Python: Model new alias method on django QuerySets

RasmusWL · RasmusWL · commit 2302c8d5fa80 · 2021-04-21T13:52:38.000+02:00
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -366,7 +366,7 @@ private module PrivateDjango {
               "none", "all", "filter", "exclude", "complex_filter", "union", "intersection",
               "difference", "select_for_update", "select_related", "prefetch_related", "order_by",
               "distinct", "reverse", "defer", "only", "using", "annotate", "extra", "raw",
-              "datetimes", "dates", "values", "values_list"
+              "datetimes", "dates", "values", "values_list", "alias"
             ] and
           result = [manager(), querySet()].getMember(name)
         }
@@ -386,7 +386,8 @@ private module PrivateDjango {
           /** Provides models for the `django.db.models.expressions.RawSQL` class. */
           module RawSQL {
             /**
-             * Gets a reference to the `django.db.models.expressions.RawSQL` class.
+             * Gets an instance of the `django.db.models.expressions.RawSQL` class,
+             * that was initiated with the SQL represented by `sql`.
              */
             API::Node classRef() {
               result = expressions().getMember("RawSQL")
@@ -406,7 +407,10 @@ private module PrivateDjango {
               exists(DataFlow::TypeTracker t2 | result = instance(t2, sql).track(t2, t))
             }
 
-            /** Gets an instance of the `django.db.models.expressions.RawSQL` class. */
+            /**
+             * Gets an instance of the `django.db.models.expressions.RawSQL` class,
+             * that was initiated with the SQL represented by `sql`.
+             */
             DataFlow::Node instance(ControlFlowNode sql) {
               instance(DataFlow::TypeTracker::end(), sql).flowsTo(result)
             }
@@ -435,6 +439,24 @@ private module PrivateDjango {
       override DataFlow::Node getSql() { result.asCfgNode() = sql }
     }
 
+    /**
+     * A call to the `alias` function on a model using a `RawSQL` argument.
+     *
+     * See https://docs.djangoproject.com/en/3.2/ref/models/querysets/#alias
+     */
+    private class ObjectsAlias extends SqlExecution::Range, DataFlow::CallCfgNode {
+      ControlFlowNode sql;
+
+      ObjectsAlias() {
+        this = django::db::models::querySetReturningMethod("alias").getACall() and
+        django::db::models::expressions::RawSQL::instance(sql) in [
+            this.getArg(_), this.getArgByName(_)
+          ]
+      }
+
+      override DataFlow::Node getSql() { result.asCfgNode() = sql }
+    }
+
     /**
      * A call to the `raw` function on a model.
      *
diff --git a/python/ql/test/library-tests/frameworks/django/SqlExecution.py b/python/ql/test/library-tests/frameworks/django/SqlExecution.py
@@ -19,9 +19,14 @@ class User(models.Model):
 
 def test_model():
     User.objects.raw("some sql")  # $getSql="some sql"
+
     User.objects.annotate(RawSQL("some sql"))  # $getSql="some sql"
     User.objects.annotate(RawSQL("foo"), RawSQL("bar"))  # $getSql="foo" getSql="bar"
     User.objects.annotate(val=RawSQL("some sql"))  # $getSql="some sql"
+
+    User.objects.alias(RawSQL("foo"), RawSQL("bar"))  # $getSql="foo" getSql="bar"
+    User.objects.alias(val=RawSQL("some sql"))  # $getSql="some sql"
+
     User.objects.extra("some sql")  # $getSql="some sql"
     User.objects.extra(select="select", where="where", tables="tables", order_by="order_by")  # $getSql="select" getSql="where" getSql="tables" getSql="order_by"
 
