skylos 2.2.4__py3-none-any.whl → 2.4.0__py3-none-any.whl

{skylos-2.2.4.dist-info → skylos-2.4.0.dist-info}/RECORD

@@ -1,13 +1,25 @@
-skylos/__init__.py,sha256=YwPfQwovq4tgmZty1bPKmaNXjqgsmv6wbi94D2oEo6Y,229
-skylos/analyzer.py,sha256=iiymCNg3LphPSHhR3TYLmObR2vlGC99wKligDtHHzDE,17449
-skylos/cli.py,sha256=oEZHS8ogV8pZloj_EIk4qzPVbJS7QenHKJDIp7q2OGg,19882
+skylos/__init__.py,sha256=lFWlWOwKfByIoAoQkdpcEMF5UisQQuVzdtSNPApOoXI,229
+skylos/analyzer.py,sha256=nwf1pDsXaEhrLm6AkQgaJObVgp8YPP9UzU2NzZ2088o,18791
+skylos/cli.py,sha256=372vGiWC4Z4ZDQbP-P4PYRaEokv8xS9-ko152ejfqcE,25970
 skylos/codemods.py,sha256=-1ehjFLc1MmtK3inoSZF_RyBNWF7XZSOq2KH5_MDzuA,9519
 skylos/constants.py,sha256=kU-2FKQAV-ju4rYw62Tw25uRvqauzjZFUqtvGWaI6Es,1571
 skylos/server.py,sha256=oHuevjdDFvJVbvpTtCDjSLOJ6Zy1jL4BYLYV4VFNMXs,15903
 skylos/visitor.py,sha256=o_2JxjXKXAcWLQr8nmoatGAz2EhBk225qE_piHf3hDg,20458
 skylos/rules/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-skylos/rules/dangerous.py,sha256=a1P2wpjxxAHOG_pa83xSKDOnb1HFGPlHzATtkgQtd8Y,4111
 skylos/rules/secrets.py,sha256=xZOKJwfeyx2el-HlGjTflc50XtjUL7R-8mLOJUkwf30,10092
+skylos/rules/danger/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger.py,sha256=oTG_dK-CAqV4X4DP_AOzKPsOzmYbtgq0pfq0aILmxik,4398
+skylos/rules/danger/danger_cmd/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_cmd/cmd_flow.py,sha256=b2VOkZ1Lt5ht5AreQrzqcu19BrR8N8xWjYeMqwtRJr8,6675
+skylos/rules/danger/danger_fs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_fs/path_flow.py,sha256=bhs1HHrxsHVilvQG6-PsZIJ7GpF20Yj7pcavPXFKq2g,5627
+skylos/rules/danger/danger_net/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_net/ssrf_flow.py,sha256=jyLmMDq7WlCqB2t3O1bKyrOmrr9yAqhEUjytek1Ymbg,5937
+skylos/rules/danger/danger_sql/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_sql/sql_flow.py,sha256=00QpJTgdwE6lGuiv416o3MW54MkioiMzSlI5jNsYCK4,5212
+skylos/rules/danger/danger_sql/sql_raw_flow.py,sha256=7pYidj8_KCu9UkpHUyFoiDch3Hjc0CHEhTBM-bRXlew,6504
+skylos/rules/danger/danger_web/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_web/xss_flow.py,sha256=9cK65470f8ulK0aNa8pRFsH3p-7gpenMJvExbJqmjG8,8991
 skylos/visitors/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 skylos/visitors/framework_aware.py,sha256=eX4oU0jQwDWejkkW4kjRNctre27sVLHK1CTDDiqPqRw,13054
 skylos/visitors/test_aware.py,sha256=kxYoMG2m02kbMlxtFOM-MWJO8qqxHviP9HgAMbKRfvU,2304
@@ -18,14 +30,18 @@ test/diagnostics.py,sha256=ExuFOCVpc9BDwNYapU96vj9RXLqxji32Sv6wVF4nJYU,13802
 test/test_analyzer.py,sha256=WhEYSI1atRee2Gqd9-Edw6F-tdRS9DBqS0D0aqK6MKc,21093
