hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

deprecate SqlConstruction

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2022-05-01 17:57:48 +02:00
parent 6c67e51ec3
commit c0eca0d09a
15 changed files with 49 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
python/ql/test/library-tests/frameworks/sqlalchemy/new_tests.py
View File

@@ -6,7 +6,7 @@ import sqlalchemy.orm
# either v1.4 or v2.0, such that we cover both.
raw_sql = "select 'FOO'"
text_sql = sqlalchemy.text(raw_sql) # $ constructedSql=raw_sql
text_sql = sqlalchemy.text(raw_sql) # $ getSql=raw_sql
Base = sqlalchemy.orm.declarative_base()
@@ -176,7 +176,7 @@ assert session.query(For14).all()[0].id == 14
# and now we can do the actual querying
text_foo = sqlalchemy.text("'FOO'") # $ constructedSql="'FOO'"
text_foo = sqlalchemy.text("'FOO'") # $ getSql="'FOO'"
# filter_by is only vulnerable to injection if sqlalchemy.text is used, which is evident
# from the logs produced if this file is run
@@ -305,7 +305,7 @@ with engine.connect() as conn:
assert scalar_result == "FOO"
# This is a contrived example
select = sqlalchemy.select(sqlalchemy.text("'BAR'")) # $ constructedSql="'BAR'"
select = sqlalchemy.select(sqlalchemy.text("'BAR'")) # $ getSql="'BAR'"
result = conn.execute(select) # $ getSql=select
assert result.fetchall() == [("BAR",)]