Closed cyounkins closed 4 months ago
I did find this commit that maybe breaks SQLAlchemy 1.4? https://github.com/facebook/pyre-check/commit/c93e0a16f1dac523a81f1c0350474663a454adde
Hi, thanks for reaching out. I am able to reproduce, I will need more time to look into this.
This is a simple mistake. `my_source()` returns a source with kind `Test`. `engine.execute()` has a sink with kind `SQL`.

There is a rule from source `Test` to sink `Test`: https://github.com/cyounkins/pysa-testing/blob/63395fc6b3ba826b1ebb9dec1c55abcadf4c7622/stubs/taint.config#L184-L192
but there is no rule for source `Test` to sink `SQL`. There is only one for `UserControlled` to `SQL`: https://github.com/cyounkins/pysa-testing/blob/63395fc6b3ba826b1ebb9dec1c55abcadf4c7622/stubs/taint.config#L197-L205

If I change that rule to also accept `Test` as a source, it does find the flows:
```json
[
  {
    "line": 20,
    "column": 28,
    "stop_line": 20,
    "stop_column": 33,
    "path": "vuln.py",
    "code": 5005,
    "name": "SQL injection.",
    "description": "SQL injection. [5005]: Data from [Test] source(s) may reach [SQL] sink(s)",
    "define": "vuln.vulnerable_func"
  },
  {
    "line": 20,
    "column": 28,
    "stop_line": 20,
    "stop_column": 33,
    "path": "vuln.py",
    "code": 5005,
    "name": "SQL injection.",
    "description": "SQL injection. [5005]: Data from [Test] source(s) may reach [SQL] sink(s)",
    "define": "vuln.vulnerable_func"
  },
  {
    "line": 23,
    "column": 12,
    "stop_line": 23,
    "stop_column": 17,
    "path": "vuln.py",
    "code": 5002,
    "name": "Test flow",
    "description": "Test flow [5002]: Data from [Test] source(s) may reach [Test] sink(s)",
    "define": "vuln.vulnerable_func"
  }
]
```
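The point in the comment above is that Pysa only reports a flow when some rule lists both the source kind and the sink kind, so a `Test` source reaching a `SQL` sink is silent unless a rule pairs those two kinds. The following script is an added illustration, not code from the issue or from pyre-check: it loads a constructed excerpt of a `taint.config` (rule names and codes follow the thread, the source/sink comments are made up), lists the (source, sink) pairs that no rule covers, and applies the maintainer's fix of adding `Test` to the sources of rule 5005. The matching logic is a deliberate simplification of Pysa's (it ignores features, sanitizers and multi-source rules), intended as a quick sanity check before running an analysis.

```python
import json

# Constructed excerpt of a Pysa taint.config modelled on the one discussed in
# the thread. The source/sink names and rule codes match the issue; the
# comments and the exact rule set are assumptions for this example.
TAINT_CONFIG = """
{
  "sources": [
    {"name": "UserControlled", "comment": "data originating from a request"},
    {"name": "Test", "comment": "source returned by the test model my_source()"}
  ],
  "sinks": [
    {"name": "SQL", "comment": "raw SQL execution, e.g. Engine.execute"},
    {"name": "Test", "comment": "sink used by the test model my_sink()"}
  ],
  "rules": [
    {
      "name": "Test flow",
      "code": 5002,
      "sources": ["Test"],
      "sinks": ["Test"],
      "message_format": "Data from [{$sources}] source(s) may reach [{$sinks}] sink(s)"
    },
    {
      "name": "SQL injection.",
      "code": 5005,
      "sources": ["UserControlled"],
      "sinks": ["SQL"],
      "message_format": "Data from [{$sources}] source(s) may reach [{$sinks}] sink(s)"
    }
  ]
}
"""


def load_config(text: str = TAINT_CONFIG) -> dict:
    """Parse a taint.config document (defaults to the constructed excerpt above)."""
    return json.loads(text)


def rules_covering(config: dict, source_kind: str, sink_kind: str) -> list[int]:
    """Codes of every rule that pairs source_kind with sink_kind.

    A flow is only reported when at least one rule lists both kinds; an empty
    result means the flow exists in the program but is invisible to Pysa."""
    return [
        rule["code"]
        for rule in config["rules"]
        if source_kind in rule["sources"] and sink_kind in rule["sinks"]
    ]


def uncovered_pairs(config: dict, expected: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """The (source, sink) pairs a test suite expects to see that no rule covers."""
    return [(src, snk) for src, snk in expected if not rules_covering(config, src, snk)]


def add_source_to_rule(config: dict, code: int, source_kind: str) -> dict:
    """Return a copy of config in which rule `code` also accepts source_kind.

    This is the change the maintainer made to rule 5005 so that the
    Test -> SQL flow in vuln.py is reported; the input config is left untouched."""
    fixed = json.loads(json.dumps(config))
    for rule in fixed["rules"]:
        if rule["code"] == code and source_kind not in rule["sources"]:
            rule["sources"].append(source_kind)
    return fixed


if __name__ == "__main__":
    cfg = load_config()
    expected = [("Test", "Test"), ("Test", "SQL")]
    print("uncovered before fix:", uncovered_pairs(cfg, expected))
    fixed = add_source_to_rule(cfg, 5005, "Test")
    print("uncovered after fix:", uncovered_pairs(fixed, expected))
    print("rules reporting Test -> SQL:", rules_covering(fixed, "Test", "SQL"))
```

Run against a real `taint.config`, `uncovered_pairs` answers the question the reporter was stuck on: whether the kinds attached to the test models are actually connected by a rule, independently of whether the sink model on `Engine.execute` resolves.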
Ahh thank you! I apologize for the waste of time.
Pysa Bug

Pre-submission checklist
[x] I've checked the list of common issues and mine does not appear

Bug description
I've been unable to get pysa to work for a minimal sqlalchemy project. I have set it up using the sqlalchemy types from the pyre-check repo. I have set up two flows that should be detected - one to SQLAlchemy's `execute`, and `my_sink`. `my_sink` works as expected, SQLAlchemy does not.

Reproduction steps
Try my repo: https://github.com/cyounkins/pysa-testing/tree/63395fc6b3ba826b1ebb9dec1c55abcadf4c7622

Expected behavior
Both flows should be detected.

Logs
Please run your reproduction steps with `--noninteractive` (eg. `pyre --noninteractive analyze`) and paste the output here:

Additional context
Add any other context about the problem here. (like dependencies in your venv, third party stub files being used, overall goals, etc.)
`reveal_type` only seems to work some of the time, and I haven't been able to figure out why. https://github.com/facebook/pyre-check/issues/825 In the beginning when it worked, `reveal_type(engine.execute)` printed out `ƛ vuln:21:4-21:15: Revealed type for engine.execute: unknown`, which is obviously a problem.

I ran `pyre infer` and `pyre infer -i --annotate-from-existing-stubs` to try to fix the types. It added some, and explicitly assigned a type to `engine` as `engine: Engine = create_engine('sqlite:///test.db')`. Now `reveal_type` prints out

That... seems like it should work.

The engine.execute call should match one of these sink rules:

The second is mine because I was wondering if the one supplied in the repo was somehow wrong. Neither one works.

I have `types-SQLAlchemy==1.4.52` to get types for the older SQLAlchemy. I did try a bit with 2.0 and couldn't get it to work.

Any pointers would be appreciated. What version of SQLAlchemy should I be trying? Are the flows here expected to work or no?