Python: Add support for pymssql package

RasmusWL · RasmusWL · commit 4ee71ae4a10b · 2022-10-10T14:02:40.000+02:00
I also forgot to mention `PyMySQL` in frameworks.rst
diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
@@ -226,6 +226,8 @@ and the CodeQL library pack ``codeql/python-all`` (`changelog <https://github.co
    MySQL-python, Database
    mysqlclient, Database
    psycopg2, Database
+   pymssql, Database
+   PyMySQL, Database
    sqlite3, Database
    Flask-SQLAlchemy, Database ORM
    peewee, Database ORM
diff --git a/python/ql/lib/semmle/python/Frameworks.qll b/python/ql/lib/semmle/python/Frameworks.qll
@@ -37,6 +37,7 @@ private import semmle.python.frameworks.Peewee
 private import semmle.python.frameworks.Psycopg2
 private import semmle.python.frameworks.Pycurl
 private import semmle.python.frameworks.Pydantic
+private import semmle.python.frameworks.Pymssql
 private import semmle.python.frameworks.PyMySQL
 private import semmle.python.frameworks.Requests
 private import semmle.python.frameworks.RestFramework
diff --git a/python/ql/lib/semmle/python/frameworks/Pymssql.qll b/python/ql/lib/semmle/python/frameworks/Pymssql.qll
@@ -0,0 +1,25 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `pymssql` PyPI package.
+ * See https://pypi.org/project/pymssql/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `pymssql` PyPI package.
+ * See https://pypi.org/project/pymssql/
+ */
+private module Pymssql {
+  /**
+   * A model of `pymssql` as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class PymssqlPEP249 extends PEP249::PEP249ModuleApiNode {
+    PymssqlPEP249() { this = API::moduleImport("pymssql") }
+  }
+}
diff --git a/python/ql/src/change-notes/2022-10-10-pymssql-modeling.md b/python/ql/src/change-notes/2022-10-10-pymssql-modeling.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added model of `pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
diff --git a/python/ql/test/library-tests/frameworks/pymssql/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/pymssql/ConceptsTest.expected
diff --git a/python/ql/test/library-tests/frameworks/pymssql/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/pymssql/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/pymssql/pep249.py b/python/ql/test/library-tests/frameworks/pymssql/pep249.py
@@ -0,0 +1,6 @@
+import pymssql
+connection = pymssql.connect(host="localhost", user="user", password="passwd")
+
+cursor = connection.cursor()
+cursor.execute("some sql", (42,))  # $ getSql="some sql"
+cursor.executemany("some sql", [(42,)])  # $ MISSING: getSql="some sql"

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added model of `pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import python`
	`2`	`+import experimental.meta.ConceptsTest`