Add python cx_oracle, phoenixdb, pyodbc models

sylwia-budzynska · sylwia-budzynska · commit e41d79e37dbc · 2022-10-13T12:36:41.000+02:00
diff --git a/python/ql/lib/semmle/python/Frameworks.qll b/python/ql/lib/semmle/python/Frameworks.qll
@@ -12,6 +12,7 @@ private import semmle.python.frameworks.Asyncpg
 private import semmle.python.frameworks.ClickhouseDriver
 private import semmle.python.frameworks.Cryptodome
 private import semmle.python.frameworks.Cryptography
+private import semmle.python.frameworks.Cx_Oracle
 private import semmle.python.frameworks.data.ModelsAsData
 private import semmle.python.frameworks.Dill
 private import semmle.python.frameworks.Django
@@ -34,10 +35,12 @@ private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql
 private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Peewee
+private import semmle.python.frameworks.Phoenixdb
 private import semmle.python.frameworks.Psycopg2
 private import semmle.python.frameworks.Pycurl
 private import semmle.python.frameworks.Pydantic
 private import semmle.python.frameworks.PyMySQL
+private import semmle.python.frameworks.Pyodbc
 private import semmle.python.frameworks.Requests
 private import semmle.python.frameworks.RestFramework
 private import semmle.python.frameworks.Rsa
diff --git a/python/ql/lib/semmle/python/frameworks/Pyodbc.qll b/python/ql/lib/semmle/python/frameworks/Pyodbc.qll
@@ -3,7 +3,11 @@
  *
  * See
  * - https://github.com/mkleehammer/pyodbc/wiki
+<<<<<<< HEAD
  * - https://pypi.org/project/pyodbc/ 
+=======
+ * - https://pypi.org/project/pyodbc/
+>>>>>>> 5352eb77cc (Add python cx_oracle, phoenixdb, pyodbc models)
  */
 
 private import python
diff --git a/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md b/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added model of `cx_Oracle`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
diff --git a/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.expected
diff --git a/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/cx_Oracle/pep249.py b/python/ql/test/library-tests/frameworks/cx_Oracle/pep249.py
@@ -0,0 +1,6 @@
+import cx_Oracle
+connection = cx_Oracle.connect(user="hr", password="pwd",
+                               dsn="dbhost.example.com/orclpdb1")
+
+cursor = connection.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added model of `cx_Oracle`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import python`
	`2`	`+import experimental.meta.ConceptsTest`