handle var query string = 'SELECT ...' + user style declarations\n- Reuse existing binary expr detection on ValueSpec.Values\n- Add postgres sample mirroring issue #1309 report\n- Rules tests: 42 passed

Eshani Parulekar · ccojocar · commit 40ac53017b81 · 2025-09-12T13:27:02.000Z
diff --git a/rules/sql.go b/rules/sql.go
@@ -191,6 +191,11 @@ func (s *sqlStrConcat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) (*issu
 			if injection := s.findInjectionInBranch(ctx, decl.Rhs); injection != nil {
 				return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil
 			}
+		case *ast.ValueSpec:
+			// handle: var query string = "SELECT ...'" + user
+			if injection := s.findInjectionInBranch(ctx, decl.Values); injection != nil {
+				return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil
+			}
 		}
 	}
 
diff --git a/testutils/g202_samples.go b/testutils/g202_samples.go
@@ -308,4 +308,32 @@ func main() {
 	fmt.Println(result)
 }
 `}, 0, gosec.NewConfig()},
+	{[]string{`
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	_ "github.com/lib/pq"
+)
+
+func main() {
+	db, err := sql.Open("postgres", "user=postgres password=password dbname=mydb sslmode=disable")
+	if err!= nil {
+		panic(err)
+	}
+	defer db.Close()
+
+	var username string
+	fmt.Println("请输入用户名:")
+	fmt.Scanln(&username)
+
+	var query string = "SELECT * FROM users WHERE username = '" + username + "'"
+	rows, err := db.Query(query)
+	if err!= nil {
+		panic(err)
+	}
+	defer rows.Close()
+}
+`}, 1, gosec.NewConfig()},
 }

Original file line number	Diff line number	Diff line change
`@@ -191,6 +191,11 @@ func (s sqlStrConcat) checkQuery(call ast.CallExpr, ctx gosec.Context) (issu`
`191`	`191`	`if injection := s.findInjectionInBranch(ctx, decl.Rhs); injection != nil {`
`192`	`192`	`return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil`
`193`	`193`	`}`
	`194`	`+ case *ast.ValueSpec:`
	`195`	`+ // handle: var query string = "SELECT ...'" + user`
	`196`	`+ if injection := s.findInjectionInBranch(ctx, decl.Values); injection != nil {`
	`197`	`+ return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil`
	`198`	`+ }`
`194`	`199`	`}`
`195`	`200`	`}`
`196`	`201`