Python: Use new taint-tracking query in SQL-injection query.

Author: markshannon

python/ql/src/Security/CWE-089/SqlInjection.ql

@@ -22,7 +22,16 @@ import semmle.python.security.injection.Sql
 import semmle.python.web.django.Db
 import semmle.python.web.django.Model
 
+class SQLInjectionConfiguration extends TaintTracking::Configuration {
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
-select sink.getSink(), src, sink, "This SQL query depends on $@.", src.getSource(), "a user-provided value"
+    SQLInjectionConfiguration() { this = "SQL injection configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source.isSourceOf(any(UntrustedStringKind u)) }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof SqlInjectionSink }
+
+}
+
+from SQLInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select sink.getNode(), src, sink, "This SQL query depends on $@.", src.getNode(), "a user-provided value"

python/ql/src/semmle/python/security/SQL.qll

@@ -0,0 +1,4 @@
+import python
+import semmle.python.security.TaintTracking
+
+abstract class SqlInjectionSink extends TaintSink {}

python/ql/src/semmle/python/security/TaintTracking.qll

@@ -1668,3 +1668,4 @@ private predicate sequence_call(ControlFlowNode fromnode, CallNode tonode) {
         cls.refersTo(theSetType())
     )
 }
+

python/ql/src/semmle/python/security/injection/Sql.qll

@@ -9,6 +9,7 @@ import python
 
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
+import semmle.python.security.SQL
 
 
 private StringObject first_part(ControlFlowNode command) {
@@ -48,11 +49,10 @@ abstract class DbCursor extends TaintKind {
 
 }
 
-
 /** A part of a string that appears to be a SQL command and is thus
  * vulnerable to malicious input.
  */
-class SimpleSqlStringInjection extends TaintSink {
+class SimpleSqlStringInjection extends SqlInjectionSink {
 
     override string toString() { result = "simple SQL string injection" }
 
@@ -76,7 +76,7 @@ abstract class DbConnectionSource extends TaintSource {
 /** A taint sink that is vulnerable to malicious SQL queries.
  * The `vuln` in `db.connection.execute(vuln)` and similar.
  */
-class DbConnectionExecuteArgument extends TaintSink {
+class DbConnectionExecuteArgument extends SqlInjectionSink {
 
     override string toString() { result = "db.connection.execute" }
 

python/ql/src/semmle/python/web/django/Db.qll

@@ -46,7 +46,7 @@ ClassObject theDjangoRawSqlClass() {
  * allows arbitrary SQL statements to be executed, which is a security risk.
  */
 
-class DjangoRawSqlSink extends TaintSink {
+class DjangoRawSqlSink extends SqlInjectionSink {
     DjangoRawSqlSink() {
         exists(CallNode call |
             call = theDjangoRawSqlClass().getACall() and

python/ql/src/semmle/python/web/django/Model.qll

@@ -3,6 +3,7 @@ import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http
+import semmle.python.security.injection.Sql
 
 /** A django model class */
 class DjangoModel extends ClassObject {
@@ -68,7 +69,7 @@ class DjangoModelObjects extends TaintSource {
 }
 
 /** A write to a field of a django model, which is a vulnerable to external data. */
-class DjangoModelFieldWrite extends TaintSink {
+class DjangoModelFieldWrite extends SqlInjectionSink {
 
     DjangoModelFieldWrite() {
         exists(AttrNode attr, DjangoModel model |
@@ -111,7 +112,7 @@ class DjangoModelDirectObjectReference extends TaintSink {
  * to be sent to the database, which is a security risk.
  */
 
-class DjangoModelRawCall extends TaintSink {
+class DjangoModelRawCall extends SqlInjectionSink {
 
     DjangoModelRawCall() {
         exists(CallNode raw_call, ControlFlowNode queryset |
@@ -136,7 +137,7 @@ class DjangoModelRawCall extends TaintSink {
  */
 
 
-class DjangoModelExtraCall extends TaintSink {
+class DjangoModelExtraCall extends SqlInjectionSink {
 
     DjangoModelExtraCall() {
         exists(CallNode extra_call, ControlFlowNode queryset |