Python: Add modeling of PyMySQL

RasmusWL · RasmusWL · commit 31d4ea77cbce · 2020-12-14T10:56:47.000+01:00
diff --git a/python/change-notes/2020-12-14-add-PyMySQL-model.md b/python/change-notes/2020-12-14-add-PyMySQL-model.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added model of `PyMySQL` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.
diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
@@ -7,8 +7,9 @@ private import semmle.python.frameworks.Django
 private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
 private import semmle.python.frameworks.Invoke
-private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.MysqlConnectorPython
+private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Psycopg2
+private import semmle.python.frameworks.PyMySQL
 private import semmle.python.frameworks.Stdlib
 private import semmle.python.frameworks.Yaml
diff --git a/python/ql/src/semmle/python/frameworks/PyMySQL.qll b/python/ql/src/semmle/python/frameworks/PyMySQL.qll
@@ -0,0 +1,32 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `PyMySQL` PyPI package.
+ * See https://pypi.org/project/PyMySQL/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import PEP249
+
+/**
+ * Provides models for the `PyMySQL` PyPI package.
+ * See https://pypi.org/project/PyMySQL/
+ */
+private module PyMySQL {
+  /** Gets a reference to the `pymysql` module. */
+  private DataFlow::Node pymysql(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("pymysql")
+    or
+    exists(DataFlow::TypeTracker t2 | result = pymysql(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `pymysql` module. */
+  DataFlow::Node pymysql() { result = pymysql(DataFlow::TypeTracker::end()) }
+
+  /** PyMySQL implements PEP 249, providing ways to execute SQL statements against a database. */
+  class PyMySQLPEP249 extends PEP249Module {
+    PyMySQLPEP249() { this = pymysql() }
+  }
+}
diff --git a/python/ql/test/experimental/library-tests/frameworks/pymysql/pep249.py b/python/ql/test/experimental/library-tests/frameworks/pymysql/pep249.py
@@ -2,4 +2,4 @@
 connection = pymysql.connect(host="localhost", user="user", password="passwd")
 
 cursor = connection.cursor()
-cursor.execute("some sql", (42,))  # $ MISSING: getSql="some sql"
+cursor.execute("some sql", (42,))  # $ getSql="some sql"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Added model of `PyMySQL` PyPI package as a SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.