stripe-archive / safesql
Static analysis tool for Golang that protects against SQL injections
License: MIT License
I am researching tools that could detect leaked connections, e.g., failing to call rows.Close after a call to db.Query.
This tool does not do this, right? Should it? Any suggestions for tools that are out there that might accept a PR if not this one?
I want to avoid writing something from scratch.
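A minimal, purely syntactic version of the check the question asks about, added here as an example and not part of safesql or any tool mentioned in this thread: it parses a constructed Go file and reports every variable assigned from a .Query/.QueryContext call that never receives a .Close() call anywhere in the same function body. The sample source, the undeclared DB type and the function names are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"sort"
)

// Constructed sample source for the check: leaky forgets rows.Close, closed
// defers it. DB is left undeclared on purpose; the check is purely syntactic
// and never type-checks the file.
const leakSrc = `package sample

func leaky(db DB) error {
	rows, err := db.Query("SELECT 1")
	if err != nil {
		return err
	}
	for rows.Next() {
	}
	return nil
}

func closed(db DB) error {
	rows, err := db.Query("SELECT 1")
	if err != nil {
		return err
	}
	defer rows.Close()
	for rows.Next() {
	}
	return nil
}
`

// methodCall splits a call of the form recv.Method(...) into its parts.
func methodCall(call *ast.CallExpr) (recv, method string, ok bool) {
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return "", "", false
	}
	id, ok := sel.X.(*ast.Ident)
	if !ok {
		return "", "", false
	}
	return id.Name, sel.Sel.Name, true
}

// UnclosedQueries maps each function name to the variables it assigns from a
// Query/QueryContext call without ever calling Close on them in the same body.
func UnclosedQueries(src string) (map[string][]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		opened := map[string]bool{} // variables holding a *sql.Rows-like result
		closed := map[string]bool{} // receivers of a Close() call
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			switch x := n.(type) {
			case *ast.AssignStmt:
				// rows, err := db.Query(...): remember the first LHS name.
				if len(x.Rhs) == 1 {
					if call, ok := x.Rhs[0].(*ast.CallExpr); ok {
						if _, m, ok := methodCall(call); ok && (m == "Query" || m == "QueryContext") {
							if id, ok := x.Lhs[0].(*ast.Ident); ok {
								opened[id.Name] = true
							}
						}
					}
				}
			case *ast.CallExpr:
				// rows.Close() and defer rows.Close() both land here.
				if recv, m, ok := methodCall(x); ok && m == "Close" {
					closed[recv] = true
				}
			}
			return true
		})
		var leaks []string
		for name := range opened {
			if !closed[name] {
				leaks = append(leaks, name)
			}
		}
		if len(leaks) > 0 {
			sort.Strings(leaks)
			out[fn.Name.Name] = leaks
		}
	}
	return out, nil
}

func main() {
	leaks, err := UnclosedQueries(leakSrc)
	if err != nil {
		panic(err)
	}
	fmt.Println(leaks) // map[leaky:[rows]]
}
```

This is a heuristic, not a proof: it cannot see a Close reached through another alias or a helper, and it says nothing about an early return that skips a non-deferred Close. A production check needs the SSA and pointer-analysis machinery that safesql itself builds on, which is why the question about a tool willing to accept such a PR is a fair one.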
Hi,
I was trying to analyse this project: github.com/pydio/cells
and got this error:
Any idea?
eagle@XXXXXX:~/go/src/github.com/pydio/cells$ /home/eagle/go/bin/safesql -q .
Internal panic in pointer analysis:
goroutine 1 [running]:
runtime/debug.Stack(0x24, 0x0, 0x0)
/usr/lib/go-1.10/src/runtime/debug/stack.go:24 +0xa7
runtime/debug.PrintStack()
/usr/lib/go-1.10/src/runtime/debug/stack.go:16 +0x22
golang.org/x/tools/go/pointer.Analyze.func1(0xc4201f1be0)
/home/eagle/go/src/golang.org/x/tools/go/pointer/analysis.go:227 +0x110
panic(0x6844e0, 0xc4c38e1f10)
/usr/lib/go-1.10/src/runtime/panic.go:502 +0x229
golang.org/x/tools/go/pointer.(*analysis).callEdge(0xc4cb5fc8c0, 0xc4d0c85d40, 0xc4c571af80, 0xcb179)
/home/eagle/go/src/golang.org/x/tools/go/pointer/analysis.go:368 +0x7cc
golang.org/x/tools/go/pointer.Analyze(0xc4cb8c4280, 0x0, 0x72aa20, 0xc4c38e1fc0)
/home/eagle/go/src/golang.org/x/tools/go/pointer/analysis.go:354 +0x6fd
main.main()
/home/eagle/go/src/github.com/stripe/safesql/safesql.go:114 +0xa7e
error performing pointer analysis: internal error in pointer analysis: callEdge dynamic function call -> n831865: not a function object (please report this bug)
Hi, I ran into trouble when running the shipped test case. The command and output are listed below:
PS PATH\TO\safe-sql-testdata> safesql.exe
Usage: D:\lang\go_work\bin\safesql.exe [-q] [-v] package1 [package2 ...]
-q Only print on failure
-v Verbose mode
# the command got stuck here
PS PATH\TO\safe-sql-testdata> safesql.exe -v .\ignored_back_to_back\
When I ran safesql.exe -v .\ignored_back_to_back\, the shell got stuck without output. Is safesql trying to download something? Or maybe I'm missing something?
I'd like an alternative output. Something like JSON.
Using this tool for the very first time, I was curious why the output is so verbose.
Here is what I see:
Found 3 potentially unsafe SQL statements:
<LIST OF FILES WITH PROBLEMS>
Please ensure that all SQL queries you use are compile-time constants.
You should always use parameterized queries or prepared statements
instead of building queries from strings.
Do we gain anything from all the extra output or could we just output a list of problematic files?
I'd be happy to open a PR if y'all think we should trim down the output.
I think the informational lines would be more appropriate in the output of safesql -h. What do you think?
I propose adding functionality to allow the programmer to override the analysis done by SafeSQL to help avoid false positives. Specifically, I have an offending line such as:
stmt, err = dbh.Prepare(query)
That is actually safe, I'd like to be able to provide a comment right above the line that tells SafeSQL to ignore the error. Perhaps something similar to the build-tag syntax such as:
// +safesql ignore
stmt, err = dbh.Prepare(query)
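How a tool could honour the proposed directive, added here as an example and not code from safesql (which has no such option): it parses a constructed Go file with comments retained, uses go/ast's comment map to find the comment group attached to each statement, and reports for every statement containing a Prepare(...) call whether the line directly above it is exactly `// +safesql ignore`. The directive name is the proposal's; the sample source, the undeclared DB type and the function names are constructed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Directive text proposed in the issue; the name is the proposal's, not an
// option safesql actually implements.
const ignoreDirective = "+safesql ignore"

// Constructed sample source: the first Prepare call is annotated, the second
// is not. DB is deliberately undeclared; the file is parsed, not type-checked.
const annotatedSrc = `package sample

func build(dbh DB, query string) {
	// +safesql ignore
	stmt, err := dbh.Prepare(query)
	_, _ = stmt, err
	stmt2, err2 := dbh.Prepare(query)
	_, _ = stmt2, err2
}
`

// hasIgnoreDirective reports whether a comment attached to n (go/ast attaches
// a comment group to the node that immediately follows it) is exactly the
// directive, ignoring surrounding whitespace.
func hasIgnoreDirective(cmap ast.CommentMap, n ast.Node) bool {
	for _, group := range cmap[n] {
		for _, c := range group.List {
			if strings.TrimSpace(strings.TrimPrefix(c.Text, "//")) == ignoreDirective {
				return true
			}
		}
	}
	return false
}

// callsMethod reports whether the subtree under n contains a call to a
// method with the given name.
func callsMethod(n ast.Node, name string) bool {
	found := false
	ast.Inspect(n, func(m ast.Node) bool {
		if call, ok := m.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == name {
				found = true
			}
		}
		return !found
	})
	return found
}

// PrepareCalls maps the line of every assignment or expression statement that
// contains a Prepare(...) call to whether the directive suppresses it.
func PrepareCalls(src string) (map[int]bool, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	cmap := ast.NewCommentMap(fset, f, f.Comments)
	out := map[int]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		switch n.(type) {
		case *ast.AssignStmt, *ast.ExprStmt:
			if callsMethod(n, "Prepare") {
				line := fset.Position(n.Pos()).Line
				out[line] = hasIgnoreDirective(cmap, n)
			}
		}
		return true
	})
	return out, nil
}

func main() {
	calls, err := PrepareCalls(annotatedSrc)
	if err != nil {
		panic(err)
	}
	fmt.Println(calls) // map[5:true 7:false]
}
```

The comment has to sit on the line directly above the statement for go/ast to attach it there, which matches the placement the proposal shows. A tool adopting this should also report suppressed findings in verbose mode, so that an ignore directive is visible during review rather than silently hiding a real injection.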
Hi,
We have a requirement to create a dynamic query along with the parameters. The query is still parameterized though.
But safesql errors out, complaining with the message below:
"Please ensure that all SQL queries you use are compile-time constants.
You should always use parameterized queries or prepared statements
instead of building queries from strings"
The code is as below:
// Dynamic query to insert all
query, params := getInsertAllQuery()
result, err := db.ExecContext(ctx, query, params...) // safesql throws an error on this line.
Please let me know whether this is a false positive.
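What a parameterized dynamic query of this kind looks like, added here as an example and not the issue author's getInsertAllQuery (which is not shown): the statement text is assembled only from constant fragments and "?" placeholders, so it changes with the row count but never with row contents, and every value travels through params. The Row type, the users table, the "?" placeholder syntax (MySQL/SQLite style; Postgres drivers use $1, $2, ...) and the sample rows are constructed. The contrast function shows the interpolation pattern the warning exists for, and LeaksValue is a cheap review-time check that no row value ended up in the SQL text.

```go
package main

import (
	"fmt"
	"strings"
)

// Row is a constructed record type; the issue does not show getInsertAllQuery,
// so this builder is an assumption about what such a function looks like.
type Row struct {
	Name  string
	Email string
}

// SampleRows returns constructed input; the second name carries a quote to
// show what happens when values are interpolated instead of bound.
func SampleRows() []Row {
	return []Row{
		{Name: "Ann", Email: "ann@example.com"},
		{Name: "O'Brien", Email: "ob@example.com"},
	}
}

// InsertAllQuery assembles one multi-row INSERT from constant fragments and
// "?" placeholders only. Every value goes into params, so the text changes
// with the row count but never with the row contents. safesql still flags
// the call that uses it because the final string is not a compile-time
// constant; that is the false positive the issue describes.
func InsertAllQuery(rows []Row) (string, []interface{}) {
	const prefix = "INSERT INTO users (name, email) VALUES "
	placeholders := make([]string, 0, len(rows))
	params := make([]interface{}, 0, 2*len(rows))
	for _, r := range rows {
		placeholders = append(placeholders, "(?, ?)")
		params = append(params, r.Name, r.Email)
	}
	return prefix + strings.Join(placeholders, ", "), params
}

// UnsafeInsertAll is the pattern the warning exists for: row contents are
// spliced into the statement text, so a quote in a name alters the SQL.
// Included only as the contrast case.
func UnsafeInsertAll(rows []Row) string {
	values := make([]string, 0, len(rows))
	for _, r := range rows {
		values = append(values, fmt.Sprintf("('%s', '%s')", r.Name, r.Email))
	}
	return "INSERT INTO users (name, email) VALUES " + strings.Join(values, ", ")
}

// LeaksValue reports whether any row field appears verbatim in the query text,
// a cheap review-time check that values really went through parameters.
func LeaksValue(query string, rows []Row) bool {
	for _, r := range rows {
		if strings.Contains(query, r.Name) || strings.Contains(query, r.Email) {
			return true
		}
	}
	return false
}

func main() {
	rows := SampleRows()
	query, params := InsertAllQuery(rows)
	fmt.Println(query)  // INSERT INTO users (name, email) VALUES (?, ?), (?, ?)
	fmt.Println(params) // [Ann ann@example.com O'Brien ob@example.com]
	// With a real *sql.DB this is the call from the issue:
	//   result, err := db.ExecContext(ctx, query, params...)
	fmt.Println(LeaksValue(query, rows), LeaksValue(UnsafeInsertAll(rows), rows)) // false true
}
```

The safety argument rests on the table and column names being constants inside the builder; the moment a caller can choose the column list or table name, the same function becomes an injection point that no placeholder protects, and safesql's warning is no longer a false positive.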
When I run go get, I receive the following error:
$ go get github.com/stripe/safesql
# github.com/stripe/safesql
github.com/stripe/safesql/safesql.go:46: s.Build undefined (type *ssa.Program has no field or method Build)
When using safesql, the script scans the entire working directory for packages. In some cases, selected packages should have the option of being 'skipped' or 'ignored' (i.e., vendor packages), so that we aren't running the tool against code that isn't developed by the first party.
Fails to compile with the following errors:
# github.com/stripe/safesql
safesql/safesql.go:48: cannot use p.Package("database/sql").Pkg (type *"go/types".Package) as type *"golang.org/x/tools/go/types".Package in argument to FindQueryMethods
safesql/safesql.go:123: cannot use m (type *"golang.org/x/tools/go/types".Func) as type *"go/types".Func in argument to ssa.FuncValue