Merge pull request github#10778 from sylwia-budzynska/python-db-models

RasmusWL · web-flow · commit fb49babc14d7 · 2022-10-14T10:49:24.000+02:00
Python: Add cx_Oracle, phoenixdb, pyodbc models
diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
@@ -221,11 +221,15 @@ and the CodeQL library pack ``codeql/python-all`` (`changelog <https://github.co
    aiopg, Database
    asyncpg, Database
    clickhouse-driver, Database
+   cx_Oracle, Database
    mysql-connector-python, Database
    mysql-connector, Database
    MySQL-python, Database
    mysqlclient, Database
+   oracledb, Database
+   phoenixdb, Database
    psycopg2, Database
+   pyodbc, Database
    pymssql, Database
    PyMySQL, Database
    sqlite3, Database
diff --git a/python/ql/lib/semmle/python/Frameworks.qll b/python/ql/lib/semmle/python/Frameworks.qll
@@ -12,6 +12,7 @@ private import semmle.python.frameworks.Asyncpg
 private import semmle.python.frameworks.ClickhouseDriver
 private import semmle.python.frameworks.Cryptodome
 private import semmle.python.frameworks.Cryptography
+private import semmle.python.frameworks.Cx_Oracle
 private import semmle.python.frameworks.data.ModelsAsData
 private import semmle.python.frameworks.Dill
 private import semmle.python.frameworks.Django
@@ -33,12 +34,15 @@ private import semmle.python.frameworks.MarkupSafe
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql
 private import semmle.python.frameworks.MySQLdb
+private import semmle.python.frameworks.Oracledb
 private import semmle.python.frameworks.Peewee
+private import semmle.python.frameworks.Phoenixdb
 private import semmle.python.frameworks.Psycopg2
 private import semmle.python.frameworks.Pycurl
 private import semmle.python.frameworks.Pydantic
 private import semmle.python.frameworks.Pymssql
 private import semmle.python.frameworks.PyMySQL
+private import semmle.python.frameworks.Pyodbc
 private import semmle.python.frameworks.Requests
 private import semmle.python.frameworks.RestFramework
 private import semmle.python.frameworks.Rsa
diff --git a/python/ql/lib/semmle/python/frameworks/Cx_Oracle.qll b/python/ql/lib/semmle/python/frameworks/Cx_Oracle.qll
@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `cx_Oracle` PyPI package.
+ *
+ * See
+ * - https://github.com/oracle/python-cx_Oracle
+ * - https://pypi.org/project/cx-Oracle/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `cx_Oracle` PyPI package.
+ *
+ * See
+ * - https://github.com/oracle/python-cx_Oracle
+ * - https://pypi.org/project/cx-Oracle/
+ */
+private module Cx_Oracle {
+  /**
+   * A model for Cx_Oracle as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class Cx_Oracle extends PEP249::PEP249ModuleApiNode {
+    Cx_Oracle() { this = API::moduleImport("cx_Oracle") }
+  }
+}
diff --git a/python/ql/lib/semmle/python/frameworks/Oracledb.qll b/python/ql/lib/semmle/python/frameworks/Oracledb.qll
@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `oracledb` PyPI package.
+ *
+ * See
+ * - https://python-oracledb.readthedocs.io/en/latest/index.html
+ * - https://pypi.org/project/oracledb/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `oracledb` PyPI package.
+ *
+ * See
+ * - https://python-oracledb.readthedocs.io/en/latest/index.html
+ * - https://pypi.org/project/oracledb/
+ */
+private module Oracledb {
+  /**
+   * A model for oracledb as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class Oracledb extends PEP249::PEP249ModuleApiNode {
+    Oracledb() { this = API::moduleImport("oracledb") }
+  }
+}
diff --git a/python/ql/lib/semmle/python/frameworks/Phoenixdb.qll b/python/ql/lib/semmle/python/frameworks/Phoenixdb.qll
@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `phoenixdb` PyPI package.
