From da108721c5dc0624521b93ee62528568e18a280f Mon Sep 17 00:00:00 2001
From: Matthew Sykes
Date: Fri, 25 Aug 2023 21:33:37 -0400
Subject: [PATCH] Disable ts injections in import strings (#371)
Import paths like 'database/sql' are string literals and activate the SQL injection. Adding a #not-has-ancestor predicate for import_declaration prevents this.
---
after/queries/go/injections.scm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/after/queries/go/injections.scm b/after/queries/go/injections.scm
index 403f7b3..dcdc48c 100644
--- a/after/queries/go/injections.scm
+++ b/after/queries/go/injections.scm
@@ -19,6 +19,7 @@ (interpreted_string_literal) (raw_string_literal) ] @sql
+ (#not-has-ancestor? @sql import_declaration)
(#match? @sql "(SELECT|select|INSERT|insert|UPDATE|update|DELETE|delete).+(FROM|from|INTO|into|VALUES|values|SET|set).*(WHERE|where|GROUP BY|group by)?") (#offset! @sql 0 1 0 -1))
@@ -29,6 +30,7 @@ (interpreted_string_literal) (raw_string_literal) ] @sql
+ (#not-has-ancestor? @sql import_declaration)
(#contains? @sql "-- sql" "--sql" "ADD CONSTRAINT" "ALTER TABLE" "ALTER COLUMN" "DATABASE" "FOREIGN KEY" "GROUP BY" "HAVING" "CREATE INDEX" "INSERT INTO" "NOT NULL" "PRIMARY KEY" "UPDATE SET" "TRUNCATE TABLE" "LEFT JOIN" "add constraint" "alter table" "alter column" "database" "foreign key" "group by" "having" "create index" "insert into"
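Review bot: The added `(#not-has-ancestor? @sql import_declaration)` line in the first pattern (and the identical line in the second hunk) has no comment saying why imports are excluded. A query comment above it, such as `; import paths like "database/sql" are string literals too; keep them out of the SQL injection`, would stop a later cleanup from dropping the predicate. The exclusion is keyed on ancestry only, so other non-SQL strings that contain the bare keywords in the second pattern's `#contains?` list (`"database"`, `"having"`) would presumably still be highlighted as SQL, which may be worth a follow-up. Both patterns begin above their hunks, and the second hunk is cut off in this view.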