 test/test_changes_analyzer.py,sha256=l1hspCFz-sF8gqOilJvntUDuGckwhYsVtzvSRB13ZWw,5085
 test/test_cli.py,sha256=rtdKzanDRJT_F92jKkCQFdhvlfwVJxfXKO8Hrbn-mIg,13180
+test/test_cmd_injection.py,sha256=sG5Ryq18kPKhawB4ZxbGYeXPcCHagFTcWultNoX9XxY,1160
 test/test_codemods.py,sha256=Tbp9jE95HDl77EenTmyTtB1Sc3L8fwY9xiMNVDN5lxo,4522
 test/test_constants.py,sha256=pMuDy0UpC81zENMDCeK6Bqmm3BR_HHZQSlMG-9TgOm0,12602
-test/test_dangerous.py,sha256=zFc2Fi43T824yWY-nKziP1YH_Z4on5rXwxsvgYQ6EN4,2523
+test/test_dangerous.py,sha256=aaksXFYrNb0gSCdbrYmL77EMmQC6F395NKzUmV8opYA,3427
 test/test_framework_aware.py,sha256=G9va1dEQ31wsvd4X7ROf_1YhhAQG5CogB7v0hYCojQ8,8802
 test/test_integration.py,sha256=bNKGUe-w0xEZEdnoQNHbssvKMGs9u9fmFQTOz1lX9_k,12398
 test/test_new_behaviours.py,sha256=vAON8rR09RXawZT1knYtZHseyRcECKz5bdOspJoMjUA,1472
+test/test_path_traversal.py,sha256=CI49yJwLqHIHwqrPkJwjEBz7pY7dy5B8A62H8qu_YGk,1098
 test/test_secrets.py,sha256=cxbe8zH6lv5aKgazCW01q-mX5F2dRsiH6N2lDXb7ueY,6010
 test/test_skylos.py,sha256=kz77STrS4k3Eez5RDYwGxOg2WH3e7zNZPUYEaTLbGTs,15608
+test/test_sql_injection.py,sha256=BvwGTKgshFWWF8on1Qoa2_wKKgF5noBfpq-dtnx6DsM,1634
+test/test_ssrf.py,sha256=ob3D36o_Me0TjOcVeFUwHBAVERbsgdBqtuW6F2smgGM,1445
 test/test_test_aware.py,sha256=VmbR_MQY0m941CAxxux8OxJHIr7l8crfWRouSeBMhIo,9390
 test/test_visitor.py,sha256=xAbGv-XaozKm_0WJJhr0hMb6mLaJcbPz57G9-SWkxFU,22764
 test/sample_repo/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -35,8 +51,8 @@ test/sample_repo/sample_repo/commands.py,sha256=b6gQ9YDabt2yyfqGbOpLo0osF7wya8O4
 test/sample_repo/sample_repo/models.py,sha256=xXIg3pToEZwKuUCmKX2vTlCF_VeFA0yZlvlBVPIy5Qw,3320
 test/sample_repo/sample_repo/routes.py,sha256=8yITrt55BwS01G7nWdESdx8LuxmReqop1zrGUKPeLi8,2475
 test/sample_repo/sample_repo/utils.py,sha256=S56hEYh8wkzwsD260MvQcmUFOkw2EjFU27nMLFE6G2k,1103
-skylos-2.2.4.dist-info/METADATA,sha256=S5mGNVK7yVnSeqxS_5pr1PEXqaUrCcdu3NDZEqDHdYo,314
-skylos-2.2.4.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-skylos-2.2.4.dist-info/entry_points.txt,sha256=zzRpN2ByznlQoLeuLolS_TFNYSQxUGBL1EXQsAd6bIA,43
-skylos-2.2.4.dist-info/top_level.txt,sha256=f8GA_7KwfaEopPMP8-EXDQXaqd4IbsOQPakZy01LkdQ,12
-skylos-2.2.4.dist-info/RECORD,,
+skylos-2.4.0.dist-info/METADATA,sha256=_zgyV0RiF1UQMnVYxfWzNzW5fa-vt3y1kNIu0xD32eU,314
+skylos-2.4.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+skylos-2.4.0.dist-info/entry_points.txt,sha256=zzRpN2ByznlQoLeuLolS_TFNYSQxUGBL1EXQsAd6bIA,43
+skylos-2.4.0.dist-info/top_level.txt,sha256=f8GA_7KwfaEopPMP8-EXDQXaqd4IbsOQPakZy01LkdQ,12
+skylos-2.4.0.dist-info/RECORD,,

