skylos 1.0.10__py3-none-any.whl → 2.5.2__py3-none-any.whl

skylos/rules/danger/danger_sql/sql_flow.py

@@ -0,0 +1,245 @@
+from __future__ import annotations
+import ast
+import sys
+from skylos.rules.danger.taint import TaintVisitor
+
+
+def _qualified_name_from_call(node):
+    func = node.func
+    parts = []
+
+    while isinstance(func, ast.Attribute):
+        parts.append(func.attr)
+        func = func.value
+    if isinstance(func, ast.Name):
+        parts.append(func.id)
+        parts.reverse()
+        return ".".join(parts)
+    return None
+
+
+def _is_interpolated_string(node):
+    if isinstance(node, ast.JoinedStr):
+        return True
+    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
+        return True
+    if (
+        isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Attribute)
+        and node.func.attr == "format"
+    ):
+        return True
+    return False
+
+
+def _is_passthrough_return(node: ast.AST, param_names):
+    if isinstance(node, ast.Name) and node.id in param_names:
+        return True
+
+    if isinstance(node, ast.JoinedStr):
+        for v in node.values:
+            if (
+                isinstance(v, ast.FormattedValue)
+                and isinstance(v.value, ast.Name)
+                and v.value.id in param_names
+            ):
+                return True
+        return True
+
+    if (
+        isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Attribute)
+        and node.func.attr == "format"
+    ):
+        return True
+    if isinstance(node, ast.BinOp):
+        return True
+    return False
+
+
+def _func_name(node):
+    return node.name
+
+
+def get_query_expression(call: ast.Call, names=("sql", "query", "statement")):
+    expression = None
+    if call.args and len(call.args) > 0:
+        expression = call.args[0]
+    if expression is None:
+        for keyword in call.keywords or []:
+            if keyword.arg in names and keyword.value is not None:
+                expression = keyword.value
+                break
+    return expression
+
+
+def is_parameterized_query(call: ast.Call, query_expr: ast.AST):
+    if _is_interpolated_string(query_expr):
+        return False
+
+    if len(call.args) >= 2:
+        return True
+
+    for keyword in call.keywords or []:
+        if keyword.arg in {"params", "parameters"}:
+            return True
+    return False
+
+
+def is_sqlalchemy_text(expr: ast.AST):
+    if not isinstance(expr, ast.Call):
+        return False
+
+    func = expr.func
+
+    if isinstance(func, ast.Attribute) and func.attr == "text":
+        return True
+
+    if isinstance(func, ast.Name) and func.id == "text":
+        return True
+    return False
+
+
+class _SQLFlowChecker(TaintVisitor):
+    RULE_ID_SQLI = "SKY-D211"
+    SEVERITY_CRITICAL = "CRITICAL"
+    SEVERITY_HIGH = "HIGH"
+    DBAPI_SQL_SINK_SUFFIXES = (".execute", ".executemany", ".executescript")
+
+    def __init__(self, file_path, findings):
+        super().__init__(file_path, findings)
+        self.passthrough_functions = set()
+
+    def visit_FunctionDef(self, node):
+        self._push()
+
+        param_names = {a.arg for a in node.args.args}
+        for statement in node.body:
+            if isinstance(statement, ast.Return) and statement.value is not None:
+                if _is_passthrough_return(statement.value, param_names):
+                    self.passthrough_functions.add(_func_name(node))
+                    break
+
+        self.generic_visit(node)
+        self._pop()
+
+    def visit_AsyncFunctionDef(self, node):
+        self._push()
+
+        param_names = {a.arg for a in node.args.args}
+        for statement in node.body:
+            if isinstance(statement, ast.Return) and statement.value is not None:
+                if _is_passthrough_return(statement.value, param_names):
+                    self.passthrough_functions.add(_func_name(node))
+                    break
+
+        self.generic_visit(node)
+        self._pop()
+
+    def visit_Call(self, node):
+        qual_name = _qualified_name_from_call(node)
+
+        if qual_name and qual_name in self.passthrough_functions:
+            pass
+
+        if qual_name and qual_name.endswith(self.DBAPI_SQL_SINK_SUFFIXES):
+            query_expr = get_query_expression(node, names=("sql", "query", "statement"))
+
+            if query_expr is not None:
+                if _is_interpolated_string(query_expr) or self.is_tainted(query_expr):
+                    self.findings.append(
+                        {
+                            "rule_id": self.RULE_ID_SQLI,
+                            "severity": self.SEVERITY_CRITICAL,
+                            "message": "Possible SQL injection: tainted or string-built query.",
+                            "file": str(self.file_path),
+                            "line": node.lineno,
+                            "col": node.col_offset,
+                        }
+                    )
+                else:
+                    is_literal = isinstance(query_expr, ast.Constant) and isinstance(
+                        query_expr.value, str
+                    )
+                    if not is_literal and not is_parameterized_query(node, query_expr):
+                        self.findings.append(
+                            {
+                                "rule_id": self.RULE_ID_SQLI,
+                                "severity": self.SEVERITY_HIGH,
+                                "message": "Likely unparameterized SQL execution.",
+                                "file": str(self.file_path),
+                                "line": node.lineno,
+                                "col": node.col_offset,
+                            }
+                        )
+
+            self.generic_visit(node)
+            return
+
+        if qual_name and (
+            qual_name.endswith(".read_sql") or qual_name.endswith(".read_sql_query")
+        ):
+            query_expr = get_query_expression(node, names=("sql", "query"))
+
+            if query_expr is not None and (
+                _is_interpolated_string(query_expr) or self.is_tainted(query_expr)
+            ):
+                self.findings.append(
+                    {
+                        "rule_id": self.RULE_ID_SQLI,
+                        "severity": self.SEVERITY_CRITICAL,
+                        "message": "Possible SQL injection in read_sql.",
+                        "file": str(self.file_path),
+                        "line": node.lineno,
+                        "col": node.col_offset,
+                    }
+                )
+            self.generic_visit(node)
+            return
+
+        if isinstance(node.func, ast.Attribute) and node.func.attr == "execute":
+            statement_expression = get_query_expression(
+                node, names=("statement", "sql", "query")
+            )
+            if statement_expression is not None:
+                if _is_interpolated_string(statement_expression) or self.is_tainted(
+                    statement_expression
+                ):
+                    self.findings.append(
+                        {
+                            "rule_id": self.RULE_ID_SQLI,
+                            "severity": self.SEVERITY_CRITICAL,
+                            "message": "Possible SQL injection: tainted statement passed to execute().",
+                            "file": str(self.file_path),
+                            "line": node.lineno,
+                            "col": node.col_offset,
+                        }
+                    )
+
+            self.generic_visit(node)
+            return
+
+        if is_sqlalchemy_text(node):
+            for argument in node.args:
+                if _is_interpolated_string(argument) or self.is_tainted(argument):
+                    self.findings.append(
+                        {
+                            "rule_id": self.RULE_ID_SQLI,
+                            "severity": self.SEVERITY_CRITICAL,
+                            "message": "Possible SQL injection: tainted string used in sqlalchemy.text().",
+                            "file": str(self.file_path),
+                            "line": node.lineno,
+                            "col": node.col_offset,
+                        }
+                    )
+                    break
+
+        self.generic_visit(node)
+
+
+def scan(tree, file_path, findings):
+    try:
+        checker = _SQLFlowChecker(file_path, findings)
+        checker.visit(tree)
+    except Exception as e:
+        print(f"SQL flow analysis failed for {file_path}: {e}", file=sys.stderr)

