Python: Add taint-step for sqlalchemy.text

2026-04-30 11:15:13 +02:00 · 2021-06-29 11:06:25 +02:00
parent ef48734206
commit a5a7f3e38a
2 changed files with 38 additions and 4 deletions
--- a/python/ql/src/experimental/semmle/python/frameworks/SqlAlchemy.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/SqlAlchemy.qll
@@ -83,4 +83,38 @@ private module SqlAlchemy {

    override DataFlow::Node getSql() { result = this.getArg(0) }
  }
+
+  /**
+   * Additional taint-steps for `sqlalchemy.text()`
+   *
+   * See https://docs.sqlalchemy.org/en/14/core/sqlelement.html#sqlalchemy.sql.expression.text
+   * See https://docs.sqlalchemy.org/en/14/core/sqlelement.html#sqlalchemy.sql.expression.TextClause
+   */
+  class SqlAlchemyTextAdditionalTaintSteps extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      exists(DataFlow::CallCfgNode call |
+        (
+          call = API::moduleImport("sqlalchemy").getMember("text").getACall()
+          or
+          call = API::moduleImport("sqlalchemy").getMember("sql").getMember("text").getACall()
+          or
+          call =
+            API::moduleImport("sqlalchemy")
+                .getMember("sql")
+                .getMember("expression")
+                .getMember("text")
+                .getACall()
+          or
+          call =
+            API::moduleImport("sqlalchemy")
+                .getMember("sql")
+                .getMember("expression")
+                .getMember("TextClause")
+                .getACall()
+        ) and
+        nodeFrom in [call.getArg(0), call.getArgByName("text")] and
+        nodeTo = call
+      )
+    }
+  }
 }
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/taint_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/taint_test.py
@@ -5,8 +5,8 @@ def test_taint():

    ensure_tainted(
        ts, # $ tainted
-        sqlalchemy.text(ts), # $ MISSING: tainted
-        sqlalchemy.sql.text(ts),# $ MISSING: tainted
-        sqlalchemy.sql.expression.text(ts),# $ MISSING: tainted
-        sqlalchemy.sql.expression.TextClause(ts),# $ MISSING: tainted
+        sqlalchemy.text(ts), # $ tainted
+        sqlalchemy.sql.text(ts),# $ tainted
+        sqlalchemy.sql.expression.text(ts),# $ tainted
+        sqlalchemy.sql.expression.TextClause(ts),# $ tainted
    )