From 2b4ebf7377bbd51a863da82b4dbad23bf3a6ca21 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Wed, 22 Mar 2023 15:08:53 +0100
Subject: [PATCH] Python: Add support for `.executescript`

---
 python/ql/lib/semmle/python/frameworks/PEP249.qll | 7 ++++---
 python/ql/test/library-tests/frameworks/stdlib/pep249.py | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/python/ql/lib/semmle/python/frameworks/PEP249.qll b/python/ql/lib/semmle/python/frameworks/PEP249.qll
index b365cb83dc1..c385739ad40 100644
--- a/python/ql/lib/semmle/python/frameworks/PEP249.qll
+++ b/python/ql/lib/semmle/python/frameworks/PEP249.qll
@@ -49,11 +49,12 @@ module PEP249 {
   }
 
   private string getSqlKwargName() {
-    result in ["sql", "statement", "operation", "query", "query_string"]
+    result in ["sql", "statement", "operation", "query", "query_string", "sql_script"]
   }
 
   /**
-   * A call to `execute` or `executemany` method on a database cursor or a connection.
+   * A call to an execute method on a database cursor or a connection, such as `execute`
+   * or `executemany`.
    *
    * See
    * - https://peps.python.org/pep-0249/#execute
@@ -67,7 +68,7 @@ module PEP249 {
       exists(API::Node start |
         start instanceof DatabaseCursor or start instanceof DatabaseConnection
       |
-        this = start.getMember(["execute", "executemany"]).getACall()
+        this = start.getMember(["execute", "executemany", "executescript"]).getACall()
       )
     }
 
diff --git a/python/ql/test/library-tests/frameworks/stdlib/pep249.py b/python/ql/test/library-tests/frameworks/stdlib/pep249.py
index 45c5a496bd7..6f601f5b6c2 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/pep249.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/pep249.py
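Review bot: The rewritten doc comment on the execute-call class still names only `execute` and `executemany`, while the `"sql_script"` kwarg added to `getSqlKwargName` exists solely for `executescript`, a sqlite3 extension that is not part of PEP 249, so a reader of this model never learns where that name comes from. I would finish the sentence as `* or `executemany`, and the sqlite3-specific `executescript` (not in PEP 249), which takes a whole script as one string and offers no parameter binding`, and add the sqlite3 `executescript` documentation link next to the PEP 249 ones in the `See` list. The no-parameter-binding point is the security-relevant one: taint reaching that argument is by construction a concatenated-SQL sink, and anyone tuning the SQL-injection query will want that stated. The `See` list continues past the end of this hunk.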
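Review bot: The added `"executescript"` entry on the `getMember` line groups a sqlite3-only method with the two PEP 249 methods without saying why the list now differs from the PEP, which is the first thing the next person adding a driver-specific method will wonder about. A one-line comment above it, `// `executescript` is a sqlite3 extension (not PEP 249): one script string, no parameter binding`, would keep the model honest. The characteristic predicate and its class begin before this hunk, so I cannot see how `getSql()` resolves the argument; the test hunk suggests both the positional and the `sql_script=` form are already picked up, but I have not verified that here.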
@@ -6,8 +6,8 @@
 db.execute("some sql", (42,)) # $ getSql="some sql"
 cursor = db.cursor()
 cursor.execute("some sql", (42,)) # $ getSql="some sql"
-cursor.executescript("sql") # $ MISSING: getSql="sql"
-cursor.executescript(sql_script="sql") # $ MISSING: getSql="sql"
+cursor.executescript("sql") # $ getSql="sql"
+cursor.executescript(sql_script="sql") # $ getSql="sql"
 
 import sqlite3.dbapi2
 conn = sqlite3.dbapi2.connect()
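Review bot: The two new expectations exercise `executescript` only on a cursor, but the model change matches it on `DatabaseConnection` as well, and sqlite3's `Connection.executescript` shortcut is the more common call site in application code. `db` in this file is a connection (it is the receiver of `db.cursor()`), so one extra line, `db.executescript("sql") # $ getSql="sql"`, would cover the path that is currently untested. Separately, the keyword form `cursor.executescript(sql_script="sql")` is, if I read the sqlite3 docs correctly, rejected on CPython 3.11+ where the parameter became positional-only; accepting the kwarg in the model is harmless, but a short comment on that line noting it is a legacy-only spelling would stop someone from "fixing" the test later.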