Python: Implement module ClickHouseDriver.qll #5889
Conversation
intrigus-lgtm left a comment
Some simple comments.
I did not look at the qll file.
(Note that I'm not a member of the github/codeql team)
python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py (outdated; resolved)
python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py (outdated; resolved)
python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp (outdated; resolved)
Review context (qhelp):
    </p>

    <p>
    In the first case, the query executed via aioch Client. aioch - is a module

As far as I know query help files should not contain too many examples.
I think one/two "BAD" cases (maybe one aioch case and one `Client` class case) and one "GOOD" case should be enough.
RasmusWL left a comment
Hi @japroc, thanks for this contribution 👍
I'll take a deeper look at reviewing your code tomorrow.
From a very superficial look, I can see that you've added a new query in this PR. While that's not necessarily a bad idea for local development, to be able to test out your changes, I think we'll delete that after promoting your modeling out of experimental. If there are any of the textual comments in qhelp file that are important to keep, I would like to request that you add these to python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.py instead 😊
Very nice to see python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql, we usually use a slightly different approach with ConceptsTest.ql and writing expectations inline with special comment syntax (which you can see in action here), but I think your test does the job pretty nicely as well 👍
python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql (outdated; resolved)
RasmusWL left a comment
Overall this code looks good to me 👍 (good job)
I have one question on client subclasses, but I don't think anything is a major blocker for us merging this PR 👍 (I might do a few minor stylistic cleanups when promoting this out of experimental)
Review context (ClickHouseDriver.qll):
    private DataFlow::Node client_ref() {
      result = clickhouse_driver().getMember("Client").getASubclass*().getAUse()
      or
      result = aioch().getMember("Client").getASubclass*().getAUse()
    }
This part surprised me. Do you have an example of someone who provides their own Client subclass in a real project? (or is this just something that you thought might happen and you wanted to capture?)

I am sure I have seen a few projects where there are custom subclasses of clickhouse-driver's Client. I did not save links to these projects. And actually don't remember how popular these projects are. I can spend some time on weekends to find them. I will put links here. And we will resolve this moment further.
What do you think? :)
With a fast search, I have found this one https://github.com/Altinity/clickhouse-mysql-data-reader/blob/3b1b7088751b05e5bbf45890c5949b58208c2343/clickhouse_mysql/dbclient/chclient.py#L10
There are many stars, so here came the idea to support that kind of subclasses.
Interesting, thanks for providing those examples 👍 having seen those, I think that it makes good sense to have support for that usage pattern 👍
Overall looks really good 💪
This needs a few minor adjustments after being merged, but I'm happy to do that myself 👍
(tests need to complete, then I can merge)
Thanks, @RasmusWL! Gonna celebrate my very first PR to codeql 😄 Have a good day!

Nice 🎉 I did some adjustments in #5950, so when that is merged, your contributions will be part of our standard analysis 💪
Hello!
The idea of this PR is to improve the default SQLInjection query by adding a ClickHouseDriver.qll module which describes the clickhouse-driver PyPI package. This module has its own Client with several methods to execute queries. Also, clickhouse-driver has a PEP249 interface. When this module is moved from the experimental folder to the standard library, it will automatically improve the existing SqlInjection.ql query. But for now, for a demonstration, I created a separate query which imports the experimental module and repeats the standard query. I also added a python snippet for clickhouse-driver usage and qhelp which describes different cases from that example code.
Thanks,
Evgenii.
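As an added illustration (not code from this PR, from codeql, or from clickhouse-driver), the following Python script shows the kind of BAD/GOOD cases the qhelp discussion above is about, together with a small ast-based check that flags query-executing calls whose SQL string is assembled at runtime. The method-name set and the sample program are my assumptions; the real modelling in ClickHouseDriver.qll is a CodeQL data-flow analysis that also follows Client subclasses (the getASubclass*() in the reviewed snippet), which a purely syntactic check like this cannot do.

```python
import ast

# Methods that take a SQL string as their first argument. These are the
# clickhouse-driver Client methods (execute, execute_iter,
# execute_with_progress) plus the PEP 249 cursor methods; which of them the
# PR's ClickHouseDriver.qll actually models is an assumption here.
SQL_METHODS = {"execute", "execute_iter", "execute_with_progress", "executemany"}


def _is_dynamic_string(node):
    """True when a query expression is assembled at runtime from non-literal parts."""
    if isinstance(node, ast.JoinedStr):
        # f-string: dynamic if it interpolates anything
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + x  or  "..." % x ; two literals joined together are still static
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        # "...".format(x)
        return True
    return False


def find_dynamic_sql_calls(source):
    """Return sorted (line, method) pairs for SQL_METHODS calls whose query string is dynamic."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_METHODS
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno, node.func.attr))
    return sorted(findings)


# Constructed sample program mirroring the qhelp's BAD/GOOD cases (not from the PR).
SAMPLE = '''\
from clickhouse_driver import Client

client = Client("localhost")

def bad_fstring(name):
    return client.execute(f"SELECT * FROM users WHERE name = '{name}'")

def bad_concat(user_id):
    return client.execute("SELECT * FROM users WHERE id = " + user_id)

def good_params(name):
    # parameters are handed to the driver separately instead of being formatted in
    return client.execute("SELECT * FROM users WHERE name = %(name)s", {"name": name})
'''

if __name__ == "__main__":
    for line, method in find_dynamic_sql_calls(SAMPLE):
        print(f"line {line}: .{method}() called with a dynamically built query")
```

Run against SAMPLE, the check reports the two BAD functions (lines 6 and 9 of the sample) and stays quiet on good_params, because its first argument is a plain string literal and the user value travels in the params dictionary. The CodeQL query does the same classification by tracking flow from a remote source into the query argument, so it also catches the case where the dynamic string is built in one place and passed through a variable, which this syntactic version misses.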