Adding SQL Injection test, examples, and profile.

2014-09-10 15:38:27 -07:00 · 2014-09-10 15:38:27 -07:00 · 91753a4ca0
commit 91753a4ca0
parent 54364b46db
4 changed files with 52 additions and 0 deletions
--- a/bandit.yaml
+++ b/bandit.yaml
@ -25,6 +25,10 @@ profiles:
            - call_shell_true
        exclude:

+    SqlInjection:
+        include:
+            - str_sql_expression
+

 call_bad_names:
    bad_name_sets:
--- a/examples/sql_statements_with_sqlalchemy.py
+++ b/examples/sql_statements_with_sqlalchemy.py
@ -0,0 +1,6 @@
+import sqlalchemy
+
+query = "SELECT * FROM foo WHERE id = '%s'" % identifier
+query = "INSERT INTO foo VALUES ('a', 'b', '%s')" % value
+query = "DELETE FROM foo WHERE id = '%s'" % identifier
+query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier
--- a/examples/sql_statements_without_sql_alchemy.py
+++ b/examples/sql_statements_without_sql_alchemy.py
@ -0,0 +1,4 @@
+query = "SELECT * FROM foo WHERE id = '%s'" % identifier
+query = "INSERT INTO foo VALUES ('a', 'b', '%s')" % value
+query = "DELETE FROM foo WHERE id = '%s'" % identifier
+query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier
--- a/plugins/str_sql_expressions.py
+++ b/plugins/str_sql_expressions.py
@ -0,0 +1,38 @@
+# -*- coding:utf-8 -*-
+#
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import bandit
+from bandit.test_selector import *
+
+
+@checks_strings
+def str_sql_expression(context):
+    test_str = context.string_val.lower()
+    if (
+        (test_str.startswith('select ') and ' from ' in test_str) or
+        test_str.startswith('insert into') or
+        (test_str.startswith('update ') and ' set ' in test_str) or
+        test_str.startswith('delete from ')
+    ):
+        # if sqlalchemy is not imported and it looks like they are using SQL
+        # statements, mark it as a WARNING
+        if not context.is_module_imported_like("sqlalchemy"):
+            return(bandit.WARN, 'Possible SQL injection vector through '
+                   'string-based query construction, without SQLALCHEMY use')
+        # otherwise, if sqlalchemy is being used, mark it as INFO
+        else:
+            return(bandit.INFO, 'Possible SQL injection vector through'
+                   ' string-based query construction')