Merge pull request #4820 from RasmusWL/add-pymysql-modeling

Approved by yoff

Author: codeql-ci

python/change-notes/2020-12-14-add-PyMySQL-model.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added model of `PyMySQL` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.

python/ql/src/semmle/python/Frameworks.qll

@@ -7,8 +7,9 @@ private import semmle.python.frameworks.Django
 private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
 private import semmle.python.frameworks.Invoke
-private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.MysqlConnectorPython
+private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Psycopg2
+private import semmle.python.frameworks.PyMySQL
 private import semmle.python.frameworks.Stdlib
 private import semmle.python.frameworks.Yaml

python/ql/src/semmle/python/frameworks/MySQLdb.qll

@@ -17,7 +17,7 @@ private import PEP249
  * - https://mysqlclient.readthedocs.io/index.html
  * - https://pypi.org/project/MySQL-python/
  */
-module MySQLdb {
+private module MySQLdb {
   // ---------------------------------------------------------------------------
   // MySQLdb
   // ---------------------------------------------------------------------------

python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll

@@ -17,7 +17,7 @@ private import PEP249
  * - https://dev.mysql.com/doc/connector-python/en/
  * - https://dev.mysql.com/doc/connector-python/en/connector-python-example-connecting.html
  */
-module MysqlConnectorPython {
+private module MysqlConnectorPython {
   // ---------------------------------------------------------------------------
   // mysql
   // ---------------------------------------------------------------------------

python/ql/src/semmle/python/frameworks/Psycopg2.qll

@@ -17,7 +17,7 @@ private import PEP249
  * - https://www.psycopg.org/docs/
  * - https://pypi.org/project/psycopg2/
  */
-module Psycopg2 {
+private module Psycopg2 {
   // ---------------------------------------------------------------------------
   // Psycopg
   // ---------------------------------------------------------------------------

python/ql/src/semmle/python/frameworks/PyMySQL.qll

@@ -0,0 +1,32 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `PyMySQL` PyPI package.
+ * See https://pypi.org/project/PyMySQL/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import PEP249
+
+/**
+ * Provides models for the `PyMySQL` PyPI package.
+ * See https://pypi.org/project/PyMySQL/
+ */
+private module PyMySQL {
+  /** Gets a reference to the `pymysql` module. */
+  private DataFlow::Node pymysql(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("pymysql")
+    or
+    exists(DataFlow::TypeTracker t2 | result = pymysql(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `pymysql` module. */
+  DataFlow::Node pymysql() { result = pymysql(DataFlow::TypeTracker::end()) }
+
+  /** PyMySQL implements PEP 249, providing ways to execute SQL statements against a database. */
+  class PyMySQLPEP249 extends PEP249Module {
+    PyMySQLPEP249() { this = pymysql() }
+  }
+}

python/ql/test/experimental/library-tests/frameworks/pymysql/ConceptsTest.expected

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/experimental/library-tests/frameworks/pymysql/ConceptsTest.ql

@@ -0,0 +1,5 @@
+import pymysql
+connection = pymysql.connect(host="localhost", user="user", password="passwd")
+
+cursor = connection.cursor()
+cursor.execute("some sql", (42,))  # $ getSql="some sql"