Represents `gorm.DB`, the primary database handle in GORM v2. `Raw()`, `Exec()`, and `Where()` are SQL injection sinks when their SQL string argument is built from unsanitized user input.
```python
from codepathfinder.go_rule import GoGinContext, GoGormDB, GoStrconv
from codepathfinder import flows
from codepathfinder.presets import PropagationPresets
from codepathfinder.go_decorators import go_rule


@go_rule(
    id="GO-GORM-SQLI-002",
    severity="HIGH",
    cwe="CWE-89",
    owasp="A03:2021",
    message="String concatenation in GORM query builder. Use ? placeholders.",
)
def detect_gorm_sqli_concat():
    # Taint flows from Gin request parameters into the string argument of
    # GORM query-builder methods, through the standard propagation set.
    return flows(
        from_sources=[
            GoGinContext.method("Query", "Param", "PostForm"),
        ],
        to_sinks=[
            GoGormDB.method("Where", "Having", "Order"),
        ],
        propagates_through=PropagationPresets.standard(),
        scope="global",
    )
```
```
pathfinder scan --ruleset custom/security --project .
```

| Method | Role | Signature | Description | Sink argument index |
|---|---|---|---|---|
| Raw() | Sink | `Raw(sql string, values ...any) *DB` | Executes raw SQL. The `sql` string is an injection sink when built with user input. | 0 |
| Exec() | Sink | `Exec(sql string, values ...any) *DB` | Executes raw SQL DML. Same risk as `Raw()`. | 0 |
| Where() | Sink | `Where(query any, args ...any) *DB` | Adds a WHERE clause. Sink when `query` is a string with user input concatenated into it. | 0 |

| FQN | Field |
|---|---|
| gorm.io/gorm.DB | fqns[0] |
| *.DB | patterns |
A wrong FQN yields 0 findings. Sanity check: change `fqns` to a garbage value and rerun; the scan must then produce 0 results, which confirms the FQN is what actually drives the match.
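The two query shapes the rule above distinguishes, as an added example that is not part of this page or of the codepathfinder project: the concatenated form that GO-GORM-SQLI-002 flags beside the placeholder form that passes, plus an allow-list for `Order()`, whose column name cannot be bound with `?`. It models only the string construction (no gin or gorm import) so it runs stand-alone; `unsafeWhere`, `safeWhere`, `safeOrder` and `leaksInput` are names assumed here.

```go
package main

import (
	"fmt"
	"strings"
)

// Shape the rule flags: a value that arrived via c.Query is concatenated
// into the string handed to db.Where. The real call would be
// db.Where(unsafeWhere(name)).Find(&users).
func unsafeWhere(name string) string {
	return "name = '" + name + "'"
}

// Hardened shape: the SQL text is a constant and the user value only
// travels in args, which GORM binds as a query parameter. The real
// call would be db.Where(query, args...).Find(&users).
func safeWhere(name string) (query string, args []any) {
	return "name = ?", []any{name}
}

// Order is also a sink, and a column name cannot be bound with ?, so the
// hardened shape is an allow-list of column names known to the code.
var orderableColumns = map[string]bool{"name": true, "created_at": true}

func safeOrder(col string) (string, bool) {
	if !orderableColumns[col] {
		return "", false
	}
	return col + " ASC", true
}

// leaksInput reports whether the user value ended up inside the SQL text,
// which is the source-to-sink flow the rule tracks.
func leaksInput(query, userValue string) bool {
	return strings.Contains(query, userValue)
}

func main() {
	// Constructed input: an ordinary value containing a quote is enough
	// to change the structure of the concatenated query.
	name := "O'Brien"
	fmt.Println("unsafe:", unsafeWhere(name), "leaks:", leaksInput(unsafeWhere(name), name))
	q, args := safeWhere(name)
	fmt.Println("safe:", q, args, "leaks:", leaksInput(q, name))
	if _, ok := safeOrder("unknown_col"); !ok {
		fmt.Println("order column rejected by allow-list")
	}
}
```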
```
require gorm.io/gorm v1.25.5
```

```python
from codepathfinder.go_rule import GoGormDB
```