skylos/rules/danger/danger_sql/sql_raw_flow.py

@@ -0,0 +1,96 @@
+from __future__ import annotations
+import ast
+import sys
+from skylos.rules.danger.taint import TaintVisitor
+
+
+def _qualified_name(node: ast.Call):
+    f = node.func
+    parts = []
+
+    while isinstance(f, ast.Attribute):
+        parts.append(f.attr)
+        f = f.value
+
+    if isinstance(f, ast.Name):
+        parts.append(f.id)
+        parts.reverse()
+        return ".".join(parts)
+
+    if isinstance(f, ast.Name):
+        return f.id
+    return None
+
+
+def _is_interpolated_string(n: ast.AST):
+    if isinstance(n, ast.JoinedStr):
+        return True
+    if isinstance(n, ast.BinOp) and isinstance(n.op, (ast.Add, ast.Mod)):
+        return True
+    if (
+        isinstance(n, ast.Call)
+        and isinstance(n.func, ast.Attribute)
+        and n.func.attr == "format"
+    ):
+        return True
+    return False
+
+
+class _SQLRawFlowChecker(TaintVisitor):
+    def visit_Call(self, node: ast.Call):
+        qn = _qualified_name(node)
+        if not qn:
+            self.generic_visit(node)
+            return
+
+        if qn.endswith(".text") and node.args:
+            sql = node.args[0]
+            if _is_interpolated_string(sql) or self.is_tainted(sql):
+                self.findings.append(
+                    {
+                        "rule_id": "SKY-D217",
+                        "severity": "CRITICAL",
+                        "message": "Possible SQL injection: tainted SQL passed to sqlalchemy.text().",
+                        "file": str(self.file_path),
+                        "line": node.lineno,
+                        "col": node.col_offset,
+                    }
+                )
+
+        if (qn.endswith(".read_sql") or qn.endswith(".read_sql_query")) and node.args:
+            sql = node.args[0]
+            if _is_interpolated_string(sql) or self.is_tainted(sql):
+                self.findings.append(
+                    {
+                        "rule_id": "SKY-D217",
+                        "severity": "CRITICAL",
+                        "message": "Possible SQL injection: tainted SQL passed to pandas.read_sql().",
+                        "file": str(self.file_path),
+                        "line": node.lineno,
+                        "col": node.col_offset,
+                    }
+                )
+
+        if qn.endswith(".objects.raw") and node.args:
+            sql = node.args[0]
+            if _is_interpolated_string(sql) or self.is_tainted(sql):
+                self.findings.append(
+                    {
+                        "rule_id": "SKY-D217",
+                        "severity": "CRITICAL",
+                        "message": "Possible SQL injection: tainted SQL passed to Django .raw().",
+                        "file": str(self.file_path),
+                        "line": node.lineno,
+                        "col": node.col_offset,
+                    }
+                )
+
+        self.generic_visit(node)
+
+
+def scan(tree: ast.AST, file_path, findings):
+    try:
+        checker = _SQLRawFlowChecker(file_path, findings)
+        checker.visit(tree)
+    except Exception as e:
+        print(f"Raw SQL flow analysis failed for {file_path}: {e}", file=sys.stderr)

