Merge pull request github#5950 from RasmusWL/promote-clickhouse

Python: Promote ClickHouse SQL models

Author: yoff

docs/codeql/support/reusables/frameworks.rst

@@ -1,7 +1,7 @@
 C and C++ built-in support
 ================================
 
-.. csv-table:: 
+.. csv-table::
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
@@ -14,7 +14,7 @@ C and C++ built-in support
 C# built-in support
 ================================
 
-.. csv-table:: 
+.. csv-table::
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
@@ -84,7 +84,7 @@ Go built-in support
 Java built-in support
 ==================================
 
-.. csv-table:: 
+.. csv-table::
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
@@ -109,7 +109,7 @@ Java built-in support
 JavaScript and TypeScript built-in support
 =======================================================
 
-.. csv-table:: 
+.. csv-table::
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
@@ -165,6 +165,8 @@ Python built-in support
    invoke, Utility library
    multidict, Utility library
    yarl, Utility library
+   aioch, Database
+   clickhouse-driver, Database
    mysql-connector-python, Database
    mysql-connector, Database
    MySQL-python, Database

python/change-notes/2021-05-25-add-ClickHouse-sql-libs.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added model of SQL execution in `clickhouse-driver` and `aioch` PyPI packages, resulting in additional sinks for the SQL Injection query (`py/sql-injection`). This modeling was originally [submitted as a contribution by @japroc](https://github.com/github/codeql/pull/5889).

python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py

@@ -4,7 +4,9 @@
 
 // If you add modeling of a new framework/library, remember to add it it to the docs in
 // `docs/codeql/support/reusables/frameworks.rst`
+private import semmle.python.frameworks.Aioch
 private import semmle.python.frameworks.Aiohttp
+private import semmle.python.frameworks.ClickhouseDriver
 private import semmle.python.frameworks.Cryptodome
 private import semmle.python.frameworks.Cryptography
 private import semmle.python.frameworks.Dill

python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp

@@ -0,0 +1,52 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `aioch` PyPI package (an
+ * async-io version of the `clickhouse-driver` PyPI package).
+ *
+ * See https://pypi.org/project/aioch/
+ */
+
+private import python
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+private import semmle.python.frameworks.ClickhouseDriver
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides models for `aioch` PyPI package (an async-io version of the
+ * `clickhouse-driver` PyPI package).
+ *
+ * See https://pypi.org/project/aioch/
+ */
+module Aioch {
+  /** Provides models for `aioch.Client` class and subclasses. */
+  module Client {
+    /** Gets a reference to the `aioch.Client` class or any subclass. */
+    API::Node subclassRef() {
+      result = API::moduleImport("aioch").getMember("Client").getASubclass*()
+    }
+
+    /** Gets a reference to an instance of `clickhouse_driver.Client` or any subclass. */
+    API::Node instance() { result = subclassRef().getReturn() }
+  }
+
+  /**
+   * A call to any of the the execute methods on a `aioch.Client`, which are just async
+   * versions of the methods in the `clickhouse-driver` PyPI package.
+   *
+   * See
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute_iter
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute_with_progress
+   */
+  class ClientExecuteCall extends SqlExecution::Range, DataFlow::CallCfgNode {
+    ClientExecuteCall() {
+      exists(string methodName | methodName = ClickhouseDriver::getExecuteMethodName() |
+        this = Client::instance().getMember(methodName).getACall()
+      )
+    }
+
+    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("query")] }
+  }
+}

python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.ql

@@ -0,0 +1,65 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `clickhouse-driver` PyPI package.
+ * See
+ * - https://pypi.org/project/clickhouse-driver/
+ * - https://clickhouse-driver.readthedocs.io/en/latest/
+ */
+
+private import python
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides models for `clickhouse-driver` PyPI package (imported as `clickhouse_driver`).
+ * See
+ * - https://pypi.org/project/clickhouse-driver/
+ * - https://clickhouse-driver.readthedocs.io/en/latest/
+ */
+module ClickhouseDriver {
+  /**
+   * `clickhouse_driver` implements PEP249,
+   * providing ways to execute SQL statements against a database.
+   */
+  class ClickHouseDriverPEP249 extends PEP249ModuleApiNode {
+    ClickHouseDriverPEP249() { this = API::moduleImport("clickhouse_driver") }
+  }
+
+  /** Provides models for `clickhouse_driver.Client` class and subclasses. */
+  module Client {
+    /** Gets a reference to the `clickhouse_driver.Client` class or any subclass. */
+    API::Node subclassRef() {
+      exists(API::Node classRef |
+        // canonical definition
+        classRef = API::moduleImport("clickhouse_driver").getMember("client").getMember("Client")
+        or
+        // commonly used alias
+        classRef = API::moduleImport("clickhouse_driver").getMember("Client")
+      |
+        result = classRef.getASubclass*()
+      )
+    }
+
+    /** Gets a reference to an instance of `clickhouse_driver.Client` or any subclass. */
+    API::Node instance() { result = subclassRef().getReturn() }
+  }
+
+  /** `clickhouse_driver.Client` execute method names */
+  string getExecuteMethodName() { result in ["execute_with_progress", "execute", "execute_iter"] }
+
+  /**
+   * A call to any of the the execute methods on a `clickhouse_driver.Client` method
+   *
+   * See
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute_iter
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute_with_progress
+   */
+  class ClientExecuteCall extends SqlExecution::Range, DataFlow::CallCfgNode {
+    ClientExecuteCall() { this = Client::instance().getMember(getExecuteMethodName()).getACall() }
+
+    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("query")] }
+  }
+}