Python: Merge SQLAlchemy TextClause injection into py/sql-injection

As discussed in a meeting today, this will end up presenting an query suite that's easier to use for customers. Since https://github.com/github/codeql/pull/6589 has JUST been merged, if we get this change in fast enough, no end-user will ever have run `py/sqlalchemy-textclause-injection` as part of LGTM.com or Code Scanning.
2026-05-04 21:25:44 +02:00 · 2021-09-21 20:21:42 +02:00
parent d62f76afa6
commit a83bb39d0f
13 changed files with 55 additions and 245 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/SQLAlchemyTextClause.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SQLAlchemyTextClause.qll
@@ -1,35 +0,0 @@
-/**
- * Provides a taint-tracking configuration for detecting "SQLAlchemy TextClause injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `SQLAlchemyTextClause::Configuration` is needed, otherwise
- * `SQLAlchemyTextClauseCustomizations` should be imported instead.
- */
-
-private import python
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-
-/**
- * Provides a taint-tracking configuration for detecting "SQLAlchemy TextClause injection" vulnerabilities.
- */
-module SQLAlchemyTextClause {
-  import SQLAlchemyTextClauseCustomizations::SQLAlchemyTextClause
-
-  /**
-   * A taint-tracking configuration for detecting "SQLAlchemy TextClause injection" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "SQLAlchemyTextClause" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
-}
--- a/python/ql/lib/semmle/python/security/dataflow/SQLAlchemyTextClauseCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SQLAlchemyTextClauseCustomizations.qll
@@ -1,56 +0,0 @@
-/**
- * Provides default sources, sinks and sanitizers for detecting
- * "SQLAlchemy TextClause injection"
- * vulnerabilities, as well as extension points for adding your own.
- */
-
-private import python
-private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.Concepts
-private import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.dataflow.new.BarrierGuards
-private import semmle.python.frameworks.SqlAlchemy
-
-/**
- * Provides default sources, sinks and sanitizers for detecting
- * "SQLAlchemy TextClause injection"
- * vulnerabilities, as well as extension points for adding your own.
- */
-module SQLAlchemyTextClause {
-  /**
-   * A data flow source for "SQLAlchemy TextClause injection" vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for "SQLAlchemy TextClause injection" vulnerabilities.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for "SQLAlchemy TextClause injection" vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
-
-  /**
-   * A sanitizer guard for "SQLAlchemy TextClause injection" vulnerabilities.
-   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
-
-  /**
-   * A source of remote user input, considered as a flow source.
-   */
-  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
-
-  /**
-   * The text argument of a SQLAlchemy TextClause construction, considered as a flow sink.
-   */
-  class TextArgAsSink extends Sink {
-    TextArgAsSink() { this = any(SqlAlchemy::TextClause::TextClauseConstruction tcc).getTextArg() }
-  }
-
-  /**
-   * A comparison with a constant string, considered as a sanitizer-guard.
-   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
-}
--- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
@@ -9,6 +9,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.frameworks.SqlAlchemy

 /**
 * Provides default sources, sinks and sanitizers for detecting
@@ -48,6 +49,13 @@ module SqlInjection {
    SqlExecutionAsSink() { this = any(SqlExecution e).getSql() }
  }

+  /**
+   * The text argument of a SQLAlchemy TextClause construction, considered as a flow sink.
+   */
+  class TextArgAsSink extends Sink {
+    TextArgAsSink() { this = any(SqlAlchemy::TextClause::TextClauseConstruction tcc).getTextArg() }
+  }
+
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */