safesql's People

Contributors

cameron-stripe, clundquist-stripe, codyl-stripe, ryanlower, sergeylanzman, zenazn


safesql's Issues

Detect connection leaks

I am researching tools that could detect leaked connections, e.g. failing to call rows.Close after a call to db.Query.
This tool does not do this, right? Should it? Any suggestions for tools that are out there that might accept a PR, if not this one?
I want to avoid writing something from scratch.
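A minimal, AST-only sketch of the check being asked about, added here as an example; it is not safesql's code (safesql works on SSA with pointer analysis, so this is a deliberate simplification). It parses a Go source file, remembers every variable assigned from a method call named Query or QueryContext, and reports any such variable in the same function that never has Close() called on it, whether directly or via defer. The two functions in the embedded sample source are constructed input; a forgotten rows.Close pins a pooled connection, which is the leak the issue describes.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Leak is a variable holding a Query result that is never closed in its function.
type Leak struct {
	Func string
	Var  string
	Line int
}

// isQueryCall reports whether expr is a call to a method named Query or
// QueryContext, the database/sql methods that return *sql.Rows.
func isQueryCall(expr ast.Expr) bool {
	call, ok := expr.(*ast.CallExpr)
	if !ok {
		return false
	}
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	return sel.Sel.Name == "Query" || sel.Sel.Name == "QueryContext"
}

// FindRowsLeaks parses src and, per function, pairs variables assigned from
// Query/QueryContext with <var>.Close() calls in the same body. Unpaired
// variables are reported. (Heuristic: rows handed to another function are
// not tracked; a real tool would follow data flow.)
func FindRowsLeaks(src string) ([]Leak, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "src.go", src, 0)
	if err != nil {
		return nil, err
	}
	var leaks []Leak
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		opened := map[string]int{} // variable name -> line of the Query call
		closed := map[string]bool{}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			switch x := n.(type) {
			case *ast.AssignStmt:
				// rows, err := db.Query(...) records "rows"
				if len(x.Rhs) == 1 && isQueryCall(x.Rhs[0]) && len(x.Lhs) >= 1 {
					if id, ok := x.Lhs[0].(*ast.Ident); ok {
						opened[id.Name] = fset.Position(x.Pos()).Line
					}
				}
			case *ast.CallExpr:
				// rows.Close() or defer rows.Close() records "rows"
				if sel, ok := x.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "Close" {
					if id, ok := sel.X.(*ast.Ident); ok {
						closed[id.Name] = true
					}
				}
			}
			return true
		})
		for name, line := range opened {
			if !closed[name] {
				leaks = append(leaks, Leak{Func: fn.Name.Name, Var: name, Line: line})
			}
		}
	}
	return leaks, nil
}

// sampleLeak is constructed input: one leaking function, one correct one.
const sampleLeak = `package demo

import "database/sql"

func leaky(db *sql.DB) error {
	rows, err := db.Query("SELECT id FROM users")
	if err != nil {
		return err
	}
	for rows.Next() {
	}
	return rows.Err() // rows.Close is never called: the connection leaks
}

func fine(db *sql.DB) error {
	rows, err := db.Query("SELECT id FROM users")
	if err != nil {
		return err
	}
	defer rows.Close()
	for rows.Next() {
	}
	return rows.Err()
}
`

func main() {
	leaks, err := FindRowsLeaks(sampleLeak)
	if err != nil {
		panic(err)
	}
	for _, l := range leaks {
		fmt.Printf("%s: %s opened at line %d is never closed\n", l.Func, l.Var, l.Line)
	}
}
```

Running it reports only leaky; the defer in fine satisfies the check. The same shape (an assignment from a resource-returning call paired with a later release call) is how most leak linters start before they add flow sensitivity.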

Internal Panic in pointer analysis when trying to analyse a project

Hi,

I was trying to analyse this project: github.com/pydio/cells

and got this error:

Any idea?

eagle@XXXXXX:~/go/src/github.com/pydio/cells$ /home/eagle/go/bin/safesql -q .
Internal panic in pointer analysis:
goroutine 1 [running]:
runtime/debug.Stack(0x24, 0x0, 0x0)
/usr/lib/go-1.10/src/runtime/debug/stack.go:24 +0xa7
runtime/debug.PrintStack()
/usr/lib/go-1.10/src/runtime/debug/stack.go:16 +0x22
golang.org/x/tools/go/pointer.Analyze.func1(0xc4201f1be0)
/home/eagle/go/src/golang.org/x/tools/go/pointer/analysis.go:227 +0x110
panic(0x6844e0, 0xc4c38e1f10)
/usr/lib/go-1.10/src/runtime/panic.go:502 +0x229
golang.org/x/tools/go/pointer.(*analysis).callEdge(0xc4cb5fc8c0, 0xc4d0c85d40, 0xc4c571af80, 0xcb179)
/home/eagle/go/src/golang.org/x/tools/go/pointer/analysis.go:368 +0x7cc
golang.org/x/tools/go/pointer.Analyze(0xc4cb8c4280, 0x0, 0x72aa20, 0xc4c38e1fc0)
/home/eagle/go/src/golang.org/x/tools/go/pointer/analysis.go:354 +0x6fd
main.main()
/home/eagle/go/src/github.com/stripe/safesql/safesql.go:114 +0xa7e
error performing pointer analysis: internal error in pointer analysis: callEdge dynamic function call -> n831865: not a function object (please report this bug)

safesql command running issue

Hi, I ran into trouble when running the shipped test case. The command and output are listed below:

PS PATH\TO\safe-sql-testdata> safesql.exe
Usage: D:\lang\go_work\bin\safesql.exe [-q] [-v] package1 [package2 ...]
  -q    Only print on failure
  -v    Verbose mode
# the command got stuck here
PS PATH\TO\safe-sql-testdata> safesql.exe -v .\ignored_back_to_back\

When I ran safesql.exe -v .\ignored_back_to_back\, the shell got stuck without output. Is safesql trying to download something? Or maybe I'm missing something?

Extraneous output

Using this tool for the very first time, I was curious why the output is so verbose.
Here is what I see:

Found 3 potentially unsafe SQL statements:
<LIST OF FILES WITH PROBLEMS>
Please ensure that all SQL queries you use are compile-time constants.
You should always use parameterized queries or prepared statements
instead of building queries from strings.

Do we gain anything from all the extra output or could we just output a list of problematic files?
I'd be happy to open a PR if y'all think we should trim down the output.

I think the informational lines would be more appropriate in the output of safesql -h; what do you think?

Ability to override SafeSQL to prevent false positives

I propose adding functionality to allow the programmer to override the analysis done by SafeSQL to help avoid false positives. Specifically, I have an offending line such as:

stmt, err = dbh.Prepare(query)

That is actually safe. I'd like to be able to provide a comment right above the line that tells SafeSQL to ignore the error. Perhaps something similar to the build-tag syntax, such as:

// +safesql ignore
stmt, err = dbh.Prepare(query)
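One way the proposed directive could be honoured, written here as an added example rather than anything safesql implements. The checker flags calls to methods named Query, Exec or Prepare (and their Context variants) whose SQL argument is not a string literal, and marks a finding as suppressed when the line directly above the call carries exactly the comment proposed in this issue. It works on the AST only and does not resolve named constants or concatenations of constants, which safesql's SSA-based analysis does; the dbh receiver, the DB type and the sample source are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// queryArg maps database/sql method names to the index of their SQL argument
// (the Context variants take ctx first).
var queryArg = map[string]int{
	"Query": 0, "Exec": 0, "Prepare": 0,
	"QueryContext": 1, "ExecContext": 1, "PrepareContext": 1,
}

// Finding is one call whose SQL text could not be shown to be a literal.
type Finding struct {
	Line    int
	Method  string
	Ignored bool // true when "// +safesql ignore" sits on the line above
}

// CheckFile parses src and reports every Query/Exec/Prepare call whose SQL
// argument is not a string literal, marking those covered by the directive.
func CheckFile(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "src.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	// Lines on which the directive comment appears.
	directive := map[int]bool{}
	for _, cg := range f.Comments {
		for _, c := range cg.List {
			if strings.TrimSpace(c.Text) == "// +safesql ignore" {
				directive[fset.Position(c.Pos()).Line] = true
			}
		}
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		idx, ok := queryArg[sel.Sel.Name]
		if !ok || len(call.Args) <= idx {
			return true
		}
		if lit, ok := call.Args[idx].(*ast.BasicLit); ok && lit.Kind == token.STRING {
			return true // literal SQL text: nothing to report
		}
		line := fset.Position(call.Pos()).Line
		out = append(out, Finding{Line: line, Method: sel.Sel.Name, Ignored: directive[line-1]})
		return true
	})
	return out, nil
}

// sampleIgnore is constructed input: a literal query, a string-built query,
// and a reviewed call suppressed by the proposed directive.
const sampleIgnore = `package demo

func run(dbh DB, id string, query string) {
	dbh.Exec("DELETE FROM sessions WHERE id = ?", id)

	dbh.Exec("DELETE FROM sessions WHERE id = '" + id + "'")

	// +safesql ignore
	stmt, _ := dbh.Prepare(query)
	_ = stmt
}
`

func main() {
	findings, err := CheckFile(sampleIgnore)
	if err != nil {
		panic(err)
	}
	for _, fd := range findings {
		if fd.Ignored {
			fmt.Printf("line %d: %s call suppressed by directive\n", fd.Line, fd.Method)
			continue
		}
		fmt.Printf("line %d: %s called with non-literal SQL\n", fd.Line, fd.Method)
	}
}
```

Keeping suppressed findings in the output (rather than dropping them) lets a reviewer grep for every place the directive was used, which is the audit trail you want when an override mechanism exists.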

safesql errors out for dynamic query

Hi,

We have a requirement to create a dynamic query along with the parameters. The query is still parameterized, though.

But safesql errors out, complaining with the below:

"Please ensure that all SQL queries you use are compile-time constants.
You should always use parameterized queries or prepared statements
instead of building queries from strings"

Code is like below:

// Dynamic query to insert all
query, params := getInsertAllQuery()

result, err := db.ExecContext(ctx, query, params...) // safesql throws error in this line.

Please let me know whether this is a false positive.
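For context on the pattern in this issue, here is an added example (not the reporter's getInsertAllQuery, whose body is not shown) of a dynamic multi-row INSERT built so that the SQL text contains only fixed fragments and "?" placeholders while every value travels in the parameter slice. The User type, table and column names are constructed. At the ExecContext call site the query is still a runtime string, which is exactly what safesql's message objects to: the tool cannot see through the builder to know that the text never includes user data, so the safety argument rests on reviewing the builder itself.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User is the row type being inserted (constructed for the example).
type User struct {
	Name  string
	Email string
}

// BuildInsertAll returns a multi-row INSERT whose text is assembled only from
// constant fragments and "?" placeholders; user-supplied values are returned
// separately as params and never concatenated into the SQL string.
func BuildInsertAll(users []User) (string, []interface{}, error) {
	if len(users) == 0 {
		return "", nil, errors.New("no rows to insert")
	}
	var sb strings.Builder
	sb.WriteString("INSERT INTO users (name, email) VALUES ")
	params := make([]interface{}, 0, 2*len(users))
	for i, u := range users {
		if i > 0 {
			sb.WriteString(", ")
		}
		sb.WriteString("(?, ?)")
		params = append(params, u.Name, u.Email)
	}
	return sb.String(), params, nil
}

// PlaceholdersMatch is a cheap invariant for tests and code review: the
// number of "?" in the text must equal the number of bound parameters.
func PlaceholdersMatch(query string, params []interface{}) bool {
	return strings.Count(query, "?") == len(params)
}

func main() {
	// Constructed sample rows; the apostrophe in the second name shows that
	// quote characters travel as bound data, not as SQL syntax.
	users := []User{
		{Name: "alice", Email: "alice@example.com"},
		{Name: "o'brien", Email: "obrien@example.com"},
	}
	query, params, err := BuildInsertAll(users)
	if err != nil {
		panic(err)
	}
	fmt.Println(query)
	fmt.Println(params, PlaceholdersMatch(query, params))
	// The call site would then be: db.ExecContext(ctx, query, params...)
}
```

Placeholder style ("?" versus "$1") depends on the driver; the structural point, that the only runtime contribution to the text is the count of placeholder groups, is what a reviewer checks when deciding whether such a report can be safely dismissed.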

"go get" fails to pull safesql because of compile error

When I run go get, I receive the following error:

$ go get github.com/stripe/safesql
# github.com/stripe/safesql
github.com/stripe/safesql/safesql.go:46: s.Build undefined (type *ssa.Program has no field or method Build)

Add an 'ignore/skip package' feature to safesql.

When using safesql, the script scans the entire working directory for packages. In some cases, selected packages should have the option of being 'skipped' or 'ignored' (i.e., vendor packages), so that we aren't running the tool against code that isn't developed by the first party.

Compile errors

Fails to compile with the following errors:

# github.com/stripe/safesql
safesql/safesql.go:48: cannot use p.Package("database/sql").Pkg (type *"go/types".Package) as type *"golang.org/x/tools/go/types".Package in argument to FindQueryMethods
safesql/safesql.go:123: cannot use m (type *"golang.org/x/tools/go/types".Func) as type *"go/types".Func in argument to ssa.FuncValue
