Python: Add support for Psycopg2 database connection pools

Our current modelling only treated `psycopg2` insofar as it implemented PEP 249 (which does not define any notion of connection pool), which meant we were missing database connections that arose from such pools. With these changes, we add support for the three classes relating to database pools that are defined in `psycopg2`. (Note that `getAnInstance` automatically looks at subclasses, which means this should also handle cases where the user has defined a new subclass that inherits from one of these three classes.)
2025-12-16 16:53:25 +01:00 · 2025-08-25 12:35:57 +00:00
parent 88059d97c8
commit d5e0298999
2 changed files with 18 additions and 0 deletions
--- a/python/ql/lib/change-notes/2025-08-25-psycopg2-connection-pool-modelling.md
+++ b/python/ql/lib/change-notes/2025-08-25-psycopg2-connection-pool-modelling.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+- The modelling of Psycopg2 now supports the use of `psycopg2.pool` connection pools for handling database connections.
--- a/python/ql/lib/semmle/python/frameworks/Psycopg2.qll
+++ b/python/ql/lib/semmle/python/frameworks/Psycopg2.qll
@@ -29,4 +29,17 @@ private module Psycopg2 {
  class Psycopg2 extends PEP249::PEP249ModuleApiNode {
    Psycopg2() { this = API::moduleImport("psycopg2") }
  }
+
+  /** A database connection obtained from a psycopg2 connection pool. */
+  class Psycopg2ConnectionPoolMember extends PEP249::DatabaseConnection {
+    Psycopg2ConnectionPoolMember() {
+      this =
+        any(Psycopg2 p)
+            .getMember("pool")
+            .getMember(["SimpleConnectionPool", "ThreadedConnectionPool", "AbstractConnectionPool"])
+            .getAnInstance()
+            .getMember("getconn")
+            .getReturn()
+    }
+  }
 }