Databases

GoSqlxDB

Represents sqlx.DB and sqlx.Tx from the sqlx library, which extends database/sql with struct scanning. Unsafe query methods (QueryUnsafe, GetUnsafe) and raw string methods are injection sinks.

Summary: 0 taint sources, 4 sinks (dangerous calls).

Sinks: .Query(), .Exec(), .Queryx(), .Get()

Sinks

.Query() (sink)

  Signature: Query(query string, args ...any) (*sql.Rows, error)

  Executes a raw SQL query. Sink when the query string contains user input.

  Tracked argument index: 0 (query)

.Exec() (sink)

  Signature: Exec(query string, args ...any) (sql.Result, error)

  Executes raw SQL DML. Sink when the query string contains user input.

  Tracked argument index: 0 (query)

.Queryx() (sink)

  Signature: Queryx(query string, args ...any) (*sqlx.Rows, error)

  Like Query but returns sqlx.Rows. Same injection risk.

  Tracked argument index: 0 (query)

.Get() (sink)

  Signature: Get(dest any, query string, args ...any) error

  Executes the query and scans the result into dest. The query argument is the injection sink.

  Tracked argument index: 1 (query)

Fully-Qualified Names

FQN                          Field
github.com/jmoiron/sqlx.DB   fqns[0]
github.com/jmoiron/sqlx.Tx   fqns[1]
*.DB                         patterns
*.Tx                         patterns

A wrong FQN yields 0 findings. To verify that the FQN is actually being matched, change fqns to a garbage value; the rule must then produce 0 results.

Import

go.mod:
  require github.com/jmoiron/sqlx v1.3.5

rule.py:
  from codepathfinder.go_rule import GoSqlxDB

Rules Using This Class