| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139 |
- #
- # Copyright (C) 2018 [Victor Torre](https://github.com/ehooo)
- #
- # SPDX-License-Identifier: Apache-2.0
- import ast
- import bandit
- from bandit.core import issue
- from bandit.core import test_properties as test
- def keywords2dict(keywords):
- kwargs = {}
- for node in keywords:
- if isinstance(node, ast.keyword):
- kwargs[node.arg] = node.value
- return kwargs
- @test.checks("Call")
- @test.test_id("B610")
- def django_extra_used(context):
- """**B610: Potential SQL injection on extra function**
- :Example:
- .. code-block:: none
- >> Issue: [B610:django_extra_used] Use of extra potential SQL attack vector.
- Severity: Medium Confidence: Medium
- CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
- Location: examples/django_sql_injection_extra.py:29:0
- More Info: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html
- 28 tables_str = 'django_content_type" WHERE "auth_user"."username"="admin'
- 29 User.objects.all().extra(tables=[tables_str]).distinct()
- .. seealso::
- - https://docs.djangoproject.com/en/dev/topics/security/\
- #sql-injection-protection
- - https://cwe.mitre.org/data/definitions/89.html
- .. versionadded:: 1.5.0
- .. versionchanged:: 1.7.3
- CWE information added
- """ # noqa: E501
- description = "Use of extra potential SQL attack vector."
- if context.call_function_name == "extra":
- kwargs = keywords2dict(context.node.keywords)
- args = context.node.args
- if args:
- if len(args) >= 1:
- kwargs["select"] = args[0]
- if len(args) >= 2:
- kwargs["where"] = args[1]
- if len(args) >= 3:
- kwargs["params"] = args[2]
- if len(args) >= 4:
- kwargs["tables"] = args[3]
- if len(args) >= 5:
- kwargs["order_by"] = args[4]
- if len(args) >= 6:
- kwargs["select_params"] = args[5]
- insecure = False
- for key in ["where", "tables"]:
- if key in kwargs:
- if isinstance(kwargs[key], ast.List):
- for val in kwargs[key].elts:
- if not isinstance(val, ast.Str):
- insecure = True
- break
- else:
- insecure = True
- break
- if not insecure and "select" in kwargs:
- if isinstance(kwargs["select"], ast.Dict):
- for k in kwargs["select"].keys:
- if not isinstance(k, ast.Str):
- insecure = True
- break
- if not insecure:
- for v in kwargs["select"].values:
- if not isinstance(v, ast.Str):
- insecure = True
- break
- else:
- insecure = True
- if insecure:
- return bandit.Issue(
- severity=bandit.MEDIUM,
- confidence=bandit.MEDIUM,
- cwe=issue.Cwe.SQL_INJECTION,
- text=description,
- )
- @test.checks("Call")
- @test.test_id("B611")
- def django_rawsql_used(context):
- """**B611: Potential SQL injection on RawSQL function**
- :Example:
- .. code-block:: none
- >> Issue: [B611:django_rawsql_used] Use of RawSQL potential SQL attack vector.
- Severity: Medium Confidence: Medium
- CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
- Location: examples/django_sql_injection_raw.py:11:26
- More Info: https://bandit.readthedocs.io/en/latest/plugins/b611_django_rawsql_used.html
- 10 ' WHERE "username"="admin" OR 1=%s --'
- 11 User.objects.annotate(val=RawSQL(raw, [0]))
- .. seealso::
- - https://docs.djangoproject.com/en/dev/topics/security/\
- #sql-injection-protection
- - https://cwe.mitre.org/data/definitions/89.html
- .. versionadded:: 1.5.0
- .. versionchanged:: 1.7.3
- CWE information added
- """ # noqa: E501
- description = "Use of RawSQL potential SQL attack vector."
- if context.is_module_imported_like("django.db.models"):
- if context.call_function_name == "RawSQL":
- sql = context.node.args[0]
- if not isinstance(sql, ast.Str):
- return bandit.Issue(
- severity=bandit.MEDIUM,
- confidence=bandit.MEDIUM,
- cwe=issue.Cwe.SQL_INJECTION,
- text=description,
- )
|
