fix(python): update sql sanitizer (#466)
elsapet authored Oct 18, 2024
1 parent b6a88ee commit 111b0ed
Showing 2 changed files with 32 additions and 2 deletions.
17 changes: 17 additions & 0 deletions rules/python/shared/common/sql_user_input.yml
Expand Up @@ -7,6 +7,7 @@ imports:
- python_shared_lang_import1
- python_shared_lang_import2
- python_shared_lang_import3
- python_shared_lang_import4
sanitizer: python_shared_common_sql_user_input_sanitizer
patterns:
- pattern: $<INPUT>
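Review bot: the four import aliases `python_shared_lang_import1` through `python_shared_lang_import4` give no hint which module each one binds; the MODULE1..MODULE4/NAME filters that pin `import4` to `mysql.connector.conversion.MySQLConverter.escape` live in the auxiliary section further down, so a reader of the `imports:` list cannot tell what this hunk actually adds. A short comment next to the new entry (e.g. `# mysql.connector MySQLConverter.escape`) would make the intent visible where the import is declared.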
Expand All @@ -17,6 +18,22 @@ patterns:
auxiliary:
- id: python_shared_common_sql_user_input_sanitizer
patterns:
- pattern: $<CONVERTER_CLASS>($<_>)
filters:
- variable: CONVERTER_CLASS
detection: python_shared_lang_import4
scope: cursor
filters:
- variable: MODULE1
values: [mysql]
- variable: MODULE2
values: [connector]
- variable: MODULE3
values: [conversion]
- variable: MODULE4
values: [MySQLConverter]
- variable: NAME
values: [escape]
- pattern: $<CONVERTER>.escape($<_>)
filters:
- variable: CONVERTER
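Review bot: the new `$<CONVERTER_CLASS>($<_>)` auxiliary marks any call to the imported `MySQLConverter.escape` as a sanitizer with no constraint on where its result ends up, mirroring the existing `$<CONVERTER>.escape($<_>)` instance pattern below it. `escape` only quote-escapes characters inside a string value, so after this change a finding is also suppressed when the escaped value is placed in an unquoted position such as an identifier; if that trade-off is intended, it should be recorded in the rule's metadata as a known limitation of the sanitizer so that the suppression is not read as full coverage.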
17 changes: 15 additions & 2 deletions tests/python/lang/sql_injection/testdata/main.py
Expand Up @@ -20,9 +20,9 @@ def asyncpg():
conn = await asyncpg.connect(user='mish', password='password')
query = "SELECT * FROM bar WHERE foo=" + user_input
# bearer:expected python_lang_sql_injection
values = await conn.fetch(query)
values = await conn.fetch(query)
await conn.close()

def pg8000():
import pg8000.native as pg
import pg8000.dbapi
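Review bot: the removed and re-added `values = await conn.fetch(query)` lines in the `asyncpg()` hunk read identically in the rendered diff, so this is a whitespace-only change unrelated to the MySQL sanitizer fix the commit message describes; either leave it out of this commit or mention the indentation fix in the message so the `@@ -20,9 +20,9 @@` hunk does not look accidental.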
Expand Down Expand Up @@ -60,6 +60,19 @@ def mysql_connector_sanitizer():
cursor.execute(user_input)
cursor.execute(converter.escape(user_input))

def mysql_connector_sanitizer_2():
import mysql.connector
from mysql.connector.conversion import MySQLConverter

cursor = self.con.cursor()
# bearer:expected python_lang_sql_injection
cursor.callproc(user_input, user_input)

sanitized_input = MySQLConverter.escape(str(user_input))
sanitized_values = [MySQLConverter.escape(str(value)) for value in user_input]
# ok
cursor.callproc(sanitized_input, sanitized_values)

def pymysql_sanitizer():
import pymysql

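Review bot: `import mysql.connector` in `mysql_connector_sanitizer_2()` is unused, since the converter is imported from `mysql.connector.conversion` and the cursor comes from `self.con`; drop it or use it, so the fixture shows exactly which import the new `python_shared_lang_import4` detection keys on. The `# ok` case also only exercises `MySQLConverter.escape(str(...))`; adding a variant that passes `user_input` to `MySQLConverter.escape` directly, without the `str()` wrapper, would cover the bare `$<CONVERTER_CLASS>($<_>)` pattern as well.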

0 comments on commit 111b0ed