+ *
+ * See
+ * - https://github.com/apache/phoenix-queryserver/tree/master/python-phoenixdb
+ * - https://pypi.org/project/phoenixdb/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `phoenixdb` PyPI package.
+ *
+ * See
+ * - https://github.com/apache/phoenix-queryserver/tree/master/python-phoenixdb
+ * - https://pypi.org/project/phoenixdb/
+ */
+private module Phoenixdb {
+  /**
+   * A model for Phoenixdb as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class Phoenixdb extends PEP249::PEP249ModuleApiNode {
+    Phoenixdb() { this = API::moduleImport("phoenixdb") }
+  }
+}
diff --git a/python/ql/lib/semmle/python/frameworks/Pyodbc.qll b/python/ql/lib/semmle/python/frameworks/Pyodbc.qll
@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `pyodbc` PyPI package.
+ *
+ * See
+ * - https://github.com/mkleehammer/pyodbc/wiki
+ * - https://pypi.org/project/pyodbc/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for the `pyodbc` PyPI package.
+ *
+ * See
+ * - https://github.com/mkleehammer/pyodbc/wiki
+ * - https://pypi.org/project/pyodbc/
+ */
+private module Pyodbc {
+  /**
+   * A model for Pyodbc as a module that implements PEP 249, providing ways to execute SQL statements
+   * against a database.
+   */
+  class Pyodbc extends PEP249::PEP249ModuleApiNode {
+    Pyodbc() { this = API::moduleImport("pyodbc") }
+  }
+}
diff --git a/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md b/python/ql/src/change-notes/2022-10-12-cx_oracle-phoenixdb-pyodbc-modeling.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added model of `cx_Oracle`, `oracledb`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
diff --git a/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.expected
diff --git a/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/cx_Oracle/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/cx_Oracle/pep249.py b/python/ql/test/library-tests/frameworks/cx_Oracle/pep249.py
@@ -0,0 +1,6 @@
+import cx_Oracle
+connection = cx_Oracle.connect(user="hr", password="pwd",
+                               dsn="dbhost.example.com/orclpdb1")
+
+cursor = connection.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"
diff --git a/python/ql/test/library-tests/frameworks/oracledb/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/oracledb/ConceptsTest.expected
diff --git a/python/ql/test/library-tests/frameworks/oracledb/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/oracledb/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/oracledb/pep249.py b/python/ql/test/library-tests/frameworks/oracledb/pep249.py
@@ -0,0 +1,5 @@
+import oracledb
+
+connection = oracledb.connect(user="username", password="password", dsn="connectstring")
+cursor = connection.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"
diff --git a/python/ql/test/library-tests/frameworks/phoenixdb/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/phoenixdb/ConceptsTest.expected
diff --git a/python/ql/test/library-tests/frameworks/phoenixdb/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/phoenixdb/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/phoenixdb/pep249.py b/python/ql/test/library-tests/frameworks/phoenixdb/pep249.py
@@ -0,0 +1,8 @@
+import phoenixdb
+import phoenixdb.cursor
+
+database_url = 'http://localhost:8765/'
+conn = phoenixdb.connect(database_url, autocommit=True)
+
+cursor = conn.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"
diff --git a/python/ql/test/library-tests/frameworks/pyodbc/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/pyodbc/ConceptsTest.expected
diff --git a/python/ql/test/library-tests/frameworks/pyodbc/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/pyodbc/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/pyodbc/pep249.py b/python/ql/test/library-tests/frameworks/pyodbc/pep249.py
@@ -0,0 +1,6 @@
+import pyodbc
+
+cnxn = pyodbc.connect('DSN=test;PWD=password')
+
+cursor = cnxn.cursor()
+cursor.execute("some sql")  # $ getSql="some sql"

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added model of `cx_Oracle`, `oracledb`, `phonenixdb` and `pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import python`
	`2`	`+import experimental.meta.ConceptsTest`