
Commit 9fe031d

Merge pull request #19594 from sylwia-budzynska/pandas-sqli
Python: Add Pandas SQLi sinks
2 parents bf39058 + e666592 commit 9fe031d

3 files changed

+21
-3
lines changed

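--- a/python/ql/lib/semmle/python/frameworks/Pandas.qll
+++ b/python/ql/lib/semmle/python/frameworks/Pandas.qll
@@ -151,4 +151,17 @@ private module Pandas {
 
 override DataFlow::Node getCode() { result = this.getParameter(0, "expr").asSink() }
 }
+
+/**
+* A Call to `pandas.read_sql` or `pandas.read_sql_query`
+* which allows for executing raw SQL queries against a database.
+* See https://pandas.pydata.org/docs/reference/api/pandas.read_sql.html
+*/
+class ReadSqlCall extends SqlExecution::Range, DataFlow::CallCfgNode {
+ReadSqlCall() {
+this = API::moduleImport("pandas").getMember(["read_sql", "read_sql_query"]).getACall()
+}
+
+override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("sql")] }
+}
 }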
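Review bot: `getSql()` resolves the query argument by hand with `this.getArg(0)` / `this.getArgByName("sql")`, while the neighbouring `getCode()` model three lines above the new class goes through the API graph with `this.getParameter(0, "expr").asSink()`; for consistency `ReadSqlCall` could extend `API::CallNode` like its sibling and define `override DataFlow::Node getSql() { result = this.getParameter(0, "sql").asSink() }` (the sibling's class header is outside this hunk, so confirm its base type first). The model matches only the top-level `pandas` members; I believe pandas also exposes these functions as `pandas.io.sql.read_sql` / `read_sql_query`, which `API::moduleImport("pandas").getMember(...)` would not catch, so either add that path or leave a comment noting the gap. The QLDoc should also make the trust boundary explicit, e.g. `* Only the `sql` argument is a sink; values passed through `params` are bound by the driver and are not modelled as SQL.` The enclosing `private module Pandas` starts before this hunk.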
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Added SQL injection models from the `pandas` PyPI package.

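--- a/python/ql/test/library-tests/frameworks/pandas/dataframe_query.py
+++ b/python/ql/test/library-tests/frameworks/pandas/dataframe_query.py
@@ -1,5 +1,5 @@
 import pandas as pd
-
+import sqlite3
 
 df = pd.DataFrame({'temp_c': [17.0, 25.0]}, index=['Portland', 'Berkeley'])
 df.sample().query("query") # $getCode="query"
@@ -55,11 +55,12 @@
 df.query("query") # $getCode="query"
 df.eval("query") # $getCode="query"
 
-df = pd.read_sql_query("filepath", 'postgres:///db_name')
+connection = sqlite3.connect("pets.db")
+df = pd.read_sql_query("sql query", connection) # $getSql="sql query"
 df.query("query") # $getCode="query"
 df.eval("query") # $getCode="query"
 
-df = pd.read_sql("filepath", 'postgres:///db_name')
+df = pd.read_sql("sql query", connection) # $getSql="sql query"
 df.query("query") # $getCode="query"
 df.eval("query") # $getCode="query"
 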
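Review bot: Both new `$getSql` expectations pass the query positionally, so the `getArgByName("sql")` branch that the accompanying model adds is never exercised by this test; add a keyword form next to the positional ones, e.g. `df = pd.read_sql_query(sql="sql query", con=connection) # $getSql="sql query"` and the same for `pd.read_sql`. A call that uses the driver's parameter binding, `pd.read_sql("sql query", connection, params=(1,)) # $getSql="sql query"`, would also pin that `params` is deliberately not flagged as a sink, which is the distinction the SQLi query relies on. The `connection` variable introduced on line 58 is reused by the second hunk's `read_sql` call, so the two hunks are not independent.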