Add python cx_oracle, phoenixdb, pyodbc models

2025-12-24 04:36:35 +01:00 · 2022-10-11 15:29:57 +02:00
parent 7bcd247128
commit e41d79e37d
6 changed files with 19 additions and 0 deletions
--- a/python/ql/lib/semmle/python/Frameworks.qll
+++ b/python/ql/lib/semmle/python/Frameworks.qll
@@ -12,6 +12,7 @@ private import semmle.python.frameworks.Asyncpg
 private import semmle.python.frameworks.ClickhouseDriver
 private import semmle.python.frameworks.Cryptodome
 private import semmle.python.frameworks.Cryptography
+private import semmle.python.frameworks.Cx_Oracle
 private import semmle.python.frameworks.data.ModelsAsData
 private import semmle.python.frameworks.Dill
 private import semmle.python.frameworks.Django
@@ -34,10 +35,12 @@ private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql
 private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Peewee
+private import semmle.python.frameworks.Phoenixdb
 private import semmle.python.frameworks.Psycopg2
 private import semmle.python.frameworks.Pycurl
 private import semmle.python.frameworks.Pydantic
 private import semmle.python.frameworks.PyMySQL
+private import semmle.python.frameworks.Pyodbc
 private import semmle.python.frameworks.Requests
 private import semmle.python.frameworks.RestFramework
 private import semmle.python.frameworks.Rsa
--- a/python/ql/lib/semmle/python/frameworks/Pyodbc.qll
+++ b/python/ql/lib/semmle/python/frameworks/Pyodbc.qll
@@ -3,7 +3,11 @@
 *
 * See
 * - https://github.com/mkleehammer/pyodbc/wiki
+<<<<<<< HEAD
 * - https://pypi.org/project/pyodbc/ 
+=======
+ * - https://pypi.org/project/pyodbc/
+>>>>>>> 5352eb77cc (Add python cx_oracle, phoenixdb, pyodbc models)
 */

 private import python
--- a/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md
+++ b/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added model of `cx_Oracle`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
--- a/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.expected
--- a/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/library-tests/frameworks/cx_Oracle/pep249.py
+++ b/python/ql/test/library-tests/frameworks/cx_Oracle/pep249.py
@@ -0,0 +1,6 @@
+import cx_Oracle
+connection = cx_Oracle.connect(user="hr", password="pwd",
+                               dsn="dbhost.example.com/orclpdb1")
+
+cursor = connection.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"