Python: Add support for Psycopg2 database connection pools

tausbn · tausbn · commit d5e029899919 · 2025-08-25T12:35:57.000Z
Our current modelling only treated `psycopg2` insofar as it implemented
PEP 249 (which does not define any notion of connection pool), which
meant we were missing database connections that arose from such pools.

With these changes, we add support for the three classes relating to
database pools that are defined in `psycopg2`. (Note that
`getAnInstance` automatically looks at subclasses, which means this
should also handle cases where the user has defined a new subclass that
inherits from one of these three classes.)
diff --git a/python/ql/lib/change-notes/2025-08-25-psycopg2-connection-pool-modelling.md b/python/ql/lib/change-notes/2025-08-25-psycopg2-connection-pool-modelling.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+- The modelling of Psycopg2 now supports the use of `psycopg2.pool` connection pools for handling database connections.
diff --git a/python/ql/lib/semmle/python/frameworks/Psycopg2.qll b/python/ql/lib/semmle/python/frameworks/Psycopg2.qll
@@ -29,4 +29,17 @@ private module Psycopg2 {
   class Psycopg2 extends PEP249::PEP249ModuleApiNode {
     Psycopg2() { this = API::moduleImport("psycopg2") }
   }
+
+  /** A database connection obtained from a psycopg2 connection pool. */
+  class Psycopg2ConnectionPoolMember extends PEP249::DatabaseConnection {
+    Psycopg2ConnectionPoolMember() {
+      this =
+        any(Psycopg2 p)
+            .getMember("pool")
+            .getMember(["SimpleConnectionPool", "ThreadedConnectionPool", "AbstractConnectionPool"])
+            .getAnInstance()
+            .getMember("getconn")
+            .getReturn()
+    }
+  }
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +category: minorAnalysis
 +---
++
 +- The modelling of Psycopg2 now supports the use of `psycopg2.pool` connection pools for handling database connections.