Python: Add support for pymssql package

I also forgot to mention `PyMySQL` in frameworks.rst
2025-12-18 09:43:15 +01:00 · 2022-10-10 13:58:21 +02:00
parent b1d33a404c
commit 4ee71ae4a1
7 changed files with 40 additions and 0 deletions
--- a/python/ql/lib/semmle/python/Frameworks.qll
+++ b/python/ql/lib/semmle/python/Frameworks.qll
@@ -37,6 +37,7 @@ private import semmle.python.frameworks.Peewee
 private import semmle.python.frameworks.Psycopg2
 private import semmle.python.frameworks.Pycurl
 private import semmle.python.frameworks.Pydantic
+private import semmle.python.frameworks.Pymssql
 private import semmle.python.frameworks.PyMySQL
 private import semmle.python.frameworks.Requests
 private import semmle.python.frameworks.RestFramework
--- a/python/ql/lib/semmle/python/frameworks/Pymssql.qll
+++ b/python/ql/lib/semmle/python/frameworks/Pymssql.qll
@@ -0,0 +1,25 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `pymssql` PyPI package.
+ * See https://pypi.org/project/pymssql/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `pymssql` PyPI package.
+ * See https://pypi.org/project/pymssql/
+ */
+private module Pymssql {
+  /**
+   * A model of `pymssql` as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class PymssqlPEP249 extends PEP249::PEP249ModuleApiNode {
+    PymssqlPEP249() { this = API::moduleImport("pymssql") }
+  }
+}
--- a/python/ql/src/change-notes/2022-10-10-pymssql-modeling.md
+++ b/python/ql/src/change-notes/2022-10-10-pymssql-modeling.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added model of `pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
--- a/python/ql/test/library-tests/frameworks/pymssql/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/pymssql/ConceptsTest.expected
--- a/python/ql/test/library-tests/frameworks/pymssql/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/pymssql/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/library-tests/frameworks/pymssql/pep249.py
+++ b/python/ql/test/library-tests/frameworks/pymssql/pep249.py
@@ -0,0 +1,6 @@
+import pymssql
+connection = pymssql.connect(host="localhost", user="user", password="passwd")
+
+cursor = connection.cursor()
+cursor.execute("some sql", (42,))  # $ getSql="some sql"
+cursor.executemany("some sql", [(42,)])  # $ MISSING: getSql="some sql"