skylos/rules/danger/danger_web/xss_flow.py

@@ -0,0 +1,170 @@
+from __future__ import annotations
+import ast
+import sys
+from skylos.rules.danger.taint import TaintVisitor
+
+
+def _qualified_name_from_call(node: ast.Call):
+    func = node.func
+    parts = []
+    while isinstance(func, ast.Attribute):
+        parts.append(func.attr)
+        func = func.value
+    if isinstance(func, ast.Name):
+        parts.append(func.id)
+        parts.reverse()
+        return ".".join(parts)
+    if isinstance(func, ast.Name):
+        return func.id
+    return None
+
+
+def _is_interpolated_string(node: ast.AST):
+    if isinstance(node, ast.JoinedStr):
+        return True
+    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
+        return True
+    if (
+        isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Attribute)
+        and node.func.attr == "format"
+    ):
+        return True
+    return False
+
+
+def _const_str_value(node: ast.AST):
+    if isinstance(node, ast.Constant) and isinstance(node.value, str):
+        return node.value
+    return None
+
+
+def _const_contains_html(node: ast.AST):
+    if isinstance(node, ast.Constant) and isinstance(node.value, str):
+        s = node.value
+        return ("<" in s) and (">" in s)
+    return False
+
+
+class _XSSFlowChecker(TaintVisitor):
+    SAFE_MARK_FUNCS = {"Markup", "mark_safe"}
+
+    def _template_is_unsafe_literal(self, node: ast.AST):
+        s = _const_str_value(node)
+        if not s:
+            return False
+        low = s.lower()
+        if "|safe" in low:
+            return True
+        if "{% autoescape false %}" in low:
+            return True
+        return False
+
+    def _binop_has_html_const(self, node: ast.AST):
+        if _const_contains_html(node):
+            return True
+        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
+            return self._binop_has_html_const(node.left) or self._binop_has_html_const(
+                node.right
+            )
+        return False
+
+    def _html_built_with_taint(self, node: ast.AST):
+        if isinstance(node, ast.JoinedStr):
+            has_html = False
+            for v in node.values:
+                if isinstance(v, ast.Constant) and _const_contains_html(v):
+                    has_html = True
+                    break
+            if not has_html:
+                return False
+
+            for v in node.values:
+                if isinstance(v, ast.FormattedValue) and self.is_tainted(v.value):
+                    return True
+            return False
+
+        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
+            left_html = _const_contains_html(node.left)
+            right_html = _const_contains_html(node.right)
+            any_html = (
+                left_html
+                or right_html
+                or self._binop_has_html_const(node.left)
+                or self._binop_has_html_const(node.right)
+            )
+
+            if not any_html:
+                return False
+            return self.is_tainted(node.left) or self.is_tainted(node.right)
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Attribute)
+            and node.func.attr == "format"
+        ):
+            base = node.func.value
+            if _const_contains_html(base):
+                for a in node.args:
+                    if self.is_tainted(a):
+                        return True
+            return False
+        return False
+
+    def visit_Call(self, node: ast.Call):
+        qn = _qualified_name_from_call(node)
+
+        if qn and node.args:
+            func_name = qn.split(".")[-1]
+            if func_name in self.SAFE_MARK_FUNCS:
+                arg0 = node.args[0]
+                if _is_interpolated_string(arg0) or self.is_tainted(arg0):
+                    self.findings.append(
+                        {
+                            "rule_id": "SKY-D226",
+                            "severity": "CRITICAL",
+                            "message": "Possible XSS: untrusted content marked safe",
+                            "file": str(self.file_path),
+                            "line": node.lineno,
+                            "col": node.col_offset,
+                        }
+                    )
+
+        if qn and qn.split(".")[-1] == "render_template_string" and node.args:
+            tmpl = node.args[0]
+            if self._template_is_unsafe_literal(tmpl):
+                self.findings.append(
+                    {
+                        "rule_id": "SKY-D227",
+                        "severity": "HIGH",
+                        "message": "Possible XSS: unsafe inline template disables escaping",
+                        "file": str(self.file_path),
+                        "line": node.lineno,
+                        "col": node.col_offset,
+                    }
+                )
+
+        self.generic_visit(node)
+
+    def visit_Return(self, node: ast.Return):
+        if node.value is not None:
+            if self._html_built_with_taint(node.value):
+                self.findings.append(
+                    {
+                        "rule_id": "SKY-D228",
+                        "severity": "HIGH",
+                        "message": "XSS (HTML built from unescaped user input)",
+                        "file": str(self.file_path),
+                        "line": node.lineno,
+                        "col": node.col_offset,
+                    }
+                )
+        self.generic_visit(node)
+
+
+def scan(tree, file_path, findings):
+    try:
+        checker = _XSSFlowChecker(file_path, findings)
+        checker.visit(tree)
+    except Exception as e:
+        print(f"XSS analysis failed for {file_path}: {e}", file=sys.stderr)

