@@ -8,6 +8,7 @@ private import experimental.dataflow.DataFlow
88private import experimental.dataflow.RemoteFlowSources
99private import experimental.dataflow.TaintTracking
1010private import experimental.semmle.python.Concepts
11+ private import experimental.semmle.python.frameworks.PEP249
1112private import semmle.python.regex
1213
1314/**
@@ -76,6 +77,10 @@ private module Django {
7677 /** Gets a reference to the `django.db` module. */
7778 DataFlow:: Node db ( ) { result = django_attr ( "db" ) }
7879
80+ class DjangoDb extends PEP249Module {
81+ DjangoDb ( ) { this = db ( ) }
82+ }
83+
7984 /** Provides models for the `django.db` module. */
8085 module db {
8186 /** Gets a reference to the `django.db.connection` object. */
@@ -92,45 +97,10 @@ private module Django {
9297 /** Gets a reference to the `django.db.connection` object. */
9398 DataFlow:: Node connection ( ) { result = connection ( DataFlow:: TypeTracker:: end ( ) ) }
9499
95- /** Provides models for the `django.db.connection.cursor` method. */
96- module cursor {
97- /** Gets a reference to the `django.db.connection.cursor` metod. */
98- private DataFlow:: Node methodRef ( DataFlow:: TypeTracker t ) {
99- t .start ( ) and
100- result = DataFlow:: importNode ( "django.db.connection.cursor" )
101- or
102- t .startInAttr ( "cursor" ) and
103- result = connection ( )
104- or
105- exists ( DataFlow:: TypeTracker t2 | result = methodRef ( t2 ) .track ( t2 , t ) )
106- }
107-
108- /** Gets a reference to the `django.db.connection.cursor` metod. */
109- DataFlow:: Node methodRef ( ) { result = methodRef ( DataFlow:: TypeTracker:: end ( ) ) }
110-
111- /** Gets a reference to a result of calling `django.db.connection.cursor`. */
112- private DataFlow:: Node methodResult ( DataFlow:: TypeTracker t ) {
113- t .start ( ) and
114- result .asCfgNode ( ) .( CallNode ) .getFunction ( ) = methodRef ( ) .asCfgNode ( )
115- or
116- exists ( DataFlow:: TypeTracker t2 | result = methodResult ( t2 ) .track ( t2 , t ) )
117- }
118-
119- /** Gets a reference to a result of calling `django.db.connection.cursor`. */
120- DataFlow:: Node methodResult ( ) { result = methodResult ( DataFlow:: TypeTracker:: end ( ) ) }
100+ class DjangoDbConnection extends Connection:: InstanceSource {
101+ DjangoDbConnection ( ) { this = connection ( ) }
121102 }
122103
123- /** Gets a reference to the `django.db.connection.cursor.execute` function. */
124- private DataFlow:: Node execute ( DataFlow:: TypeTracker t ) {
125- t .startInAttr ( "execute" ) and
126- result = cursor:: methodResult ( )
127- or
128- exists ( DataFlow:: TypeTracker t2 | result = execute ( t2 ) .track ( t2 , t ) )
129- }
130-
131- /** Gets a reference to the `django.db.connection.cursor.execute` function. */
132- DataFlow:: Node execute ( ) { result = execute ( DataFlow:: TypeTracker:: end ( ) ) }
133-
134104 // -------------------------------------------------------------------------
135105 // django.db.models
136106 // -------------------------------------------------------------------------
@@ -305,23 +275,6 @@ private module Django {
305275 }
306276 }
307277
308- /**
309- * A call to the `django.db.connection.cursor.execute` function.
310- *
311- * See
312- * - https://docs.djangoproject.com/en/3.1/topics/db/sql/#executing-custom-sql-directly
313- * - https://docs.djangoproject.com/en/3.1/topics/db/sql/#connections-and-cursors
314- */
315- private class DbConnectionExecute extends SqlExecution:: Range , DataFlow:: CfgNode {
316- override CallNode node ;
317-
318- DbConnectionExecute ( ) { node .getFunction ( ) = django:: db:: execute ( ) .asCfgNode ( ) }
319-
320- override DataFlow:: Node getSql ( ) {
321- result .asCfgNode ( ) in [ node .getArg ( 0 ) , node .getArgByName ( "sql" ) ]
322- }
323- }
324-
325278 /**
326279 * A call to the `annotate` function on a model using a `RawSQL` argument.
327280 *
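Review bot: Sink coverage for `cursor.execute(sql=...)` now depends entirely on the PEP249 library, which this diff does not show. The removed `DbConnectionExecute.getSql()` (hunk at -305,23) accepted both `node.getArg(0)` and `node.getArgByName("sql")`, and the removed `methodRef` (hunk at -92,45) also matched `DataFlow::importNode("django.db.connection.cursor")`. If the shared model handles only the positional argument, SQL-injection queries would silently lose results on Django code, so a test case using the keyword form should accompany this change. The new classes `DjangoDb` and `DjangoDbConnection` are also the only members in these hunks without QLDoc; `/** The django.db module, modeled as a PEP 249 module. */` and `/** The django.db.connection object, modeled as a PEP 249 connection. */` would match the rest of the file. The enclosing `Django` module starts and ends outside the visible hunks.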