Python: Go Interface based Checker for SQL injection vulnerability

[viveka1302]

Description:

GoLang was chosen for this checker for complex logical control of flow of execution.

Basic Idea:

SQL injection vulnerability in this checker is assumed when a SQL query contains concatenated string (f-string or interpolation) with user-input instead of parameterisation.

Logic:

To identify an SQL execution call, we search for the most common execution calls across all SQL libraries and ORMs, like:
execute, executemany, executescript
Once we find such a call, the first case we check for, is if the developer has passed a string directly to the execution call, in which case, a normal tree-sitter-query is enough.
If instead, we find a variable passed as parameter, instead of raw string, we use Go to trace the variable back to it's origin, whether it's in the same file or in a different file in the same project (hence, accounting for multiple layers of variables being passed in one another).
Once spotted, we check the assigned value for any concatenated strings. If found, the user receives Report.

Type Of Change

• New Checker

Checklist:

• All required checkers added
• Test case added
• Not tested (since current Github Actions workflow does not have support for testing Go checkers, as per test_runner.go)

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
globstar	⬜️ Ignored (Inspect)	Visit Preview		Mar 13, 2025 7:07am

[MashyBasker]

Hey, could you please add test directives to the test files.

[viveka1302]

Sure, I'll get back to that this evening! Thanks

[viveka1302]

@MashyBasker Added!

[sourya-deepsource]

This is being done in a different way (using scope analysis and data flow) here.