import asyncio import asyncpg async def test_connection(): conn = await asyncpg.connect() try: # The file-like object is passed in as a keyword-only argument. # See https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.connection.Connection.copy_from_query await conn.copy_from_query("sql", output="filepath") # $ mad-sink[sql-injection]="sql" mad-sink[path-injection]="filepath" await conn.copy_from_query("sql", "arg1", "arg2", output="filepath") # $ mad-sink[sql-injection]="sql" mad-sink[path-injection]="filepath" await conn.copy_from_table("table", output="filepath") # $ mad-sink[path-injection]="filepath" await conn.copy_to_table("table", source="filepath") # $ mad-sink[path-injection]="filepath" await conn.execute("sql") # $ mad-sink[sql-injection]="sql" await conn.executemany("sql") # $ mad-sink[sql-injection]="sql" await conn.fetch("sql") # $ mad-sink[sql-injection]="sql" await conn.fetchrow("sql") # $ mad-sink[sql-injection]="sql" await conn.fetchval("sql") # $ mad-sink[sql-injection]="sql" finally: await conn.close() conn = await asyncpg.connection.connect() conn.execute("sql") # $ mad-sink[sql-injection]="sql" async def test_prepared_statement(): conn = await asyncpg.connect() try: pstmt = await conn.prepare("psql") # $ mad-sink[sql-injection]="psql" pstmt.executemany() pstmt.fetch() pstmt.fetchrow() pstmt.fetchval() finally: await conn.close() # The sql statement is executed when the `CursorFactory` (obtained by e.g. `conn.cursor()`) is awaited. # See https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.cursor.CursorFactory async def test_cursor(): conn = await asyncpg.connect() try: async with conn.transaction(): cursor = await conn.cursor("sql") # $ getSql="sql" constructedSql="sql" await cursor.fetch() pstmt = await conn.prepare("psql") # $ mad-sink[sql-injection]="psql" pcursor = await pstmt.cursor() # $ getSql="psql" await pcursor.fetch() async for record in conn.cursor("sql"): # $ getSql="sql" constructedSql="sql" pass async for record in pstmt.cursor(): # $ getSql="psql" pass cursor_factory = conn.cursor("sql") # $ constructedSql="sql" cursor = await cursor_factory # $ getSql="sql" pcursor_factory = pstmt.cursor() pcursor = await pcursor_factory # $ getSql="psql" finally: await conn.close() async def test_connection_pool(): pool = await asyncpg.create_pool() try: await pool.copy_from_query("sql", output="filepath") # $ mad-sink[sql-injection]="sql" mad-sink[path-injection]="filepath" await pool.copy_from_query("sql", "arg1", "arg2", output="filepath") # $ mad-sink[sql-injection]="sql" mad-sink[path-injection]="filepath" await pool.copy_from_table("table", output="filepath") # $ mad-sink[path-injection]="filepath" await pool.copy_to_table("table", source="filepath") # $ mad-sink[path-injection]="filepath" await pool.execute("sql") # $ mad-sink[sql-injection]="sql" await pool.executemany("sql") # $ mad-sink[sql-injection]="sql" await pool.fetch("sql") # $ mad-sink[sql-injection]="sql" await pool.fetchrow("sql") # $ mad-sink[sql-injection]="sql" await pool.fetchval("sql") # $ mad-sink[sql-injection]="sql" async with pool.acquire() as conn: await conn.execute("sql") # $ mad-sink[sql-injection]="sql" conn = await pool.acquire() try: await conn.fetch("sql") # $ mad-sink[sql-injection]="sql" finally: await pool.release(conn) finally: await pool.close() async with asyncpg.create_pool() as pool: await pool.execute("sql") # $ mad-sink[sql-injection]="sql" async with pool.acquire() as conn: await conn.execute("sql") # $ mad-sink[sql-injection]="sql" conn = await pool.acquire() try: await conn.fetch("sql") # $ mad-sink[sql-injection]="sql" finally: await pool.release(conn)