-
Notifications
You must be signed in to change notification settings - Fork 1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Upstream references: - Implementation: https://github.com/PyCQA/bandit/blob/1.7.8/bandit/plugins/django_sql_injection.py#L20-L97 - Test cases: https://github.com/PyCQA/bandit/blob/1.7.8/examples/django_sql_injection_extra.py - Test assertion: https://github.com/PyCQA/bandit/blob/1.7.8/tests/functional/test_functional.py#L517-L524
- Loading branch information
1 parent
0c84fbb
commit 33f1f5c
Showing
8 changed files
with
233 additions
and
0 deletions.
There are no files selected for viewing
34 changes: 34 additions & 0 deletions
34
crates/ruff_linter/resources/test/fixtures/flake8_bandit/S610.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
from django.contrib.auth.models import User | ||
|
||
# Errors | ||
User.objects.filter(username='admin').extra(dict(could_be='insecure')) | ||
User.objects.filter(username='admin').extra(select=dict(could_be='insecure')) | ||
User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'}) | ||
User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')}) | ||
User.objects.filter(username='admin').extra(where=['%secure' % 'nos']) | ||
User.objects.filter(username='admin').extra(where=['{}secure'.format('no')]) | ||
|
||
query = '"username") AS "username", * FROM "auth_user" WHERE 1=1 OR "username"=? --' | ||
User.objects.filter(username='admin').extra(select={'test': query}) | ||
|
||
where_var = ['1=1) OR 1=1 AND (1=1'] | ||
User.objects.filter(username='admin').extra(where=where_var) | ||
|
||
where_str = '1=1) OR 1=1 AND (1=1' | ||
User.objects.filter(username='admin').extra(where=[where_str]) | ||
|
||
tables_var = ['django_content_type" WHERE "auth_user"."username"="admin'] | ||
User.objects.all().extra(tables=tables_var).distinct() | ||
|
||
tables_str = 'django_content_type" WHERE "auth_user"."username"="admin' | ||
User.objects.all().extra(tables=[tables_str]).distinct() | ||
|
||
# OK | ||
User.objects.filter(username='admin').extra( | ||
select={'test': 'secure'}, | ||
where=['secure'], | ||
tables=['secure'] | ||
) | ||
User.objects.filter(username='admin').extra({'test': 'secure'}) | ||
User.objects.filter(username='admin').extra(select={'test': 'secure'}) | ||
User.objects.filter(username='admin').extra(where=['secure']) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
86 changes: 86 additions & 0 deletions
86
crates/ruff_linter/src/rules/flake8_bandit/rules/django_extra.rs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
use ruff_diagnostics::{Diagnostic, Violation}; | ||
use ruff_macros::{derive_message_formats, violation}; | ||
use ruff_python_ast::{self as ast, Expr, ExprAttribute, ExprDict, ExprList}; | ||
use ruff_python_semantic::Modules; | ||
use ruff_text_size::Ranged; | ||
|
||
use crate::checkers::ast::Checker; | ||
|
||
/// ## What it does | ||
/// Checks for uses of Django's `extra` function. | ||
/// | ||
/// ## Why is this bad? | ||
/// Django's `extra` function can be used to execute arbitrary SQL queries, | ||
/// which can in turn lead to SQL injection vulnerabilities. | ||
/// | ||
/// ## Example | ||
/// ```python | ||
/// from django.contrib.auth.models import User | ||
/// | ||
/// User.objects.all().extra(select={'test': '%secure' % 'nos'}) | ||
/// ``` | ||
/// | ||
/// ## References | ||
/// - [Django documentation: SQL injection protection](https://docs.djangoproject.com/en/dev/topics/security/#sql-injection-protection) | ||
/// - [Common Weakness Enumeration: CWE-89](https://cwe.mitre.org/data/definitions/89.html) | ||
#[violation] | ||
pub struct DjangoExtra; | ||
|
||
impl Violation for DjangoExtra { | ||
#[derive_message_formats] | ||
fn message(&self) -> String { | ||
format!("Use of `extra` can lead to SQL injection vulnerabilities") | ||
} | ||
} | ||
|
||
/// S610 | ||
pub(crate) fn django_extra(checker: &mut Checker, call: &ast::ExprCall) { | ||
if !checker.semantic().seen_module(Modules::DJANGO) { | ||
return; | ||
} | ||
|
||
let Expr::Attribute(ExprAttribute { attr, .. }) = call.func.as_ref() else { | ||
return; | ||
}; | ||
|
||
if attr.as_str() != "extra" { | ||
return; | ||
} | ||
|
||
if is_call_insecure(call) { | ||
checker | ||
.diagnostics | ||
.push(Diagnostic::new(DjangoExtra, call.arguments.range())); | ||
} | ||
} | ||
|
||
fn is_call_insecure(call: &ast::ExprCall) -> bool { | ||
for (argument_name, position) in [("select", 0), ("where", 1), ("tables", 3)] { | ||
if let Some(argument) = call.arguments.find_argument(argument_name, position) { | ||
match argument_name { | ||
"select" => match argument { | ||
Expr::Dict(ExprDict { keys, values, .. }) => { | ||
if !keys.iter().flatten().all(Expr::is_string_literal_expr) { | ||
return true; | ||
} | ||
