Merge pull request #10778 from sylwia-budzynska/python-db-models

Python: Add cx_Oracle, phoenixdb, pyodbc models

python/ql/lib/semmle/python/Frameworks.qll

@@ -12,6 +12,7 @@ private import semmle.python.frameworks.Asyncpg
 private import semmle.python.frameworks.ClickhouseDriver
 private import semmle.python.frameworks.Cryptodome
 private import semmle.python.frameworks.Cryptography
+private import semmle.python.frameworks.Cx_Oracle
 private import semmle.python.frameworks.data.ModelsAsData
 private import semmle.python.frameworks.Dill
 private import semmle.python.frameworks.Django
@@ -33,12 +34,15 @@ private import semmle.python.frameworks.MarkupSafe
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql
 private import semmle.python.frameworks.MySQLdb
+private import semmle.python.frameworks.Oracledb
 private import semmle.python.frameworks.Peewee
+private import semmle.python.frameworks.Phoenixdb
 private import semmle.python.frameworks.Psycopg2
 private import semmle.python.frameworks.Pycurl
 private import semmle.python.frameworks.Pydantic
 private import semmle.python.frameworks.Pymssql
 private import semmle.python.frameworks.PyMySQL
+private import semmle.python.frameworks.Pyodbc
 private import semmle.python.frameworks.Requests
 private import semmle.python.frameworks.RestFramework
 private import semmle.python.frameworks.Rsa

python/ql/lib/semmle/python/frameworks/Cx_Oracle.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `cx_Oracle` PyPI package.
+ *
+ * See
+ * - https://github.com/oracle/python-cx_Oracle
+ * - https://pypi.org/project/cx-Oracle/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `cx_Oracle` PyPI package.
+ *
+ * See
+ * - https://github.com/oracle/python-cx_Oracle
+ * - https://pypi.org/project/cx-Oracle/
+ */
+private module Cx_Oracle {
+  /**
+   * A model for Cx_Oracle as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class Cx_Oracle extends PEP249::PEP249ModuleApiNode {
+    Cx_Oracle() { this = API::moduleImport("cx_Oracle") }
+  }
+}

python/ql/lib/semmle/python/frameworks/Oracledb.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `oracledb` PyPI package.
+ *
+ * See
+ * - https://python-oracledb.readthedocs.io/en/latest/index.html
+ * - https://pypi.org/project/oracledb/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `oracledb` PyPI package.
+ *
+ * See
+ * - https://python-oracledb.readthedocs.io/en/latest/index.html
+ * - https://pypi.org/project/oracledb/
+ */
+private module Oracledb {
+  /**
+   * A model for oracledb as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class Oracledb extends PEP249::PEP249ModuleApiNode {
+    Oracledb() { this = API::moduleImport("oracledb") }
+  }
+}

python/ql/lib/semmle/python/frameworks/Phoenixdb.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `phoenixdb` PyPI package.
+ *
+ * See
+ * - https://github.com/apache/phoenix-queryserver/tree/master/python-phoenixdb
+ * - https://pypi.org/project/phoenixdb/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `phoenixdb` PyPI package.
+ *
+ * See
+ * - https://github.com/apache/phoenix-queryserver/tree/master/python-phoenixdb
+ * - https://pypi.org/project/phoenixdb/
+ */
+private module Phoenixdb {
+  /**
+   * A model for Phoenixdb as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class Phoenixdb extends PEP249::PEP249ModuleApiNode {
+    Phoenixdb() { this = API::moduleImport("phoenixdb") }
+  }
+}

python/ql/lib/semmle/python/frameworks/Pyodbc.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `pyodbc` PyPI package.
+ *
+ * See
+ * - https://github.com/mkleehammer/pyodbc/wiki
+ * - https://pypi.org/project/pyodbc/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `pyodbc` PyPI package.
+ *
+ * See
+ * - https://github.com/mkleehammer/pyodbc/wiki
+ * - https://pypi.org/project/pyodbc/
+ */
+private module Pyodbc {
+  /**
+   * A model for Pyodbc as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class Pyodbc extends PEP249::PEP249ModuleApiNode {
+    Pyodbc() { this = API::moduleImport("pyodbc") }
+  }
+}

python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added model of `cx_Oracle`, `oracledb`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.

python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/cx_Oracle/pep249.py

@@ -0,0 +1,6 @@
+import cx_Oracle
+connection = cx_Oracle.connect(user="hr", password="pwd",
+                               dsn="dbhost.example.com/orclpdb1")
+
+cursor = connection.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"

python/ql/test/library-tests/frameworks/oracledb/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/oracledb/pep249.py

@@ -0,0 +1,5 @@
+import oracledb
+
+connection = oracledb.connect(user="username", password="password", dsn="connectstring")
+cursor = connection.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"

python/ql/test/library-tests/frameworks/phoenixdb/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/phoenixdb/pep249.py

@@ -0,0 +1,8 @@
+import phoenixdb
+import phoenixdb.cursor
+
+database_url = 'http://localhost:8765/'
+conn = phoenixdb.connect(database_url, autocommit=True)
+
+cursor = conn.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"

python/ql/test/library-tests/frameworks/pyodbc/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/pyodbc/pep249.py

@@ -0,0 +1,6 @@
+import pyodbc
+
+cnxn = pyodbc.connect('DSN=test;PWD=password')
+
+cursor = cnxn.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"