Python: Model executemany on PEP-249 DB APIs

RasmusWL · RasmusWL · commit dba42d6bb8b0 · 2022-10-10T14:16:47.000+02:00
Note: I kept the modeling using the old approach with type-trackers
instead of `DataFlow::MethodCallNode`.

I would like a meta query for DCA to show sinks before doing this, so I
can be absolutely sure we don't loose out on any important sinks on
this... so will postpone this work to a small one-off task (added to my
todo list).
diff --git a/python/ql/lib/semmle/python/frameworks/internal/PEP249Impl.qll b/python/ql/lib/semmle/python/frameworks/internal/PEP249Impl.qll
@@ -178,4 +178,27 @@ module PEP249 {
 
     override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("sql")] }
   }
+
+  private DataFlow::TypeTrackingNode executemany(DataFlow::TypeTracker t) {
+    t.startInAttr("executemany") and
+    result in [Cursor::instance(), Connection::instance()]
+    or
+    exists(DataFlow::TypeTracker t2 | result = executemany(t2).track(t2, t))
+  }
+
+  private DataFlow::Node executemany() { executemany(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+  /**
+   * A call to the `executemany` method on a cursor or a connection.
+   *
+   * See https://peps.python.org/pep-0249/#executemany
+   *
+   * Note: While `executemany` method on a connection is not part of PEP249, if it is used, we
+   * recognize it as an alias for constructing a cursor and calling `executemany` on it.
+   */
+  private class ExecutemanyCall extends SqlExecution::Range, DataFlow::CallCfgNode {
+    ExecutemanyCall() { this.getFunction() = executemany() }
+
+    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("sql")] }
+  }
 }
diff --git a/python/ql/src/change-notes/2022-10-10-pep249-executemany-modeling.md b/python/ql/src/change-notes/2022-10-10-pep249-executemany-modeling.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added model of `executemany` calls on PEP-249 compliant Database APIs, resulting in additional sinks for `py/sql-injection`.
diff --git a/python/ql/test/library-tests/frameworks/pymssql/pep249.py b/python/ql/test/library-tests/frameworks/pymssql/pep249.py
@@ -3,4 +3,4 @@
 
 cursor = connection.cursor()
 cursor.execute("some sql", (42,))  # $ getSql="some sql"
-cursor.executemany("some sql", [(42,)])  # $ MISSING: getSql="some sql"
+cursor.executemany("some sql", [(42,)])  # $ getSql="some sql"
diff --git a/python/ql/test/library-tests/frameworks/pymysql/pep249.py b/python/ql/test/library-tests/frameworks/pymysql/pep249.py
@@ -3,3 +3,4 @@
 
 cursor = connection.cursor()
 cursor.execute("some sql", (42,))  # $ getSql="some sql"
+cursor.executemany("some sql", [(42,)])  # $ getSql="some sql"

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added model of `executemany` calls on PEP-249 compliant Database APIs, resulting in additional sinks for `py/sql-injection`.
Original file line number	Diff line number	Diff line change
`@@ -3,3 +3,4 @@`
`3`	`3`
`4`	`4`	`cursor = connection.cursor()`
`5`	`5`	`cursor.execute("some sql", (42,)) # $ getSql="some sql"`
	`6`	`+cursor.executemany("some sql", [(42,)]) # $ getSql="some sql"`