-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[flake8-bandit] Implement django-raw-sql (S611)
- Loading branch information
Showing
8 changed files
with
141 additions
and
0 deletions.
There are no files selected for viewing
13 changes: 13 additions & 0 deletions
13
crates/ruff_linter/resources/test/fixtures/flake8_bandit/S611.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
from django.db.models.expressions import RawSQL | ||
from django.contrib.auth.models import User | ||
|
||
User.objects.annotate(val=RawSQL('secure', [])) | ||
User.objects.annotate(val=RawSQL('%secure' % 'nos', [])) | ||
User.objects.annotate(val=RawSQL('{}secure'.format('no'), [])) | ||
raw = '"username") AS "val" FROM "auth_user" WHERE "username"="admin" --' | ||
User.objects.annotate(val=RawSQL(raw, [])) | ||
raw = '"username") AS "val" FROM "auth_user"' \ | ||
' WHERE "username"="admin" OR 1=%s --' | ||
User.objects.annotate(val=RawSQL(raw, [0])) | ||
User.objects.annotate(val=RawSQL(sql='{}secure'.format('no'), params=[])) | ||
User.objects.annotate(val=RawSQL(params=[], sql='{}secure'.format('no'))) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
60 changes: 60 additions & 0 deletions
60
crates/ruff_linter/src/rules/flake8_bandit/rules/django_raw_sql.rs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
use ruff_diagnostics::{Diagnostic, Violation}; | ||
use ruff_macros::{derive_message_formats, violation}; | ||
use ruff_python_ast::{self as ast}; | ||
use ruff_text_size::Ranged; | ||
|
||
use crate::checkers::ast::Checker; | ||
|
||
/// ## What it does | ||
/// Checks for Django that use `RawSQL` function. | ||
/// | ||
/// ## Why is this bad? | ||
/// Django `RawSQL` function can cause SQL injection attack. | ||
/// | ||
/// ## Example | ||
/// ```python | ||
/// from django.db.models.expressions import RawSQL | ||
/// from django.contrib.auth.models import User | ||
/// | ||
/// User.objects.annotate(val=RawSQL('%secure' % 'nos', [])) | ||
/// ``` | ||
/// | ||
/// ## References | ||
/// - [Django documentation: API](https://docs.djangoproject.com/en/dev/ref/models/expressions/#django.db.models.expressions.RawSQL) | ||
/// - [Django documentation: sql injection protection](https://docs.djangoproject.com/en/dev/topics/security/#sql-injection-protection) | ||
/// - [Common Weakness Enumeration: CWE-89](https://cwe.mitre.org/data/definitions/89.html) | ||
#[violation] | ||
pub struct DjangoRawSql; | ||
|
||
impl Violation for DjangoRawSql { | ||
#[derive_message_formats] | ||
fn message(&self) -> String { | ||
format!("Use of RawSQL potential SQL attack vector.") | ||
} | ||
} | ||
|
||
/// S611 | ||
pub(crate) fn django_raw_sql(checker: &mut Checker, call: &ast::ExprCall) { | ||
if checker | ||
.semantic() | ||
.resolve_call_path(&call.func) | ||
.is_some_and(|call_path| { | ||
matches!( | ||
call_path.as_slice(), | ||
["django", "db", "models", "expressions", "RawSQL"] | ||
) | ||
}) | ||
{ | ||
let sql = if let Some(arg) = call.arguments.find_argument("sql", 0) { | ||
arg | ||
} else { | ||
&call.arguments.find_keyword("sql").unwrap().value | ||
}; | ||
|
||
if !sql.is_string_literal_expr() { | ||
checker | ||
.diagnostics | ||
.push(Diagnostic::new(DjangoRawSql, call.func.range())); | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
60 changes: 60 additions & 0 deletions
60
...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S611_S611.py.snap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
--- | ||
source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs | ||
--- | ||
S611.py:5:27: S611 Use of RawSQL potential SQL attack vector. | ||
| | ||
4 | User.objects.annotate(val=RawSQL('secure', [])) | ||
5 | User.objects.annotate(val=RawSQL('%secure' % 'nos', [])) | ||
| ^^^^^^ S611 | ||
6 | User.objects.annotate(val=RawSQL('{}secure'.format('no'), [])) | ||
7 | raw = '"username") AS "val" FROM "auth_user" WHERE "username"="admin" --' | ||
| | ||
|
||
S611.py:6:27: S611 Use of RawSQL potential SQL attack vector. | ||
| | ||
4 | User.objects.annotate(val=RawSQL('secure', [])) | ||
5 | User.objects.annotate(val=RawSQL('%secure' % 'nos', [])) | ||
6 | User.objects.annotate(val=RawSQL('{}secure'.format('no'), [])) | ||
| ^^^^^^ S611 | ||
7 | raw = '"username") AS "val" FROM "auth_user" WHERE "username"="admin" --' | ||
8 | User.objects.annotate(val=RawSQL(raw, [])) | ||
| | ||
|
||
S611.py:8:27: S611 Use of RawSQL potential SQL attack vector. | ||
| | ||
6 | User.objects.annotate(val=RawSQL('{}secure'.format('no'), [])) | ||
7 | raw = '"username") AS "val" FROM "auth_user" WHERE "username"="admin" --' | ||
8 | User.objects.annotate(val=RawSQL(raw, [])) | ||
| ^^^^^^ S611 | ||
9 | raw = '"username") AS "val" FROM "auth_user"' \ | ||
10 | ' WHERE "username"="admin" OR 1=%s --' | ||
| | ||
|
||
S611.py:11:27: S611 Use of RawSQL potential SQL attack vector. | ||
| | ||
9 | raw = '"username") AS "val" FROM "auth_user"' \ | ||
10 | ' WHERE "username"="admin" OR 1=%s --' | ||
11 | User.objects.annotate(val=RawSQL(raw, [0])) | ||
| ^^^^^^ S611 | ||
12 | User.objects.annotate(val=RawSQL(sql='{}secure'.format('no'), params=[])) | ||
13 | User.objects.annotate(val=RawSQL(params=[], sql='{}secure'.format('no'))) | ||
| | ||
|
||
S611.py:12:27: S611 Use of RawSQL potential SQL attack vector. | ||
| | ||
10 | ' WHERE "username"="admin" OR 1=%s --' | ||
11 | User.objects.annotate(val=RawSQL(raw, [0])) | ||
12 | User.objects.annotate(val=RawSQL(sql='{}secure'.format('no'), params=[])) | ||
| ^^^^^^ S611 | ||
13 | User.objects.annotate(val=RawSQL(params=[], sql='{}secure'.format('no'))) | ||
| | ||
|
||
S611.py:13:27: S611 Use of RawSQL potential SQL attack vector. | ||
| | ||
11 | User.objects.annotate(val=RawSQL(raw, [0])) | ||
12 | User.objects.annotate(val=RawSQL(sql='{}secure'.format('no'), params=[])) | ||
13 | User.objects.annotate(val=RawSQL(params=[], sql='{}secure'.format('no'))) | ||
| ^^^^^^ S611 | ||
| | ||
|
||
|
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.