[python] ClickHouseDriver.qll: add support for subclasses

Author: japroc

python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py

@@ -3,6 +3,10 @@
 from clickhouse_driver import connect
 from aioch import Client as aiochClient
 
+class MyClient(Client):
+    def dummy(self):
+        return None
+
 def show_user(request, username):
 
     # BAD -- async library 'aioch'
@@ -25,4 +29,7 @@ def show_user(request, username):
     cursor = conn.cursor()
     cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
 
+    # BAD -- MyClient is a subclass of Client
+    MyClient('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
+
 urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]

python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp

@@ -47,6 +47,10 @@ second dict-like argument.
 In the fifth case, there is example of PEP249 interface usage.
 </p>
 
+<p>
+In the sixth case, there is custom Class usge which is a subclass of default Client.
+</p>
+
 <sample src="ClickHouseSQLInjection.py" />
 </example>
 

python/ql/src/experimental/semmle/python/frameworks/ClickHouseDriver.qll

@@ -36,9 +36,9 @@ module ClickHouseDriver {
   module Client {
     /** Gets a reference to a Client call. */
     private DataFlow::Node client_ref() {
-      result = clickhouse_driver().getMember("Client").getAUse()
+      result = clickhouse_driver().getMember("Client").getASubclass*().getAUse()
       or
-      result = aioch().getMember("Client").getAUse()
+      result = aioch().getMember("Client").getASubclass*().getAUse()
     }
 
     /** A direct instantiation of `clickhouse_driver.Client`. */