psycopg-sqli.yaml

rules:
- id: psycopg-sqli
  languages:
  - python
  message: >-
    Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the
    variable is user-controlled
    and not properly sanitized. In order to prevent SQL injection,
    use parameterized queries or prepared statements instead.
    You can use parameterized statements like so:
    `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`
  mode: taint
  metadata:
    references:
    - https://www.psycopg.org/docs/cursor.html#cursor.execute
    - https://www.psycopg.org/docs/cursor.html#cursor.executemany
    - https://www.psycopg.org/docs/cursor.html#cursor.mogrify
    category: security
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    cwe:
    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
    technology:
    - aws-lambda
    - psycopg
    - psycopg2
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: HIGH
    impact: MEDIUM
    confidence: MEDIUM
  pattern-sinks:
  - patterns:
    - focus-metavariable: $QUERY
    - pattern-either:
      - pattern: $CURSOR.execute($QUERY,...)
      - pattern: $CURSOR.executemany($QUERY,...)
      - pattern: $CURSOR.mogrify($QUERY,...)
    - pattern-inside: |
        import psycopg2
        ...
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  severity: WARNING