Home Explore Help
Sign In
sintez
/
py_task
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: c91ea224e8
Branches Tags
py_task
/
venv
/
lib
/
python3.9
/
site-packages
/
bandit
/
plugins
/
injection_sql.py

injection_sql.py 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127 
  1. #
    2. 

  2. # Copyright 2014 Hewlett-Packard Development Company, L.P.
    3. 

  3. #
    4. 

  4. # SPDX-License-Identifier: Apache-2.0
    5. 

  5. r"""
    6. 

  6. ============================
    7. 

  7. B608: Test for SQL injection
    8. 

  8. ============================
    9. 

  9. 

  10. An SQL injection attack consists of insertion or "injection" of a SQL query via
    11. 

  11. the input data given to an application. It is a very common attack vector. This
    12. 

  12. plugin test looks for strings that resemble SQL statements that are involved in
    13. 

  13. some form of string building operation. For example:
    14. 

  14. 

  15.  - "SELECT %s FROM derp;" % var
    16. 

  16.  - "SELECT thing FROM " + tab
    17. 

  17.  - "SELECT " + val + " FROM " + tab + ...
    18. 

  18.  - "SELECT {} FROM derp;".format(var)
    19. 

  19.  - f"SELECT foo FROM bar WHERE id = {product}"
    20. 

  20. 

  21. Unless care is taken to sanitize and control the input data when building such
    22. 

  22. SQL statement strings, an injection attack becomes possible. If strings of this
    23. 

  23. nature are discovered, a LOW confidence issue is reported. In order to boost
    24. 

  24. result confidence, this plugin test will also check to see if the discovered
    25. 

  25. string is in use with standard Python DBAPI calls `execute` or `executemany`.
    26. 

  26. If so, a MEDIUM issue is reported. For example:
    27. 

  27. 

  28.  - cursor.execute("SELECT %s FROM derp;" % var)
    29. 

  29. 

  30. 

  31. :Example:
    32. 

  32. 

  33. .. code-block:: none
    34. 

  34. 

  35.     >> Issue: Possible SQL injection vector through string-based query
    36. 

  36.     construction.
    37. 

  37.        Severity: Medium   Confidence: Low
    38. 

  38.        CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
    39. 

  39.        Location: ./examples/sql_statements.py:4
    40. 

  40.     3 query = "DELETE FROM foo WHERE id = '%s'" % identifier
    41. 

  41.     4 query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier
    42. 

  42.     5
    43. 

  43. 

  44. .. seealso::
    45. 

  45. 

  46.  - https://www.owasp.org/index.php/SQL_Injection
    47. 

  47.  - https://security.openstack.org/guidelines/dg_parameterize-database-queries.html
    48. 

  48.  - https://cwe.mitre.org/data/definitions/89.html
    49. 

  49. 

  50. .. versionadded:: 0.9.0
    51. 

  51. 

  52. .. versionchanged:: 1.7.3
    53. 

  53.     CWE information added
    54. 

  54. 

  55. """  # noqa: E501
    56. 

  56. import ast
    57. 

  57. import re
    58. 

  58. 

  59. import bandit
    60. 

  60. from bandit.core import issue
    61. 

  61. from bandit.core import test_properties as test
    62. 

  62. from bandit.core import utils
    63. 

  63. 

  64. SIMPLE_SQL_RE = re.compile(
    65. 

  65.     r"(select\s.*from\s|"
    66. 

  66.     r"delete\s+from\s|"
    67. 

  67.     r"insert\s+into\s.*values\s|"
    68. 

  68.     r"update\s.*set\s)",
    69. 

  69.     re.IGNORECASE | re.DOTALL,
    70. 

  70. )
    71. 

  71. 

  72. 

  73. def _check_string(data):
    74. 

  74.     return SIMPLE_SQL_RE.search(data) is not None
    75. 

  75. 

  76. 

  77. def _evaluate_ast(node):
    78. 

  78.     wrapper = None
    79. 

  79.     statement = ""
    80. 

  80. 

  81.     if isinstance(node._bandit_parent, ast.BinOp):
    82. 

  82.         out = utils.concat_string(node, node._bandit_parent)
    83. 

  83.         wrapper = out[0]._bandit_parent
    84. 

  84.         statement = out[1]
    85. 

  85.     elif (
    86. 

  86.         isinstance(node._bandit_parent, ast.Attribute)
    87. 

  87.         and node._bandit_parent.attr == "format"
    88. 

  88.     ):
    89. 

  89.         statement = node.s
    90. 

  90.         # Hierarchy for "".format() is Wrapper -> Call -> Attribute -> Str
    91. 

  91.         wrapper = node._bandit_parent._bandit_parent._bandit_parent
    92. 

  92.     elif hasattr(ast, "JoinedStr") and isinstance(
    93. 

  93.         node._bandit_parent, ast.JoinedStr
    94. 

  94.     ):
    95. 

  95.         substrings = [
    96. 

  96.             child
    97. 

  97.             for child in node._bandit_parent.values
    98. 

  98.             if isinstance(child, ast.Str)
    99. 

  99.         ]
    100. 

  100.         # JoinedStr consists of list of Constant and FormattedValue
    101. 

  101.         # instances. Let's perform one test for the whole string
    102. 

  102.         # and abandon all parts except the first one to raise one
    103. 

  103.         # failed test instead of many for the same SQL statement.
    104. 

  104.         if substrings and node == substrings[0]:
    105. 

  105.             statement = "".join([str(child.s) for child in substrings])
    106. 

  106.             wrapper = node._bandit_parent._bandit_parent
    107. 

  107. 

  108.     if isinstance(wrapper, ast.Call):  # wrapped in "execute" call?
    109. 

  109.         names = ["execute", "executemany"]
    110. 

  110.         name = utils.get_called_name(wrapper)
    111. 

  111.         return (name in names, statement)
    112. 

  112.     else:
    113. 

  113.         return (False, statement)
    114. 

  114. 

  115. 

  116. @test.checks("Str")
    117. 

  117. @test.test_id("B608")
    118. 

  118. def hardcoded_sql_expressions(context):
    119. 

  119.     val = _evaluate_ast(context.node)
    120. 

  120.     if _check_string(val[1]):
    121. 

  121.         return bandit.Issue(
    122. 

  122.             severity=bandit.MEDIUM,
    123. 

  123.             confidence=bandit.MEDIUM if val[0] else bandit.LOW,
    124. 

  124.             cwe=issue.Cwe.SQL_INJECTION,
    125. 

  125.             text="Possible SQL injection vector through string-based "
    126. 

  126.             "query construction.",
    127. 

  127.         )
    128.