Merge pull request #19594 from sylwia-budzynska/pandas-sqli

Python: Add Pandas SQLi sinks

python/ql/lib/semmle/python/frameworks/Pandas.qll

@@ -151,4 +151,17 @@ private module Pandas {
 
     override DataFlow::Node getCode() { result = this.getParameter(0, "expr").asSink() }
   }
+
+  /**
+   * A Call to `pandas.read_sql` or `pandas.read_sql_query`
+   * which allows for executing raw SQL queries against a database.
+   * See https://pandas.pydata.org/docs/reference/api/pandas.read_sql.html
+   */
+  class ReadSqlCall extends SqlExecution::Range, DataFlow::CallCfgNode {
+    ReadSqlCall() {
+      this = API::moduleImport("pandas").getMember(["read_sql", "read_sql_query"]).getACall()
+    }
+
+    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("sql")] }
+  }
 }

python/ql/src/change-notes/2025-05-26-pandas-sqli-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added SQL injection models from the `pandas` PyPI package.

python/ql/test/library-tests/frameworks/pandas/dataframe_query.py

@@ -1,5 +1,5 @@
 import pandas as pd
-
+import sqlite3
 
 df = pd.DataFrame({'temp_c': [17.0, 25.0]}, index=['Portland', 'Berkeley'])
 df.sample().query("query")  # $getCode="query"
@@ -55,11 +55,12 @@ df = pd.read_sql_table("filepath", 'postgres:///db_name')
 df.query("query")  # $getCode="query"
 df.eval("query")  # $getCode="query"
 
-df = pd.read_sql_query("filepath", 'postgres:///db_name')
+connection = sqlite3.connect("pets.db")
+df = pd.read_sql_query("sql query", connection) # $getSql="sql query"
 df.query("query")  # $getCode="query"
 df.eval("query")  # $getCode="query"
 
-df = pd.read_sql("filepath", 'postgres:///db_name')
+df = pd.read_sql("sql query", connection) # $getSql="sql query"
 df.query("query")  # $getCode="query"
 df.eval("query")  # $getCode="query"