Python: Add tests for Flask-SQLAlchemy

RasmusWL · RasmusWL · commit f1744890b17c · 2021-09-02T10:48:15.000+02:00
diff --git a/python/ql/test/library-tests/frameworks/flask_sqlalchemy/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/flask_sqlalchemy/ConceptsTest.expected
diff --git a/python/ql/test/library-tests/frameworks/flask_sqlalchemy/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/flask_sqlalchemy/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/flask_sqlalchemy/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/flask_sqlalchemy/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/flask_sqlalchemy/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/flask_sqlalchemy/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/flask_sqlalchemy/SqlExecution.py b/python/ql/test/library-tests/frameworks/flask_sqlalchemy/SqlExecution.py
@@ -0,0 +1,51 @@
+# pip install Flask-SQLAlchemy
+from flask import Flask
+from flask_sqlalchemy import SQLAlchemy
+import sqlalchemy
+
+app = Flask(__name__)
+app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite+pysqlite:///:memory:"
+db = SQLAlchemy(app)
+
+# re-exports all things from `sqlalchemy` and `sqlalchemy.orm` under instances of `SQLAlchemy`
+# see
+# - https://github.com/pallets/flask-sqlalchemy/blob/931ec00d1e27f51508e05706eef41cc4419a0b32/src/flask_sqlalchemy/__init__.py#L765
+# - https://github.com/pallets/flask-sqlalchemy/blob/931ec00d1e27f51508e05706eef41cc4419a0b32/src/flask_sqlalchemy/__init__.py#L99-L109
+
+assert str(type(db.text("Foo"))) == "<class 'sqlalchemy.sql.elements.TextClause'>"
+
+# also has engine/session instantiated
+
+raw_sql = "SELECT 'Foo'"
+
+conn = db.engine.connect()
+result = conn.execute(raw_sql) # $ MISSING: getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+conn = db.get_engine().connect()
+result = conn.execute(raw_sql) # $ MISSING: getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+result = db.session.execute(raw_sql) # $ MISSING: getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+Session = db.create_session(options={})
+session = Session()
+result = session.execute(raw_sql) # $ MISSING: getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+Session = db.create_session(options={})
+with Session.begin() as session:
+    result = session.execute(raw_sql) # $ MISSING: getSql=raw_sql
+    assert result.fetchall() == [("Foo",)]
+
+result = db.create_scoped_session().execute(raw_sql) # $ MISSING: getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+
+# text
+t = db.text("foo")
+assert isinstance(t, sqlalchemy.sql.expression.TextClause)
+
+t = db.text(text="foo")
+assert isinstance(t, sqlalchemy.sql.expression.TextClause)
diff --git a/python/ql/test/query-tests/Security/CWE-089-SQLAlchemyTextClauseInjection/SQLAlchemyTextClauseInjection.expected b/python/ql/test/query-tests/Security/CWE-089-SQLAlchemyTextClauseInjection/SQLAlchemyTextClauseInjection.expected
@@ -1,34 +1,34 @@
 edges
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:22:28:22:87 | ControlFlowNode for Attribute() |
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:26:50:26:72 | ControlFlowNode for Attribute() |
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:36:26:36:33 | ControlFlowNode for username |
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:37:31:37:38 | ControlFlowNode for username |
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:38:30:38:37 | ControlFlowNode for username |
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:39:35:39:42 | ControlFlowNode for username |
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:40:41:40:48 | ControlFlowNode for username |
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:41:46:41:53 | ControlFlowNode for username |
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:42:47:42:54 | ControlFlowNode for username |
-| test.py:18:15:18:22 | ControlFlowNode for username | test.py:43:52:43:59 | ControlFlowNode for username |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:27:28:27:87 | ControlFlowNode for Attribute() |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:31:50:31:72 | ControlFlowNode for Attribute() |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:41:26:41:33 | ControlFlowNode for username |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:42:31:42:38 | ControlFlowNode for username |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:43:30:43:37 | ControlFlowNode for username |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:44:35:44:42 | ControlFlowNode for username |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:45:41:45:48 | ControlFlowNode for username |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:46:46:46:53 | ControlFlowNode for username |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:47:47:47:54 | ControlFlowNode for username |
+| test.py:23:15:23:22 | ControlFlowNode for username | test.py:48:52:48:59 | ControlFlowNode for username |
 nodes
-| test.py:18:15:18:22 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
-| test.py:22:28:22:87 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| test.py:26:50:26:72 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| test.py:36:26:36:33 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
-| test.py:37:31:37:38 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
-| test.py:38:30:38:37 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
-| test.py:39:35:39:42 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
-| test.py:40:41:40:48 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
-| test.py:41:46:41:53 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
-| test.py:42:47:42:54 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
