[Python]: Add SqlAlchemy support for SQL injection query

[mrthankyou]

Query

Relevant PR: github/codeql#5680

CVE ID(s)

WIP

Report

SQLAlchemy is one of the most popular ORM engines for working with SQL databases within the Python ecosystem. This query identifies a variety of cases where SQL injection can occur when the developer accidentally allows SQL injection to be injected into SQL queries.

• Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

WIP

Misc

Please split the bounty 50/50 between myself and @jorgectf. After a discussion with @jorgectf I will be taking the full bounty.

[ghsecuritylab]

Your submission is now in status Generate Query Results.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status FP Check.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[pwntester]

Hi @mrthankyou, Thanks for the submission,

I'm reviewing some of the results returned by this query and I can see many of them following this pattern:

session.query(CommonsDivision).get(commons_division_id)

Where commons_division_id is tainted. I'm not sure how this (or any other matched by the SqlAlchemyQueryCall sink). Can you please elaborate on why you added SqlAlchemyQueryCall as SQL injection sinks?

[RasmusWL]

I think it's to cover cases such as session.query(User).filter(sqlalchemy.sql.text(user_input)), but the matching in SqlAlchemyQueryCall is just too broad, since it flags the first argument to any method called. (something I overlooked while reviewing the PR)

@mrthankyou to fix this, I think you need to specify the exact method names that are vulnerable (as per your research here).

[mrthankyou]

Will do. I'll see what I can do and fix this by tomorrow. Thanks for everyones input thus far.

[mrthankyou]

Thank you for bearing with my delays.

I have updated the query so that the query only accounts for vulnerable methods discovered through this research here. Rasmus has confirmed and I ran locally that all tests still pass. Please let me know if there is anything else needed.

After next Wednesday my life will be back to normal and I will be more responsive. Thank you.

[ghsecuritylab]

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[xcorail]

Created Hackerone report 1287576 for bounty 323072 : [390] [Python]: Add SqlAlchemy support for SQL injection query

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed