--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/djangoSqlInjection.py Wed Jul 13 11:16:20 2022 +0200
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/djangoSqlInjection.py Wed Jul 13 14:55:47 2022 +0200
@@ -23,7 +23,7 @@
 def getChecks():
 """
 Public method to get a dictionary with checks handled by this module.
-
+
 @return dictionary containing checker lists containing checker function
 and list of codes
 @rtype dict
@@ -39,7 +39,7 @@
 def keywords2dict(keywords):
 """
 Function to extract keywords arguments into a dictionary.
-
+
 @param keywords list of keyword nodes
 @type list of ast.keyword
 @return dictionary with keyword name and value
@@ -55,7 +55,7 @@
 def checkDjangoExtraUsed(reportError, context, config):
 """
 Function to check for potential SQL injection on extra function.
-
+
 @param reportError function to be used to report errors
 @type func
 @param context security context object
@@ -63,24 +63,24 @@
 @param config dictionary with configuration data
 @type dict
 """
- if context.callFunctionName == 'extra':
+ if context.callFunctionName == "extra":
 kwargs = keywords2dict(context.node.keywords)
 args = context.node.args
 if args:
 if len(args) >= 1:
- kwargs['select'] = args[0]
+ kwargs["select"] = args[0]
 if len(args) >= 2:
- kwargs['where'] = args[1]
+ kwargs["where"] = args[1]
 if len(args) >= 3:
- kwargs['params'] = args[2]
+ kwargs["params"] = args[2]
 if len(args) >= 4:
- kwargs['tables'] = args[3]
+ kwargs["tables"] = args[3]
 if len(args) >= 5:
- kwargs['order_by'] = args[4]
+ kwargs["order_by"] = args[4]
 if len(args) >= 6:
- kwargs['select_params'] = args[5]
+ kwargs["select_params"] = args[5]
 insecure = False
- for key in ['where', 'tables']:
+ for key in ["where", "tables"]:
 if key in kwargs:
 if isinstance(kwargs[key], ast.List):
 for val in kwargs[key].elts:
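Review bot: The positional-argument mapping near the top of the `@@ -63,24 +63,24 @@` hunk nests `if len(args) >= 1:` inside `if args:`, so the first length test is always true once the outer guard passes, and the six hand-written length checks restate what appears to be the parameter order of Django's `QuerySet.extra()`. The same keys for the same positions, with the truncation on short argument lists preserved, can be written as `for name, arg in zip(("select", "where", "params", "tables", "order_by", "select_params"), args):` followed by `kwargs[name] = arg`, which removes the redundant guard and keeps the mapping in one place. A comment such as `# positional arguments follow the order of the extra() signature, so they can be checked under the same names as keyword arguments` would explain why the order matters for the `where`/`tables` loop that follows. checkDjangoExtraUsed's body continues outside the hunk.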
@@ -90,34 +90,30 @@
 else:
 insecure = True
 break
- if not insecure and 'select' in kwargs:
- if isinstance(kwargs['select'], ast.Dict):
- for k in kwargs['select'].keys:
+ if not insecure and "select" in kwargs:
+ if isinstance(kwargs["select"], ast.Dict):
+ for k in kwargs["select"].keys:
 if not AstUtilities.isString(k):
 insecure = True
 break
 if not insecure:
- for v in kwargs['select'].values:
+ for v in kwargs["select"].values:
 if not AstUtilities.isString(v):
 insecure = True
 break
 else:
 insecure = True
-
+
 if insecure:
 reportError(
- context.node.lineno - 1,
- context.node.col_offset,
- "S610",
- "M",
- "M"
+ context.node.lineno - 1, context.node.col_offset, "S610", "M", "M"
 )
 def checkDjangoRawSqlUsed(reportError, context, config):
 """
 Function to check for potential SQL injection on RawSQL function.
-
+
 @param reportError function to be used to report errors
 @type func
 @param context security context object
@@ -126,15 +122,11 @@
 @type dict
 """
 if (
- context.isModuleImportedLike('django.db.models') and
- context.callFunctionName == 'RawSQL'
+ context.isModuleImportedLike("django.db.models")
+ and context.callFunctionName == "RawSQL"
 ):
 sql = context.node.args[0]
 if not AstUtilities.isString(sql):
 reportError(
- context.node.lineno - 1,
- context.node.col_offset,
- "S611",
- "M",
- "M"
+ context.node.lineno - 1, context.node.col_offset, "S611", "M", "M"
 )
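Review bot: The key loop at `for k in kwargs["select"].keys:` in the `@@ -90,34 +90,30 @@` hunk will see `None` for a `**mapping` entry in the dict literal, because `ast.Dict.keys` stores `None` for dict unpacking, and whether `AstUtilities.isString(None)` returns False or raises cannot be told from this file. Making the intent explicit with `if k is None or not AstUtilities.isString(k):` keeps an unpacked select mapping flagged as insecure (its contents cannot be verified statically) without depending on how the helper treats `None`. A short comment on the `else: insecure = True` branch, such as `# select is not a dict literal, so its keys and values cannot be checked statically`, would also help a reader. The enclosing checkDjangoExtraUsed starts outside the hunk, and checkDjangoRawSqlUsed's body continues past it.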
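Review bot: `sql = context.node.args[0]` in the `@@ -126,15 +122,11 @@` hunk raises IndexError when RawSQL is called with its SQL passed by keyword, e.g. `RawSQL(sql=..., params=...)`, since such a call has an empty `args` list; the commit only reflows the surrounding condition and the reportError call. Reading the keyword through the module's own helper avoids the crash and keeps a keyword-supplied non-literal SQL string flagged as S611: `args = context.node.args`, `sql = args[0] if args else keywords2dict(context.node.keywords).get("sql")`, `if sql is not None and not AstUtilities.isString(sql):`. A call that supplies no SQL at all is then skipped rather than reported. checkDjangoRawSqlUsed's signature and docstring start outside this hunk.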