-| test.py:43:52:43:59 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| test.py:23:15:23:22 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| test.py:27:28:27:87 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:31:50:31:72 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:41:26:41:33 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| test.py:42:31:42:38 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| test.py:43:30:43:37 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| test.py:44:35:44:42 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| test.py:45:41:45:48 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| test.py:46:46:46:53 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| test.py:47:47:47:54 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| test.py:48:52:48:59 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
 #select
-| test.py:22:28:22:87 | ControlFlowNode for Attribute() | test.py:18:15:18:22 | ControlFlowNode for username | test.py:22:28:22:87 | ControlFlowNode for Attribute() | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
-| test.py:26:50:26:72 | ControlFlowNode for Attribute() | test.py:18:15:18:22 | ControlFlowNode for username | test.py:26:50:26:72 | ControlFlowNode for Attribute() | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
-| test.py:36:26:36:33 | ControlFlowNode for username | test.py:18:15:18:22 | ControlFlowNode for username | test.py:36:26:36:33 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
-| test.py:37:31:37:38 | ControlFlowNode for username | test.py:18:15:18:22 | ControlFlowNode for username | test.py:37:31:37:38 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
-| test.py:38:30:38:37 | ControlFlowNode for username | test.py:18:15:18:22 | ControlFlowNode for username | test.py:38:30:38:37 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
-| test.py:39:35:39:42 | ControlFlowNode for username | test.py:18:15:18:22 | ControlFlowNode for username | test.py:39:35:39:42 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
-| test.py:40:41:40:48 | ControlFlowNode for username | test.py:18:15:18:22 | ControlFlowNode for username | test.py:40:41:40:48 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
-| test.py:41:46:41:53 | ControlFlowNode for username | test.py:18:15:18:22 | ControlFlowNode for username | test.py:41:46:41:53 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
-| test.py:42:47:42:54 | ControlFlowNode for username | test.py:18:15:18:22 | ControlFlowNode for username | test.py:42:47:42:54 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
-| test.py:43:52:43:59 | ControlFlowNode for username | test.py:18:15:18:22 | ControlFlowNode for username | test.py:43:52:43:59 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:18:15:18:22 | ControlFlowNode for username | a user-provided value |
+| test.py:27:28:27:87 | ControlFlowNode for Attribute() | test.py:23:15:23:22 | ControlFlowNode for username | test.py:27:28:27:87 | ControlFlowNode for Attribute() | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| test.py:31:50:31:72 | ControlFlowNode for Attribute() | test.py:23:15:23:22 | ControlFlowNode for username | test.py:31:50:31:72 | ControlFlowNode for Attribute() | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| test.py:41:26:41:33 | ControlFlowNode for username | test.py:23:15:23:22 | ControlFlowNode for username | test.py:41:26:41:33 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| test.py:42:31:42:38 | ControlFlowNode for username | test.py:23:15:23:22 | ControlFlowNode for username | test.py:42:31:42:38 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| test.py:43:30:43:37 | ControlFlowNode for username | test.py:23:15:23:22 | ControlFlowNode for username | test.py:43:30:43:37 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| test.py:44:35:44:42 | ControlFlowNode for username | test.py:23:15:23:22 | ControlFlowNode for username | test.py:44:35:44:42 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| test.py:45:41:45:48 | ControlFlowNode for username | test.py:23:15:23:22 | ControlFlowNode for username | test.py:45:41:45:48 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| test.py:46:46:46:53 | ControlFlowNode for username | test.py:23:15:23:22 | ControlFlowNode for username | test.py:46:46:46:53 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| test.py:47:47:47:54 | ControlFlowNode for username | test.py:23:15:23:22 | ControlFlowNode for username | test.py:47:47:47:54 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| test.py:48:52:48:59 | ControlFlowNode for username | test.py:23:15:23:22 | ControlFlowNode for username | test.py:48:52:48:59 | ControlFlowNode for username | This SQLAlchemy TextClause depends on $@, which could lead to SQL injection. | test.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
diff --git a/python/ql/test/query-tests/Security/CWE-089-SQLAlchemyTextClauseInjection/test.py b/python/ql/test/query-tests/Security/CWE-089-SQLAlchemyTextClauseInjection/test.py
@@ -1,11 +1,16 @@
 from flask import Flask, request
 import sqlalchemy
 import sqlalchemy.orm
+from flask_sqlalchemy import SQLAlchemy
 
 app = Flask(__name__)
 engine = sqlalchemy.create_engine(...)
 Base = sqlalchemy.orm.declarative_base()
 
+app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite+pysqlite:///:memory:"
+db = SQLAlchemy(app)
+
+
 
 class User(Base):
     __tablename__ = "users"
@@ -41,3 +46,6 @@ def show_user(username):
     t6 = sqlalchemy.sql.expression.text(text=username)
     t7 = sqlalchemy.sql.expression.TextClause(username)
     t8 = sqlalchemy.sql.expression.TextClause(text=username)
+
+    t9 = db.text(username)
+    t10 = db.text(text=username)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import python`
	`2`	`+import experimental.meta.ConceptsTest`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+argumentToEnsureNotTaintedNotMarkedAsSpurious`
	`2`	`+untaintedArgumentToEnsureTaintedNotMarkedAsMissing`
	`3`	`+failures`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+import experimental.meta.InlineTaintTest`