codeql/python/ql/test/query-tests/Security/CWE-089-SQLAlchemyTextClauseInjection/test.py at c34d6d116274dec8891ec3ccbf8d7c32db517501 · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
from flask import Flask, request
import sqlalchemy
import sqlalchemy.orm

app = Flask(__name__)
engine = sqlalchemy.create_engine(...)
Base = sqlalchemy.orm.declarative_base()


class User(Base):
    __tablename__ = "users"

    id = sqlalchemy.Column(sqlalchemy.Integer, primary_key=True)
    username = sqlalchemy.Column(sqlalchemy.String)


@app.route("/users/<username>")
def show_user(username):
    session = sqlalchemy.orm.Session(engine)

    # BAD, normal SQL injection
    stmt = sqlalchemy.text("SELECT * FROM users WHERE username = '{}'".format(username))
    results = session.execute(stmt).fetchall()

    # BAD, allows SQL injection
    username_formatted_for_sql = sqlalchemy.text("'{}'".format(username))
    stmt = sqlalchemy.select(User).where(User.username == username_formatted_for_sql)
    results = session.execute(stmt).scalars().all()

    # GOOD, does not allow for SQL injection
    stmt = sqlalchemy.select(User).where(User.username == username)
    results = session.execute(stmt).scalars().all()


    # All of these should be flagged by query
    t1 = sqlalchemy.text(username)
    t2 = sqlalchemy.text(text=username)
    t3 = sqlalchemy.sql.text(username)
    t4 = sqlalchemy.sql.text(text=username)
    t5 = sqlalchemy.sql.expression.text(username)
    t6 = sqlalchemy.sql.expression.text(text=username)
    t7 = sqlalchemy.sql.expression.TextClause(username)
    t8 = sqlalchemy.sql.expression.TextClause(text=username)