Add oracledb model

sylwia-budzynska · sylwia-budzynska · commit e291d61bc765 · 2022-10-13T18:08:47.000+02:00
diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
@@ -226,6 +226,7 @@ and the CodeQL library pack ``codeql/python-all`` (`changelog <https://github.co
    mysql-connector, Database
    MySQL-python, Database
    mysqlclient, Database
+   oracledb, Database
    phoenixdb, Database
    psycopg2, Database
    pyodbc, Database
diff --git a/python/ql/lib/semmle/python/Frameworks.qll b/python/ql/lib/semmle/python/Frameworks.qll
@@ -34,6 +34,7 @@ private import semmle.python.frameworks.MarkupSafe
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql
 private import semmle.python.frameworks.MySQLdb
+private import semmle.python.frameworks.Oracledb
 private import semmle.python.frameworks.Peewee
 private import semmle.python.frameworks.Phoenixdb
 private import semmle.python.frameworks.Psycopg2
diff --git a/python/ql/lib/semmle/python/frameworks/Oracledb.qll b/python/ql/lib/semmle/python/frameworks/Oracledb.qll
@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `oracledb` PyPI package.
+ *
+ * See
+ * - https://python-oracledb.readthedocs.io/en/latest/index.html
+ * - https://pypi.org/project/oracledb/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `oracledb` PyPI package.
+ *
+ * See
+ * - https://python-oracledb.readthedocs.io/en/latest/index.html
+ * - https://pypi.org/project/oracledb/
+ */
+private module Oracledb {
+  /**
+   * A model for oracledb as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class Oracledb extends PEP249::PEP249ModuleApiNode {
+    Oracledb() { this = API::moduleImport("oracledb") }
+  }
+}
diff --git a/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md b/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Added model of `cx_Oracle`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
+* Added model of `cx_Oracle`, `oracledb`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
diff --git a/python/ql/test/library-tests/frameworks/oracledb/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/oracledb/ConceptsTest.expected
diff --git a/python/ql/test/library-tests/frameworks/oracledb/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/oracledb/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/oracledb/pep249.py b/python/ql/test/library-tests/frameworks/oracledb/pep249.py
@@ -0,0 +1,5 @@
+import oracledb
+
+connection = oracledb.connect(user=u"username", password="password", dsn="connectstring")
+cursor = connection.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import python`
	`2`	`+import experimental.meta.ConceptsTest`