|
| 1 | +/** |
| 2 | + * Provides classes modeling security-relevant aspects of the `aiopg` PyPI package. |
| 3 | + * See |
| 4 | + * - https://aiopg.readthedocs.io/en/stable/index.html |
| 5 | + * - https://pypi.org/project/aiopg/ |
| 6 | + */ |
| 7 | + |
| 8 | +private import python |
| 9 | +private import semmle.python.dataflow.new.DataFlow |
| 10 | +private import semmle.python.Concepts |
| 11 | +private import semmle.python.ApiGraphs |
| 12 | + |
| 13 | +/** Provides models for the `aiopg` PyPI package. */ |
| 14 | +private module Aiopg { |
| 15 | + private import semmle.python.internal.Awaited |
| 16 | + |
| 17 | + /** A `ConectionPool` is created when the result of `aiopg.create_pool()` is awaited. */ |
| 18 | + API::Node connectionPool() { |
| 19 | + result = API::moduleImport("aiopg").getMember("create_pool").getReturn().getAwaited() |
| 20 | + } |
| 21 | + |
| 22 | + /** |
| 23 | + * A `Connection` is created when |
| 24 | + * - the result of `aiopg.connect()` is awaited. |
| 25 | + * - the result of calling `aquire` on a `ConnectionPool` is awaited. |
| 26 | + */ |
| 27 | + API::Node connection() { |
| 28 | + result = API::moduleImport("aiopg").getMember("connect").getReturn().getAwaited() |
| 29 | + or |
| 30 | + result = connectionPool().getMember("acquire").getReturn().getAwaited() |
| 31 | + } |
| 32 | + |
| 33 | + /** |
| 34 | + * A `Cursor` is created when |
| 35 | + * - the result of calling `cursor` on a `ConnectionPool` is awaited. |
| 36 | + * - the result of calling `cursor` on a `Connection` is awaited. |
| 37 | + */ |
| 38 | + API::Node cursor() { |
| 39 | + result = connectionPool().getMember("cursor").getReturn().getAwaited() |
| 40 | + or |
| 41 | + result = connection().getMember("cursor").getReturn().getAwaited() |
| 42 | + } |
| 43 | + |
| 44 | + class CursorExecuteCall extends SqlConstruction::Range, DataFlow::CallCfgNode { |
| 45 | + CursorExecuteCall() { this = cursor().getMember("execute").getACall() } |
| 46 | + |
| 47 | + override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("operation")] } |
| 48 | + } |
| 49 | + |
| 50 | + /** |
| 51 | + * This is only needed to connect the argument to the execute call with the subsequnt awaiting. |
| 52 | + * It should be obsolete once we have `API::CallNode` available. |
| 53 | + */ |
| 54 | + private DataFlow::TypeTrackingNode cursorExecuteCall(DataFlow::TypeTracker t, DataFlow::Node sql) { |
| 55 | + // cursor created from connection |
| 56 | + t.start() and |
| 57 | + sql = result.(CursorExecuteCall).getSql() |
| 58 | + or |
| 59 | + exists(DataFlow::TypeTracker t2 | result = cursorExecuteCall(t2, sql).track(t2, t)) |
| 60 | + } |
| 61 | + |
| 62 | + DataFlow::Node cursorExecuteCall(DataFlow::Node sql) { |
| 63 | + cursorExecuteCall(DataFlow::TypeTracker::end(), sql).flowsTo(result) |
| 64 | + } |
| 65 | + |
| 66 | + /** Awaiting the result of calling `execute` executes the query. */ |
| 67 | + class AwaitedCursorExecuteCall extends SqlExecution::Range { |
| 68 | + DataFlow::Node sql; |
| 69 | + |
| 70 | + AwaitedCursorExecuteCall() { this = awaited(cursorExecuteCall(sql)) } |
| 71 | + |
| 72 | + override DataFlow::Node getSql() { result = sql } |
| 73 | + } |
| 74 | +} |
0 commit comments