Python: Add modeling of PyMySQL

python/change-notes/2020-12-14-add-PyMySQL-model.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added model of `PyMySQL` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.

python/ql/src/semmle/python/Frameworks.qll

@@ -7,8 +7,9 @@ private import semmle.python.frameworks.Django
 private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
 private import semmle.python.frameworks.Invoke
-private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.MysqlConnectorPython
+private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Psycopg2
+private import semmle.python.frameworks.PyMySQL
 private import semmle.python.frameworks.Stdlib
 private import semmle.python.frameworks.Yaml

python/ql/src/semmle/python/frameworks/PyMySQL.qll

@@ -0,0 +1,32 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `PyMySQL` PyPI package.
+ * See https://pypi.org/project/PyMySQL/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import PEP249
+
+/**
+ * Provides models for the `PyMySQL` PyPI package.
+ * See https://pypi.org/project/PyMySQL/
+ */
+private module PyMySQL {
+  /** Gets a reference to the `pymysql` module. */
+  private DataFlow::Node pymysql(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("pymysql")
+    or
+    exists(DataFlow::TypeTracker t2 | result = pymysql(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `pymysql` module. */
+  DataFlow::Node pymysql() { result = pymysql(DataFlow::TypeTracker::end()) }
+
+  /** PyMySQL implements PEP 249, providing ways to execute SQL statements against a database. */
+  class PyMySQLPEP249 extends PEP249Module {
+    PyMySQLPEP249() { this = pymysql() }
+  }
+}

python/ql/test/experimental/library-tests/frameworks/pymysql/pep249.py

@@ -2,4 +2,4 @@ import pymysql
 connection = pymysql.connect(host="localhost", user="user", password="passwd")
 
 cursor = connection.cursor()
-cursor.execute("some sql", (42,))  # $ MISSING: getSql="some sql"
+cursor.execute("some sql", (42,))  # $ getSql="some sql"