src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/djangoSqlInjection.py

branch
eric7
changeset 9221
bf71ee032bb4
parent 9209
b99e7fd55fd3
child 9653
e67609152c5e
9220:e9e7eca7efee 9221:bf71ee032bb4
21 21
22 22
23 def getChecks(): 23 def getChecks():
24 """ 24 """
25 Public method to get a dictionary with checks handled by this module. 25 Public method to get a dictionary with checks handled by this module.
26 26
27 @return dictionary containing checker lists containing checker function and 27 @return dictionary containing checker lists containing checker function and
28 list of codes 28 list of codes
29 @rtype dict 29 @rtype dict
30 """ 30 """
31 return { 31 return {
37 37
38 38
39 def keywords2dict(keywords): 39 def keywords2dict(keywords):
40 """ 40 """
41 Function to extract keywords arguments into a dictionary. 41 Function to extract keywords arguments into a dictionary.
42 42
43 @param keywords list of keyword nodes 43 @param keywords list of keyword nodes
44 @type list of ast.keyword 44 @type list of ast.keyword
45 @return dictionary with keyword name and value 45 @return dictionary with keyword name and value
46 @rtype dict 46 @rtype dict
47 """ 47 """
53 53
54 54
55 def checkDjangoExtraUsed(reportError, context, config): 55 def checkDjangoExtraUsed(reportError, context, config):
56 """ 56 """
57 Function to check for potential SQL injection on extra function. 57 Function to check for potential SQL injection on extra function.
58 58
59 @param reportError function to be used to report errors 59 @param reportError function to be used to report errors
60 @type func 60 @type func
61 @param context security context object 61 @param context security context object
62 @type SecurityContext 62 @type SecurityContext
63 @param config dictionary with configuration data 63 @param config dictionary with configuration data
64 @type dict 64 @type dict
65 """ 65 """
66 if context.callFunctionName == 'extra': 66 if context.callFunctionName == "extra":
67 kwargs = keywords2dict(context.node.keywords) 67 kwargs = keywords2dict(context.node.keywords)
68 args = context.node.args 68 args = context.node.args
69 if args: 69 if args:
70 if len(args) >= 1: 70 if len(args) >= 1:
71 kwargs['select'] = args[0] 71 kwargs["select"] = args[0]
72 if len(args) >= 2: 72 if len(args) >= 2:
73 kwargs['where'] = args[1] 73 kwargs["where"] = args[1]
74 if len(args) >= 3: 74 if len(args) >= 3:
75 kwargs['params'] = args[2] 75 kwargs["params"] = args[2]
76 if len(args) >= 4: 76 if len(args) >= 4:
77 kwargs['tables'] = args[3] 77 kwargs["tables"] = args[3]
78 if len(args) >= 5: 78 if len(args) >= 5:
79 kwargs['order_by'] = args[4] 79 kwargs["order_by"] = args[4]
80 if len(args) >= 6: 80 if len(args) >= 6:
81 kwargs['select_params'] = args[5] 81 kwargs["select_params"] = args[5]
82 insecure = False 82 insecure = False
83 for key in ['where', 'tables']: 83 for key in ["where", "tables"]:
84 if key in kwargs: 84 if key in kwargs:
85 if isinstance(kwargs[key], ast.List): 85 if isinstance(kwargs[key], ast.List):
86 for val in kwargs[key].elts: 86 for val in kwargs[key].elts:
87 if not AstUtilities.isString(val): 87 if not AstUtilities.isString(val):
88 insecure = True 88 insecure = True
89 break 89 break
90 else: 90 else:
91 insecure = True 91 insecure = True
92 break 92 break
93 if not insecure and 'select' in kwargs: 93 if not insecure and "select" in kwargs:
94 if isinstance(kwargs['select'], ast.Dict): 94 if isinstance(kwargs["select"], ast.Dict):
95 for k in kwargs['select'].keys: 95 for k in kwargs["select"].keys:
96 if not AstUtilities.isString(k): 96 if not AstUtilities.isString(k):
97 insecure = True 97 insecure = True
98 break 98 break
99 if not insecure: 99 if not insecure:
100 for v in kwargs['select'].values: 100 for v in kwargs["select"].values:
101 if not AstUtilities.isString(v): 101 if not AstUtilities.isString(v):
102 insecure = True 102 insecure = True
103 break 103 break
104 else: 104 else:
105 insecure = True 105 insecure = True
106 106
107 if insecure: 107 if insecure:
108 reportError( 108 reportError(
109 context.node.lineno - 1, 109 context.node.lineno - 1, context.node.col_offset, "S610", "M", "M"
110 context.node.col_offset,
111 "S610",
112 "M",
113 "M"
114 ) 110 )
115 111
116 112
117 def checkDjangoRawSqlUsed(reportError, context, config): 113 def checkDjangoRawSqlUsed(reportError, context, config):
118 """ 114 """
119 Function to check for potential SQL injection on RawSQL function. 115 Function to check for potential SQL injection on RawSQL function.
120 116
121 @param reportError function to be used to report errors 117 @param reportError function to be used to report errors
122 @type func 118 @type func
123 @param context security context object 119 @param context security context object
124 @type SecurityContext 120 @type SecurityContext
125 @param config dictionary with configuration data 121 @param config dictionary with configuration data
126 @type dict 122 @type dict
127 """ 123 """
128 if ( 124 if (
129 context.isModuleImportedLike('django.db.models') and 125 context.isModuleImportedLike("django.db.models")
130 context.callFunctionName == 'RawSQL' 126 and context.callFunctionName == "RawSQL"
131 ): 127 ):
132 sql = context.node.args[0] 128 sql = context.node.args[0]
133 if not AstUtilities.isString(sql): 129 if not AstUtilities.isString(sql):
134 reportError( 130 reportError(
135 context.node.lineno - 1, 131 context.node.lineno - 1, context.node.col_offset, "S611", "M", "M"
136 context.node.col_offset,
137 "S611",
138 "M",
139 "M"
140 ) 132 )
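Review bot: `sql = context.node.args[0]` in checkDjangoRawSqlUsed (new line 128) raises IndexError when RawSQL is called with keyword arguments only, e.g. `RawSQL(sql=..., params=...)`, because `args` is then empty; the reformat leaves this unguarded. Whether the surrounding checker framework catches exceptions per check is not visible here, but an unhandled IndexError would at best abort the S611 check for that file and at worst the whole run. checkDjangoExtraUsed in the same file already tolerates missing positionals via keywords2dict, so the same pattern fits: `kwargs = keywords2dict(context.node.keywords)` / `sql = context.node.args[0] if context.node.args else kwargs.get("sql")` / `if sql is not None and not AstUtilities.isString(sql):`. A keyword-only RawSQL call is then inspected for a non-literal SQL string rather than crashing the checker.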
