Python: Model sqlite3 as SQL interface

Author: RasmusWL

python/change-notes/2020-12-09-add-sqlite3-model.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added model of `sqlite3` as SQL interface following PEP249, resulting in additional sinks for `py/sql-injection`.

python/ql/src/semmle/python/frameworks/Stdlib.qll

@@ -8,6 +8,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
+private import PEP249
 
 /** Provides models for the Python standard library. */
 private module Stdlib {
@@ -1032,6 +1033,29 @@ private module Stdlib {
 
     override string getFormat() { result = "JSON" }
   }
+
+  // ---------------------------------------------------------------------------
+  // sqlite3
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `sqlite3` module. */
+  private DataFlow::Node sqlite3(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("sqlite3")
+    or
+    exists(DataFlow::TypeTracker t2 | result = sqlite3(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `sqlite3` module. */
+  DataFlow::Node sqlite3() { result = sqlite3(DataFlow::TypeTracker::end()) }
+
+  /**
+   * sqlite3 implements PEP 249, providing ways to execute SQL statements against a database.
+   *
+   * See https://devdocs.io/python~3.9/library/sqlite3
+   */
+  class Sqlite3 extends PEP249Module {
+    Sqlite3() { this = sqlite3() }
+  }
 }
 
 // ---------------------------------------------------------------------------

python/ql/test/experimental/library-tests/frameworks/stdlib/pep249.py

@@ -5,4 +5,4 @@
 db.execute("some sql", (42,))  # $ MISSING: getSql="some sql"
 
 cursor = db.cursor()
-cursor.execute("some sql", (42,))  # $ MISSING: getSql="some sql"
+cursor.execute("some sql", (42,))  # $ getSql="some sql"