Python: Remove modeling of sqlescapy PyPI package

RasmusWL · RasmusWL · commit ba99e218754b · 2021-09-02T10:19:57.000+02:00
I've never seen this being used in real code, and this library doesn't
have a lot of traction, so I would rather not commit to supporting it
(which includes verifying that it actually makes things safe).

Personally I don't think this is the right approach for avoiding SQL
injection either.
diff --git a/python/ql/src/experimental/semmle/python/frameworks/SqlAlchemy.qll b/python/ql/src/experimental/semmle/python/frameworks/SqlAlchemy.qll
@@ -312,19 +312,6 @@ private module SqlAlchemy {
       )
     }
   }
-
-  /**
-   * Gets a reference to `sqlescapy.sqlescape`.
-   *
-   * See https://pypi.org/project/sqlescapy/
-   */
-  class SQLEscapySanitizerCall extends DataFlow::CallCfgNode, SQLEscape::Range {
-    SQLEscapySanitizerCall() {
-      this = API::moduleImport("sqlescapy").getMember("sqlescape").getACall()
-    }
-
-    override DataFlow::Node getAnInput() { result = this.getArg(0) }
-  }
 }
 
 private module OldModeling {

Original file line number	Diff line number	Diff line change
`@@ -312,19 +312,6 @@ private module SqlAlchemy {`
`312`	`312`	`)`
`313`	`313`	`}`
`314`	`314`	`}`
`315`		`-`
`316`		`- /**`
`317`		- * Gets a reference to `sqlescapy.sqlescape`.
`318`		`- *`
`319`		`- * See https://pypi.org/project/sqlescapy/`
`320`		`- */`
`321`		`- class SQLEscapySanitizerCall extends DataFlow::CallCfgNode, SQLEscape::Range {`
`322`		`- SQLEscapySanitizerCall() {`
`323`		`- this = API::moduleImport("sqlescapy").getMember("sqlescape").getACall()`
`324`		`- }`
`325`		`-`
`326`		`- override DataFlow::Node getAnInput() { result = this.getArg(0) }`
`327`		`- }`
`328`	`315`	`}`
`329`	`316`
`330`	`317`	`private module OldModeling {`