Add G202 section in G201 page (#16) · securego/securego.github.io@c85b17a · GitHub

Commit c85b17a

MVrachev authored and gcmurphy committed
Add G202 section in G201 page (#16)
There is no sense in using two doc pages for rules G201 and G202. Both rules are really similar and they can be placed in one doc. After all, why should we duplicate "The right way" section in a separate doc for rule G202?

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
1 parent 913ae00 commit c85b17a


3 files changed: +58 −5 lines changed


docs/rules/g201_sql_injection_via_format_string.md renamed to docs/rules/g201-g202_sql_injection_via_format_string.md

Lines changed: 37 additions & 4 deletions
@@ -1,12 +1,14 @@
11
---
2-
id: g201
3-
title: G201: SQL query construction using format string
2+
id: g201-g202
3+
title: G201/G202: SQL query construction using format string/string concatenation
44
---
55

66
[SQL injection](https://en.wikipedia.org/wiki/SQL_injection) is one of the top security issues developers make and the consequences of this can be severe.
77
Using the format string function in the fmt Golang package to dynamically create an SQL query can easily create a possibility for SQL injection. The reason is that the format string function doesn't escape special characters like ' and it's easy to add second SQL command in the format string.
88

9-
## Example problematic code:
9+
## Examples of problematic code:
10+
11+
### G201 - SQL query construction using format string
1012

1113
```
1214
package main
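Review bot: the unchanged introductory paragraph still explains only the fmt format-string case, while the new title and headings make this page cover G202 string concatenation as well; add a sentence saying that building the query with plain `+` concatenation of untrusted input has exactly the same effect, so the intro matches the combined scope. Minor: the new heading `## Examples of problematic code:` keeps a trailing colon, which is unusual for a markdown heading and was not needed on the old one either.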
@@ -29,13 +31,44 @@ func main(){
2931
}
3032
```
3133

32-
## Gosec command line output
34+
The Gosec command line output:
3335

3436
```
3537
[examples/main.go:14] - G201: SQL string formatting (Confidence: HIGH, Severity: MEDIUM)
3638
> fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1])
3739
```
3840

41+
### G202 - SQL query construction using string concatenation
42+
43+
```package main
44+
45+
import (
46+
"database/sql"
47+
)
48+
49+
var staticQuery = "SELECT * FROM foo WHERE age < "
50+
51+
func main() {
52+
db, err := sql.Open("sqlite3", ":memory:")
53+
if err != nil {
54+
panic(err)
55+
}
56+
var gender string = "M"
57+
rows, err := db.Query("SELECT * FROM foo WHERE gender = " + gender)
58+
if err != nil {
59+
panic(err)
60+
}
61+
defer rows.Close()
62+
}
63+
```
64+
65+
The Gosec command line output:
66+
67+
```
68+
[/Users/mvrachev/Martins/go/src/github.com/securego/securego.github.io/main.go:15] - G202: SQL string concatenation (Confidence: HIGH, Severity: MEDIUM)
69+
> "SELECT * FROM foo WHERE gender = " + gender
70+
```
71+
3972
## The right way
4073

4174
Two of the ways to escape SQL injection when using Golang are:
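Review bot: the G202 code fence is opened as ```package main, which puts `package main` into the fence's info string instead of into the code, so the rendered block will start at the `import` line and be tagged with a bogus language; put `package main` on its own line after the fence. The sample gosec output for G202 also carries an absolute local path (`/Users/mvrachev/Martins/go/src/...`) while the G201 example above reports `examples/main.go:14`; use the same relative path so the two examples read consistently. Finally, `staticQuery` is declared but never used in the snippet; either drop it or make the example use it so readers are not left wondering what it demonstrates.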

main.go

Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
package main
2+
3+
import (
4+
"database/sql"
5+
)
6+
7+
var staticQuery = "SELECT * FROM foo WHERE age < "
8+
9+
func main() {
10+
db, err := sql.Open("sqlite3", ":memory:")
11+
if err != nil {
12+
panic(err)
13+
}
14+
var gender string = "M"
15+
rows, err := db.Query("SELECT * FROM foo WHERE gender = " + gender)
16+
if err != nil {
17+
panic(err)
18+
}
19+
defer rows.Close()
20+
}
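Review bot: main.go at the repository root looks like a local scratch file that was committed by accident: it duplicates the G202 snippet already embedded in the doc, and the absolute path in the doc's sample gosec output shows it was run from a checkout of this website repo. Drop it from the commit, or move it under an examples/ directory if the intent is to keep runnable samples next to the docs. If it stays, `staticQuery` is unused, and `sql.Open("sqlite3", ":memory:")` will fail at runtime with an unknown-driver error because no sqlite3 driver is imported and registered.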

website/sidebars.json

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@
77
"rules/g103",
88
"rules/g104",
99
"rules/g107",
10-
"rules/g201"
10+
"rules/g201-g202"
1111
]
1212
}
1313
}
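Review bot: renaming the doc id from g201 to g201-g202 drops the old rules/g201 route, so any other page or external link that still targets it will break after this change; check the remaining docs for references to the old id before merging. The sidebar entry itself matches the new front-matter id, which is what the site needs to resolve the page.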

0 commit comments