skylos/rules/danger/taint.py

@@ -0,0 +1,110 @@
+import ast
+
+
+class TaintVisitor(ast.NodeVisitor):
+    def __init__(self, file_path, findings):
+        self.file_path = file_path
+        self.findings = findings
+        self.env_stack = [{}]
+        self.sources = {"input", "request"}
+        self.request_obj = "request"
+
+    def _push(self):
+        self.env_stack.append({})
+
+    def _pop(self):
+        if self.env_stack:
+            self.env_stack.pop()
+
+    def _set(self, name, tainted):
+        if not self.env_stack:
+            self._push()
+        self.env_stack[-1][name] = bool(tainted)
+
+    def _get(self, name):
+        for env in reversed(self.env_stack):
+            if name in env:
+                return env[name]
+        return False
+
+    def is_tainted(self, node):
+        if node is None:
+            return False
+
+        if isinstance(node, ast.JoinedStr):
+            return any(
+                isinstance(v, ast.FormattedValue) and self.is_tainted(v.value)
+                for v in node.values
+            )
+        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
+            return self.is_tainted(node.left) or self.is_tainted(node.right)
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Attribute)
+            and node.func.attr == "format"
+        ):
+            return True
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id in self.sources
+        ):
+            return True
+
+        if isinstance(node, (ast.Attribute, ast.Subscript)):
+            base = node.value
+            while isinstance(base, (ast.Attribute, ast.Subscript)):
+                base = base.value
+            if isinstance(base, ast.Name) and base.id == self.request_obj:
+                return True
+            return self.is_tainted(node.value)
+
+        if isinstance(node, ast.Name):
+            return self._get(node.id)
+
+        if isinstance(node, ast.Call):
+            if isinstance(node.func, ast.Attribute):
+                if self.is_tainted(node.func.value):
+                    return True
+
+            if any(self.is_tainted(arg) for arg in node.args):
+                return True
+
+            if any(self.is_tainted(k.value) for k in node.keywords):
+                return True
+
+        return False
+
+    def generic_visit(self, node):
+        for field, value in ast.iter_fields(node):
+            if isinstance(value, list):
+                for item in value:
+                    if isinstance(item, ast.AST):
+                        self.visit(item)
+            elif isinstance(value, ast.AST):
+                self.visit(value)
+
+    def visit_FunctionDef(self, node):
+        self._push()
+        self.generic_visit(node)
+        self._pop()
+
+    def visit_AsyncFunctionDef(self, node):
+        self._push()
+        self.generic_visit(node)
+        self._pop()
+
+    def visit_Assign(self, node):
+        t = self.is_tainted(node.value)
+        for tgt in node.targets:
+            if isinstance(tgt, ast.Name):
+                self._set(tgt.id, t)
+        self.generic_visit(node)
+
+    def visit_AnnAssign(self, node):
+        if node.value:
+            t = self.is_tainted(node.value)
+            if isinstance(node.target, ast.Name):
+                self._set(node.target.id, t)
+        self.generic_visit(node)