Merge pull request #5680 from mrthankyou/python-use-sqlalchemy

Python: Add SqlAlchemy model
2025-12-18 01:33:15 +01:00 · 2021-07-22 15:31:39 +02:00
parent f6f9c8af65 9e01338500
commit 802d9bda83
8 changed files with 258 additions and 0 deletions
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -146,3 +146,36 @@ class LDAPEscape extends DataFlow::Node {
   */
  DataFlow::Node getAnInput() { result = range.getAnInput() }
 }
+
+/** Provides classes for modeling SQL sanitization libraries. */
+module SQLEscape {
+  /**
+   * A data-flow node that collects functions that escape SQL statements.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `SQLEscape` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /**
+     * Gets the argument containing the raw SQL statement.
+     */
+    abstract DataFlow::Node getAnInput();
+  }
+}
+
+/**
+ * A data-flow node that collects functions escaping SQL statements.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `SQLEscape::Range` instead.
+ */
+class SQLEscape extends DataFlow::Node {
+  SQLEscape::Range range;
+
+  SQLEscape() { this = range }
+
+  /**
+   * Gets the argument containing the raw SQL statement.
+   */
+  DataFlow::Node getAnInput() { result = range.getAnInput() }
+}
--- a/python/ql/src/experimental/semmle/python/frameworks/SqlAlchemy.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/SqlAlchemy.qll
@@ -0,0 +1,148 @@
+/**
+ * Provides classes modeling security-relevant aspects of the 'SqlAlchemy' package.
+ * See https://pypi.org/project/SQLAlchemy/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+private import experimental.semmle.python.Concepts
+
+private module SqlAlchemy {
+  /**
+   * Returns an instantization of a SqlAlchemy Session object.
+   * See https://docs.sqlalchemy.org/en/14/orm/session_api.html#sqlalchemy.orm.Session and
+   * https://docs.sqlalchemy.org/en/14/orm/session_api.html#sqlalchemy.orm.sessionmaker
+   */
+  private API::Node getSqlAlchemySessionInstance() {
+    result = API::moduleImport("sqlalchemy.orm").getMember("Session").getReturn() or
+    result = API::moduleImport("sqlalchemy.orm").getMember("sessionmaker").getReturn().getReturn()
+  }
+
+  /**
+   * Returns an instantization of a SqlAlchemy Engine object.
+   * See https://docs.sqlalchemy.org/en/14/core/engines.html#sqlalchemy.create_engine
+   */
+  private API::Node getSqlAlchemyEngineInstance() {
+    result = API::moduleImport("sqlalchemy").getMember("create_engine").getReturn()
+  }
+
+  /**
+   * Returns an instantization of a SqlAlchemy Query object.
+   * See https://docs.sqlalchemy.org/en/14/orm/query.html?highlight=query#sqlalchemy.orm.Query
+   */
+  private API::Node getSqlAlchemyQueryInstance() {
+    result = getSqlAlchemySessionInstance().getMember("query").getReturn()
+  }
+
+  /**
+   * A call to `execute` meant to execute an SQL expression
+   * See the following links:
+   *   - https://docs.sqlalchemy.org/en/14/core/connections.html?highlight=execute#sqlalchemy.engine.Connection.execute
+   *   - https://docs.sqlalchemy.org/en/14/core/connections.html?highlight=execute#sqlalchemy.engine.Engine.execute
+   *   - https://docs.sqlalchemy.org/en/14/orm/session_api.html?highlight=execute#sqlalchemy.orm.Session.execute
+   */
+  private class SqlAlchemyExecuteCall extends DataFlow::CallCfgNode, SqlExecution::Range {
+    SqlAlchemyExecuteCall() {
+      // new way
+      this = getSqlAlchemySessionInstance().getMember("execute").getACall() or
+      this =
+        getSqlAlchemyEngineInstance()
+            .getMember(["connect", "begin"])
+            .getReturn()
+            .getMember("execute")
+            .getACall()
+    }
+
+    override DataFlow::Node getSql() { result = this.getArg(0) }
+  }
+
+  /**
+   * A call to `scalar` meant to execute an SQL expression
+   * See https://docs.sqlalchemy.org/en/14/orm/session_api.html#sqlalchemy.orm.Session.scalar and
+   * https://docs.sqlalchemy.org/en/14/core/connections.html?highlight=scalar#sqlalchemy.engine.Engine.scalar
+   */
+  private class SqlAlchemyScalarCall extends DataFlow::CallCfgNode, SqlExecution::Range {
+    SqlAlchemyScalarCall() {
+      this =
+        [getSqlAlchemySessionInstance(), getSqlAlchemyEngineInstance()]
+            .getMember("scalar")
+            .getACall()
+    }
+
+    override DataFlow::Node getSql() { result = this.getArg(0) }
+  }
+
+  /**
+   * A call on a Query object
+   * See https://docs.sqlalchemy.org/en/14/orm/query.html?highlight=query#sqlalchemy.orm.Query
+   */
+  private class SqlAlchemyQueryCall extends DataFlow::CallCfgNode, SqlExecution::Range {
+    SqlAlchemyQueryCall() {
+      this =
+        getSqlAlchemyQueryInstance()
+            .getMember(any(SqlAlchemyVulnerableMethodNames methodName))
+            .getACall()
+    }
+
+    override DataFlow::Node getSql() { result = this.getArg(0) }
+  }
+
+  /**
+   * This class represents a list of methods vulnerable to sql injection.
+   *
+   * See https://github.com/jty-team/codeql/pull/2#issue-611592361
+   */
+  private class SqlAlchemyVulnerableMethodNames extends string {
+    SqlAlchemyVulnerableMethodNames() { this in ["filter", "filter_by", "group_by", "order_by"] }
+  }
+
+  /**
+   * Additional taint-steps for `sqlalchemy.text()`
+   *
+   * See https://docs.sqlalchemy.org/en/14/core/sqlelement.html#sqlalchemy.sql.expression.text
+   * See https://docs.sqlalchemy.org/en/14/core/sqlelement.html#sqlalchemy.sql.expression.TextClause
+   */
+  class SqlAlchemyTextAdditionalTaintSteps extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      exists(DataFlow::CallCfgNode call |
+        (
+          call = API::moduleImport("sqlalchemy").getMember("text").getACall()
+          or
+          call = API::moduleImport("sqlalchemy").getMember("sql").getMember("text").getACall()
+          or
+          call =
+            API::moduleImport("sqlalchemy")
+                .getMember("sql")
+                .getMember("expression")
+                .getMember("text")
+                .getACall()
+          or
+          call =
+            API::moduleImport("sqlalchemy")
+                .getMember("sql")
+                .getMember("expression")
+                .getMember("TextClause")
+                .getACall()
+        ) and
+        nodeFrom in [call.getArg(0), call.getArgByName("text")] and
+        nodeTo = call
+      )
+    }
+  }
+
+  /**
+   * Gets a reference to `sqlescapy.sqlescape`.
+   *
+   * See https://pypi.org/project/sqlescapy/
+   */
+  class SQLEscapySanitizerCall extends DataFlow::CallCfgNode, SQLEscape::Range {
+    SQLEscapySanitizerCall() {
+      this = API::moduleImport("sqlescapy").getMember("sqlescape").getACall()
+    }
+
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+  }
+}