Detect misuse of
psycopg2.sql.SQL
composable
Add a plugin test to detect when something other than a string literal is passed to the constructor of the `psycopg2.sql.SQL` composable object. Resolves: PyCQA#412
Showing
4 changed files
with
48 additions
and
0 deletions.
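--- /dev/null
+++ b/PLUGIN_FILE_PATH_PLACEHOLDER
@@ -0,0 +1,40 @@
+# -*- coding:utf-8 -*-
+#
+# SPDX-License-Identifier: Apache-2.0
+
+import ast
+
+import bandit
+from bandit.core import test_properties as test
+
+
+@test.checks('Call')
+@test.test_id('B612')
+def psycopg2_sql_injection(context):
+    """**B612: Potential SQL injection on psycopg2 raw SQL composable object **
+    The `psycopg2.sql.SQL` composable object should not be used to represent
+    variable identifiers or values that may be controlled by an attacker since
+    the argument that is passed to the `SQL` constructor is not escaped when
+    the SQL statement is composed. Instead, `SQL` should only be used to
+    represent constant strings.
+    .. seealso::
+    - https://www.psycopg.org/docs/sql.html
+    .. versionadded:: 1.5.0
+    """
+    if context.is_module_imported_like('psycopg2.sql'):
+        if context.call_function_name == 'SQL':
+            argument = context.node.args[0]
+            if not isinstance(argument, ast.Str):
+                return bandit.Issue(
+                    severity=bandit.MEDIUM,
+                    confidence=bandit.MEDIUM,
+                    text=(
+                        "Possible SQL injection vector through instantiation "
+                        "of psycopg2.sql.SQL composable object on an argument "
+                        "other than a string literal."
+                    )
+                )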
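Review bot: `argument = context.node.args[0]` raises IndexError when `SQL` is invoked without a positional argument, e.g. `sql.SQL(string=...)`, which aborts the scan instead of simply reporting nothing for that call; guard it with `if not context.node.args: return` before the indexing. `ast.Str` is deprecated since Python 3.8 in favour of `ast.Constant` and removed in 3.12, so the `isinstance(argument, ast.Str)` test will need to become a check that `argument` is an `ast.Constant` whose `value` is a `str` for the plugin to keep working on newer interpreters. Matching on the bare `call_function_name == 'SQL'` also flags any unrelated callable named `SQL` inside a module that happens to import psycopg2.sql; comparing the qualified name (bandit's context exposes `call_function_name_qual`) would narrow that false positive. Finally, the docstring title `composable object **` has a space before the closing `**`, which breaks the reST bold markup the plugin docs rely on; drop the space.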
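--- /dev/null
+++ b/EXAMPLE_FILE_PATH_PLACEHOLDER
@@ -0,0 +1,4 @@
+from psycopg2 import sql
+
+table = 'users; drop table users; --'
+sql.SQL('select * from {}').format(sql.SQL(table))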
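Review bot: The example only contains the call that should be flagged; adding a literal-only call such as `sql.SQL('select * from users')` would let the plugin test also assert that B612 stays quiet on constant strings, which is the behaviour the docstring promises. The accompanying test module is not among the sections shown here, so I cannot tell whether that negative case is covered elsewhere.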