[flake8-bandit] Implement django-raw-sql (S611)

astral-sh · Nov 13, 2023 · e8603aa · e8603aa
1 parent 9d167a1
commit e8603aa
Show file tree

Hide file tree

Showing 8 changed files with 141 additions and 0 deletions.
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S611.py b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S611.py
@@ -0,0 +1,13 @@
+from django.db.models.expressions import RawSQL
+from django.contrib.auth.models import User
+
+User.objects.annotate(val=RawSQL('secure', []))
+User.objects.annotate(val=RawSQL('%secure' % 'nos', []))
+User.objects.annotate(val=RawSQL('{}secure'.format('no'), []))
+raw = '"username") AS "val" FROM "auth_user" WHERE "username"="admin" --'
+User.objects.annotate(val=RawSQL(raw, []))
+raw = '"username") AS "val" FROM "auth_user"' \
+      ' WHERE "username"="admin" OR 1=%s --'
+User.objects.annotate(val=RawSQL(raw, [0]))
+User.objects.annotate(val=RawSQL(sql='{}secure'.format('no'), params=[]))
+User.objects.annotate(val=RawSQL(params=[], sql='{}secure'.format('no')))
diff --git a/crates/ruff_linter/src/checkers/ast/analyze/expression.rs b/crates/ruff_linter/src/checkers/ast/analyze/expression.rs
@@ -612,6 +612,9 @@ pub(crate) fn expression(expr: &Expr, checker: &mut Checker) {
             ]) {
                 flake8_bandit::rules::shell_injection(checker, call);
             }
+            if checker.enabled(Rule::DjangoRawSql) {
+                flake8_bandit::rules::django_raw_sql(checker, call);
+            }
             if checker.enabled(Rule::UnnecessaryGeneratorList) {
                 flake8_comprehensions::rules::unnecessary_generator_list(
                     checker, expr, func, args, keywords,

diff --git a/crates/ruff_linter/src/codes.rs b/crates/ruff_linter/src/codes.rs
@@ -629,6 +629,7 @@ pub fn code_to_rule(linter: Linter, code: &str) -> Option<(RuleGroup, Rule)> {
         (Flake8Bandit, "607") => (RuleGroup::Stable, rules::flake8_bandit::rules::StartProcessWithPartialPath),
         (Flake8Bandit, "608") => (RuleGroup::Stable, rules::flake8_bandit::rules::HardcodedSQLExpression),
         (Flake8Bandit, "609") => (RuleGroup::Stable, rules::flake8_bandit::rules::UnixCommandWildcardInjection),
+        (Flake8Bandit, "611") => (RuleGroup::Stable, rules::flake8_bandit::rules::DjangoRawSql),
         (Flake8Bandit, "612") => (RuleGroup::Stable, rules::flake8_bandit::rules::LoggingConfigInsecureListen),
         (Flake8Bandit, "701") => (RuleGroup::Stable, rules::flake8_bandit::rules::Jinja2AutoescapeFalse),
         (Flake8Bandit, "702") => (RuleGroup::Preview, rules::flake8_bandit::rules::MakoTemplates),

diff --git a/crates/ruff_linter/src/rules/flake8_bandit/mod.rs b/crates/ruff_linter/src/rules/flake8_bandit/mod.rs
@@ -50,6 +50,7 @@ mod tests {
     #[test_case(Rule::UnixCommandWildcardInjection, Path::new("S609.py"))]
     #[test_case(Rule::UnsafeYAMLLoad, Path::new("S506.py"))]
     #[test_case(Rule::WeakCryptographicKey, Path::new("S505.py"))]
+    #[test_case(Rule::DjangoRawSql, Path::new("S611.py"))]
     fn rules(rule_code: Rule, path: &Path) -> Result<()> {
         let snapshot = format!("{}_{}", rule_code.noqa_code(), path.to_string_lossy());
         let diagnostics = test_path(

diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/django_raw_sql.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/django_raw_sql.rs
@@ -0,0 +1,60 @@
+use ruff_diagnostics::{Diagnostic, Violation};
+use ruff_macros::{derive_message_formats, violation};
+use ruff_python_ast::{self as ast};
+use ruff_text_size::Ranged;
+
+use crate::checkers::ast::Checker;
+
+/// ## What it does
+/// Checks for Django that use `RawSQL` function.
+///
+/// ## Why is this bad?
+/// Django `RawSQL` function can cause SQL injection attack.
+///
+/// ## Example
+/// ```python
+/// from django.db.models.expressions import RawSQL
+/// from django.contrib.auth.models import User
+///
+/// User.objects.annotate(val=RawSQL("%secure" % "nos", []))
+/// ```
+///
+/// ## References
+/// - [Django documentation: API](https://docs.djangoproject.com/en/dev/ref/models/expressions/#django.db.models.expressions.RawSQL)
+/// - [Django documentation: sql injection protection](https://docs.djangoproject.com/en/dev/topics/security/#sql-injection-protection)
+/// - [Common Weakness Enumeration: CWE-89](https://cwe.mitre.org/data/definitions/89.html)
+#[violation]
+pub struct DjangoRawSql;
+
+impl Violation for DjangoRawSql {
+    #[derive_message_formats]
+    fn message(&self) -> String {
+        format!("Use of RawSQL potential SQL attack vector.")
+    }
+}
+
+/// S611
+pub(crate) fn django_raw_sql(checker: &mut Checker, call: &ast::ExprCall) {
+    if checker
+        .semantic()
+        .resolve_call_path(&call.func)
+        .is_some_and(|call_path| {
+            matches!(
+                call_path.as_slice(),
+                ["django", "db", "models", "expressions", "RawSQL"]
+            )
+        })
+    {
+        let sql = if let Some(arg) = call.arguments.find_argument("sql", 0) {
+            arg
+        } else {
+            &call.arguments.find_keyword("sql").unwrap().value
+        };
+
+        if !sql.is_string_literal_expr() {
+            checker
+                .diagnostics
+                .push(Diagnostic::new(DjangoRawSql, call.func.range()));
+        }
+    }
+}
diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/mod.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/mod.rs
@@ -1,5 +1,6 @@
 pub(crate) use assert_used::*;
 pub(crate) use bad_file_permissions::*;
+pub(crate) use django_raw_sql::*;
 pub(crate) use exec_used::*;
 pub(crate) use flask_debug_true::*;
 pub(crate) use hardcoded_bind_all_interfaces::*;
@@ -27,6 +28,7 @@ pub(crate) use weak_cryptographic_key::*;
 
 mod assert_used;
 mod bad_file_permissions;
+mod django_raw_sql;
 mod exec_used;
 mod flask_debug_true;
 mod hardcoded_bind_all_interfaces;

diff --git a/...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S611_S611.py.snap b/...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S611_S611.py.snap
@@ -0,0 +1,60 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+---
+S611.py:5:27: S611 Use of RawSQL potential SQL attack vector.
+  |
+4 | User.objects.annotate(val=RawSQL('secure', []))
+5 | User.objects.annotate(val=RawSQL('%secure' % 'nos', []))
+  |                           ^^^^^^ S611
+6 | User.objects.annotate(val=RawSQL('{}secure'.format('no'), []))
+7 | raw = '"username") AS "val" FROM "auth_user" WHERE "username"="admin" --'
+  |
+
+S611.py:6:27: S611 Use of RawSQL potential SQL attack vector.
+  |
+4 | User.objects.annotate(val=RawSQL('secure', []))
+5 | User.objects.annotate(val=RawSQL('%secure' % 'nos', []))
+6 | User.objects.annotate(val=RawSQL('{}secure'.format('no'), []))
+  |                           ^^^^^^ S611
+7 | raw = '"username") AS "val" FROM "auth_user" WHERE "username"="admin" --'
+8 | User.objects.annotate(val=RawSQL(raw, []))
+  |
+
+S611.py:8:27: S611 Use of RawSQL potential SQL attack vector.
+   |
+ 6 | User.objects.annotate(val=RawSQL('{}secure'.format('no'), []))
+ 7 | raw = '"username") AS "val" FROM "auth_user" WHERE "username"="admin" --'
+ 8 | User.objects.annotate(val=RawSQL(raw, []))
+   |                           ^^^^^^ S611
+ 9 | raw = '"username") AS "val" FROM "auth_user"' \
+10 |       ' WHERE "username"="admin" OR 1=%s --'
+   |
+
+S611.py:11:27: S611 Use of RawSQL potential SQL attack vector.
+   |
+ 9 | raw = '"username") AS "val" FROM "auth_user"' \
+10 |       ' WHERE "username"="admin" OR 1=%s --'
+11 | User.objects.annotate(val=RawSQL(raw, [0]))
+   |                           ^^^^^^ S611
+12 | User.objects.annotate(val=RawSQL(sql='{}secure'.format('no'), params=[]))
+13 | User.objects.annotate(val=RawSQL(params=[], sql='{}secure'.format('no')))
+   |
+
+S611.py:12:27: S611 Use of RawSQL potential SQL attack vector.
+   |
+10 |       ' WHERE "username"="admin" OR 1=%s --'
+11 | User.objects.annotate(val=RawSQL(raw, [0]))
+12 | User.objects.annotate(val=RawSQL(sql='{}secure'.format('no'), params=[]))
+   |                           ^^^^^^ S611
+13 | User.objects.annotate(val=RawSQL(params=[], sql='{}secure'.format('no')))
+   |
+
+S611.py:13:27: S611 Use of RawSQL potential SQL attack vector.
+   |
+11 | User.objects.annotate(val=RawSQL(raw, [0]))
+12 | User.objects.annotate(val=RawSQL(sql='{}secure'.format('no'), params=[]))
+13 | User.objects.annotate(val=RawSQL(params=[], sql='{}secure'.format('no')))
+   |                           ^^^^^^ S611
+   |
+
+
diff --git a/ruff.schema.json b/ruff.schema.json