hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Add test and fix filename

Browse Source
This commit is contained in:
Rasmus Lerchedahl Petersen
2020-10-14 20:18:29 +02:00
parent d76b2c0023
commit f17720f587
4 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
python/ql/src/experimental/Security-new-dataflow/CWE-089/SqlIjection.ql → python/ql/src/experimental/Security-new-dataflow/CWE-089/SqlInjection.ql
View File

3
python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-089/SqlInjection.expected Normal file
View File

@@ -0,0 +1,3 @@
edges
nodes
#select

1
python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-089/SqlInjection.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security-new-dataflow/CWE-089/SqlInjection.ql

40
python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-089/sql_injection.py Normal file
View File

@@ -0,0 +1,40 @@
"""This is copied from ql/python/ql/test/library-tests/web/django/test.py
and a only a slight extension of ql/python/ql/src/Security/CWE-089/examples/sql_injection.py
"""
from django.conf.urls import url
from django.db import connection, models
from django.db.models.expressions import RawSQL
class User(models.Model):
pass
def show_user(request, username):
with connection.cursor() as cursor:
# GOOD -- Using parameters
cursor.execute("SELECT * FROM users WHERE username = %s", username)
User.objects.raw("SELECT * FROM users WHERE username = %s", (username,))
# BAD -- Using string formatting
cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
# BAD -- other ways of executing raw SQL code with string interpolation
User.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % username))
User.objects.raw("insert into names_file ('name') values ('%s')" % username)
User.objects.extra("insert into names_file ('name') values ('%s')" % username)
# BAD (but currently no custom query to find this)
#
# It is exposed to SQL injection (https://docs.djangoproject.com/en/2.2/ref/models/querysets/#extra)
# For example, using name = "; DROP ALL TABLES -- "
# will result in SQL: SELECT * FROM name WHERE name = ''; DROP ALL TABLES -- ''
#
# This shouldn't be very widespread, since using a normal string will result in invalid SQL
# Using name = "example", will result in SQL: SELECT * FROM name WHERE name = ''example''
# which in MySQL will give a syntax error
#
# When testing this out locally, none of the queries worked against SQLite3, but I could use
# the SQL injection against MySQL.
User.objects.raw("SELECT * FROM users WHERE username = '%s'", (username,))
urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]