Merge pull request #19561 from owen-mc/go/mad/bigquery-sql-injection-sink

owen-mc · web-flow · commit e7e42862337a · 2025-06-04T11:36:18.000+01:00
Go: Add BigQuery as a sink for SQLi queries #2
diff --git a/go/documentation/library-coverage/frameworks.csv b/go/documentation/library-coverage/frameworks.csv
@@ -3,6 +3,7 @@ Standard library,https://pkg.go.dev/std, archive/* bufio bytes cmp compress/* co
 appleboy/gin-jwt,https://github.com/appleboy/gin-jwt,github.com/appleboy/gin-jwt*
 Afero,https://github.com/spf13/afero,github.com/spf13/afero*
 beego,https://beego.me/,github.com/astaxie/beego* github.com/beego/beego*
+bigquery,https://pkg.go.dev/cloud.google.com/go/bigquery,cloud.google.com/go/bigquery*
 Bun,https://bun.uptrace.dev/,github.com/uptrace/bun*
 CleverGo,https://github.com/clevergo/clevergo,clevergo.tech/clevergo* github.com/clevergo/clevergo*
 Couchbase official client(gocb),https://github.com/couchbase/gocb,github.com/couchbase/gocb* gopkg.in/couchbase/gocb*
@@ -35,7 +36,7 @@ golang.org/x/net,https://pkg.go.dev/golang.org/x/net,golang.org/x/net*
 goproxy,https://github.com/elazarl/goproxy,github.com/elazarl/goproxy*
 gorilla/mux,https://github.com/gorilla/mux,github.com/gorilla/mux*
 gorilla/websocket,https://github.com/gorilla/websocket,github.com/gorilla/websocket*
-gorqlite,https://github.com/rqlite/gorqlite,github.com/raindog308/gorqlite* github.com/rqlite/gorqlite*
+gorqlite,https://github.com/rqlite/gorqlite,github.com/raindog308/gorqlite* github.com/rqlite/gorqlite* github.com/kanikanema/gorqlite*
 goxpath,https://github.com/ChrisTrenkamp/goxpath/wiki,github.com/ChrisTrenkamp/goxpath*
 htmlquery,https://github.com/antchfx/htmlquery,github.com/antchfx/htmlquery*
 Iris,https://www.iris-go.com/,github.com/kataras/iris*
diff --git a/go/ql/lib/change-notes/2025-05-22-bigquery-client-query-sql-injection.md b/go/ql/lib/change-notes/2025-05-22-bigquery-client-query-sql-injection.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The first argument of `Client.Query` in `cloud.google.com/go/bigquery` is now recognized as a SQL injection sink.
diff --git a/go/ql/lib/ext/cloud.google.com.go.bigquery.model.yml b/go/ql/lib/ext/cloud.google.com.go.bigquery.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["cloud.google.com/go/bigquery", "Client", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/QueryString.expected b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/QueryString.expected
@@ -0,0 +1,2 @@
+invalidModelRow
+testFailures
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/QueryString.ql b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/QueryString.ql
@@ -0,0 +1,56 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import utils.test.InlineExpectationsTest
+
+module SqlTest implements TestSig {
+  string getARelevantTag() { result = "query" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "query" and
+    exists(SQL::Query q, SQL::QueryString qs | qs = q.getAQueryString() |
+      q.getLocation() = location and
+      element = q.toString() and
+      value = qs.toString()
+    )
+  }
+}
+
+module QueryString implements TestSig {
+  string getARelevantTag() { result = "querystring" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "querystring" and
+    element = "" and
+    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
+      qs.getLocation() = location and
+      value = qs.toString()
+    )
+  }
+}
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLit }
+
+  predicate isSink(DataFlow::Node n) {
+    n = any(DataFlow::CallNode cn | cn.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+module TaintFlow implements TestSig {
+  string getARelevantTag() { result = "flowfrom" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "flowfrom" and
+    element = "" and
+    exists(DataFlow::Node fromNode, DataFlow::Node toNode |
+      toNode.getLocation() = location and
+      Flow::flow(fromNode, toNode) and
+      value = fromNode.asExpr().(StringLit).getValue()
+    )
+  }
+}
+
+import MakeTest<MergeTests3<SqlTest, QueryString, TaintFlow>>
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/bigquery.expected b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/bigquery.expected
@@ -0,0 +1 @@
+| bigquery.go:17:15:17:23 | untrusted | cloud.google.com/go/bigquery.Client | Query |
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/bigquery.go b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/bigquery.go
@@ -0,0 +1,18 @@
+package main
+
+//go:generate depstubber -vendor cloud.google.com/go/bigquery Client
+
+import (
+	"cloud.google.com/go/bigquery"
+)
+
+func getUntrustedString() string {
+	return "trouble"
+}
+
+func main() {
+	untrusted := getUntrustedString()
+	var client *bigquery.Client
+
+	client.Query(untrusted) // $ querystring=untrusted
+}
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/bigquery.ql b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/bigquery.ql
@@ -0,0 +1,7 @@
+import go
+
+from SQL::QueryString qs, Function func, string a, string b
+where
+  func.hasQualifiedName(a, b) and
+  qs = func.getACall().getSyntacticArgument(_)
+select qs, a, b
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/go.mod b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/go.mod
@@ -0,0 +1,50 @@
+module bigquerytest
+
+go 1.24
+
+require cloud.google.com/go/bigquery v1.68.0
+
+require (
+	cloud.google.com/go v0.121.0 // indirect
+	cloud.google.com/go/auth v0.16.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/iam v1.5.2 // indirect
+	github.com/apache/arrow/go/v15 v15.0.2 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/google/flatbuffers v23.5.26+incompatible // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+	github.com/pierrec/lz4/v4 v4.1.18 // indirect
+	github.com/zeebo/xxh3 v1.0.2 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	golang.org/x/crypto v0.37.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/oauth2 v0.29.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
+	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
+	google.golang.org/api v0.231.0 // indirect
+	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250428153025-10db94c68c34 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250428153025-10db94c68c34 // indirect
+	google.golang.org/grpc v1.72.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+)
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/vendor/cloud.google.com/go/bigquery/stub.go b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/vendor/cloud.google.com/go/bigquery/stub.go
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/vendor/modules.txt b/go/ql/test/library-tests/semmle/go/frameworks/SQL/bigquery/vendor/modules.txt

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The first argument of `Client.Query` in `cloud.google.com/go/bigquery` is now recognized as a SQL injection sink.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| bigquery.go:17:15:17:23 \| untrusted \| cloud.google.com/go/bigquery.Client \| Query \|`