Merge pull request #4819 from RasmusWL/pep249-execute-on-connection

codeql-ci · web-flow · commit 90dbb60c7ffa · 2020-12-14T03:04:08.000-08:00
Approved by yoff
diff --git a/python/ql/src/semmle/python/frameworks/PEP249.qll b/python/ql/src/semmle/python/frameworks/PEP249.qll
@@ -62,54 +62,63 @@ module Connection {
 }
 
 /**
- * Provides models for the `db.Connection.cursor` method.
+ * Provides models for the `cursor` method on a connection.
  * See https://www.python.org/dev/peps/pep-0249/#cursor.
  */
 module cursor {
-  /** Gets a reference to the `db.connection.cursor` method. */
+  /** Gets a reference to the `cursor` method on a connection. */
   private DataFlow::Node methodRef(DataFlow::TypeTracker t) {
     t.startInAttr("cursor") and
     result = Connection::instance()
     or
     exists(DataFlow::TypeTracker t2 | result = methodRef(t2).track(t2, t))
   }
 
-  /** Gets a reference to the `db.connection.cursor` metod. */
+  /** Gets a reference to the `cursor` method on a connection. */
   DataFlow::Node methodRef() { result = methodRef(DataFlow::TypeTracker::end()) }
 
-  /** Gets a reference to a result of calling `db.connection.cursor`. */
+  /** Gets a reference to a result of calling the `cursor` method on a connection. */
   private DataFlow::Node methodResult(DataFlow::TypeTracker t) {
     t.start() and
     result.asCfgNode().(CallNode).getFunction() = methodRef().asCfgNode()
     or
     exists(DataFlow::TypeTracker t2 | result = methodResult(t2).track(t2, t))
   }
 
-  /** Gets a reference to a result of calling `db.connection.cursor`. */
+  /** Gets a reference to a result of calling the `cursor` method on a connection. */
   DataFlow::Node methodResult() { result = methodResult(DataFlow::TypeTracker::end()) }
 }
 
 /**
- * Gets a reference to the `db.Connection.Cursor.execute` function.
+ * Gets a reference to the `execute` method on a cursor (or on a connection).
+ *
+ * Note: while `execute` method on a connection is not part of PEP249, if it is used, we
+ * recognize it as an alias for constructing a cursor and calling `execute` on it.
+ *
  * See https://www.python.org/dev/peps/pep-0249/#id15.
  */
 private DataFlow::Node execute(DataFlow::TypeTracker t) {
   t.startInAttr("execute") and
-  result = cursor::methodResult()
+  result in [cursor::methodResult(), Connection::instance()]
   or
   exists(DataFlow::TypeTracker t2 | result = execute(t2).track(t2, t))
 }
 
 /**
- * Gets a reference to the `db.Connection.Cursor.execute` function.
+ * Gets a reference to the `execute` method on a cursor (or on a connection).
+ *
+ * Note: while `execute` method on a connection is not part of PEP249, if it is used, we
+ * recognize it as an alias for constructing a cursor and calling `execute` on it.
+ *
  * See https://www.python.org/dev/peps/pep-0249/#id15.
  */
 DataFlow::Node execute() { result = execute(DataFlow::TypeTracker::end()) }
 
-private class DbConnectionExecute extends SqlExecution::Range, DataFlow::CfgNode {
+/** A call to the `execute` method on a cursor (or on a connection). */
+private class ExecuteCall extends SqlExecution::Range, DataFlow::CfgNode {
   override CallNode node;
 
-  DbConnectionExecute() { node.getFunction() = execute().asCfgNode() }
+  ExecuteCall() { node.getFunction() = execute().asCfgNode() }
 
   override DataFlow::Node getSql() {
     result.asCfgNode() in [node.getArg(0), node.getArgByName("sql")]
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/pep249.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/pep249.py
@@ -2,7 +2,7 @@
 db = sqlite3.connect("example.db")
 
 # non standard
-db.execute("some sql", (42,))  # $ MISSING: getSql="some sql"
+db.execute("some sql", (42,))  # $ getSql="some sql"
 
 cursor = db.cursor()
 cursor.execute("some sql", (42,))  # $ getSql="some sql"