if !values.iter().all(Expr::is_string_literal_expr) { | ||
return true; | ||
} | ||
} | ||
_ => return true, | ||
}, | ||
"where" | "tables" => match argument { | ||
Expr::List(ExprList { elts, .. }) => { | ||
if !elts.iter().all(Expr::is_string_literal_expr) { | ||
return true; | ||
} | ||
} | ||
_ => return true, | ||
}, | ||
_ => (), | ||
} | ||
} | ||
} | ||
|
||
false | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
105 changes: 105 additions & 0 deletions
105
...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S610_S610.py.snap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
--- | ||
source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs | ||
--- | ||
S610.py:4:44: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
3 | # Errors | ||
4 | User.objects.filter(username='admin').extra(dict(could_be='insecure')) | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610 | ||
5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure')) | ||
6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'}) | ||
| | ||
|
||
S610.py:5:44: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
3 | # Errors | ||
4 | User.objects.filter(username='admin').extra(dict(could_be='insecure')) | ||
5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure')) | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610 | ||
6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'}) | ||
7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')}) | ||
| | ||
|
||
S610.py:6:44: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
4 | User.objects.filter(username='admin').extra(dict(could_be='insecure')) | ||
5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure')) | ||
6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'}) | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610 | ||
7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')}) | ||
8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos']) | ||
| | ||
|
||
S610.py:7:44: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure')) | ||
6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'}) | ||
7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')}) | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610 | ||
8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos']) | ||
9 | User.objects.filter(username='admin').extra(where=['{}secure'.format('no')]) | ||
| | ||
|
||
S610.py:8:44: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'}) | ||
7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')}) | ||
8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos']) | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610 | ||
9 | User.objects.filter(username='admin').extra(where=['{}secure'.format('no')]) | ||
| | ||
|
||
S610.py:9:44: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')}) | ||
8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos']) | ||
9 | User.objects.filter(username='admin').extra(where=['{}secure'.format('no')]) | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S610 | ||
10 | | ||
11 | query = '"username") AS "username", * FROM "auth_user" WHERE 1=1 OR "username"=? --' | ||
| | ||
|
||
S610.py:12:44: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
11 | query = '"username") AS "username", * FROM "auth_user" WHERE 1=1 OR "username"=? --' | ||
12 | User.objects.filter(username='admin').extra(select={'test': query}) | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^ S610 | ||
13 | | ||
14 | where_var = ['1=1) OR 1=1 AND (1=1'] | ||
| | ||
|
||
S610.py:15:44: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
14 | where_var = ['1=1) OR 1=1 AND (1=1'] | ||
15 | User.objects.filter(username='admin').extra(where=where_var) | ||
| ^^^^^^^^^^^^^^^^^ S610 | ||
16 | | ||
17 | where_str = '1=1) OR 1=1 AND (1=1' | ||
| | ||
|
||
S610.py:18:44: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
17 | where_str = '1=1) OR 1=1 AND (1=1' | ||
18 | User.objects.filter(username='admin').extra(where=[where_str]) | ||
| ^^^^^^^^^^^^^^^^^^^ S610 | ||
19 | | ||
20 | tables_var = ['django_content_type" WHERE "auth_user"."username"="admin'] | ||
| | ||
|
||
S610.py:21:25: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
20 | tables_var = ['django_content_type" WHERE "auth_user"."username"="admin'] | ||
21 | User.objects.all().extra(tables=tables_var).distinct() | ||
| ^^^^^^^^^^^^^^^^^^^ S610 | ||
22 | | ||
23 | tables_str = 'django_content_type" WHERE "auth_user"."username"="admin' | ||
| | ||
|
||
S610.py:24:25: S610 Use of `extra` can lead to SQL injection vulnerabilities | ||
| | ||
23 | tables_str = 'django_content_type" WHERE "auth_user"."username"="admin' | ||
24 | User.objects.all().extra(tables=[tables_str]).distinct() | ||
| ^^^^^^^^^^^^^^^^^^^^^ S610 | ||
25 | | ||
26 | # OK | ||
| |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.