test/test_cmd_injection.py

@@ -0,0 +1,41 @@
+from pathlib import Path
+from skylos.rules.danger import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    return {f["rule_id"] for f in findings}
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_os_system_tainted_flags(tmp_path):
+    code = (
+        "import os\n"
+        "def f(x):\n"
+        "    os.system('echo ' + x)\n"
+    )
+    out = _scan_one(tmp_path, "cmd_os.py", code)
+    assert 'SKY-D212' in _rule_ids(out)
+
+def test_subprocess_shell_true_tainted_flags(tmp_path):
+    code = (
+        "import subprocess\n"
+        "def f(cmd):\n"
+        "    subprocess.run('sh -c ' + cmd, shell=True)\n"
+    )
+    out = _scan_one(tmp_path, "cmd_subp.py", code)
+    assert 'SKY-D212' in _rule_ids(out)
+
+def test_os_system_constant_does_not_trigger_D212(tmp_path):
+    code = (
+        "import os\n"
+        "def f():\n"
+        "    os.system('echo hi')\n"
+    )
+    out = _scan_one(tmp_path, "cmd_const.py", code)
+    assert 'SKY-D212' not in _rule_ids(out)

test/test_dangerous.py

@@ -1,5 +1,5 @@
 from pathlib import Path
-from skylos.rules.dangerous import scan_ctx
+from skylos.rules.danger import scan_ctx
 
 def _write(tmp_path: Path, name, code):
     p = tmp_path / name
@@ -68,3 +68,34 @@ def test_requests_default_verify_true_is_ok(tmp_path):
     code = "import requests\nrequests.get('https://example.com')\n"
     out = _scan_one(tmp_path, "b_requests_ok.py", code)
     assert "SKY-D210" not in _rule_ids(out)
+
+def test_sql_execute_interpolated_flags(tmp_path):
+    code = """
+def f(cur, name):
+    # f-string interpolation -> should flag SKY-D211
+    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
+"""
+    out = _scan_one(tmp_path, "sql_interp.py", code)
+    assert "SKY-D211" in _rule_ids(out)
+
+
+def test_sql_execute_parameterized_ok(tmp_path):
+    code = """
+def f(cur, name):
+    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
+"""
+    out = _scan_one(tmp_path, "sql_param_ok.py", code)
+    assert "SKY-D211" not in _rule_ids(out)
+
+
+def test_sql_executescript_or_executemany_interpolated_flags(tmp_path):
+    code = """
+def g(cur, tbl):
+    cur.executescript("CREATE TABLE " + tbl)
+
+def h(cur, values):
+    cur.executemany("INSERT INTO t (a,b) VALUES (" + values + ")", [])
+"""
+    out = _scan_one(tmp_path, "sql_execscripts.py", code)
+    ids = _rule_ids(out)
+    assert "SKY-D211" in ids

test/test_path_traversal.py

@@ -0,0 +1,40 @@
+from pathlib import Path
+from skylos.rules.danger import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    return {f["rule_id"] for f in findings}
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_open_tainted_flags(tmp_path):
+    code = (
+        "def f(p):\n"
+        "    with open(p, 'r', encoding='utf-8', errors='ignore') as fh:\n"
+        "        fh.read()\n"
+    )
+    out = _scan_one(tmp_path, "pt_open.py", code)
+    assert 'SKY-D215' in _rule_ids(out)
+
+def test_os_remove_tainted_flags(tmp_path):
+    code = (
+        "import os\n"
+        "def f(p):\n"
+        "    os.remove(p)\n"
+    )
+    out = _scan_one(tmp_path, "pt_os.py", code)
+    assert 'SKY-D215' in _rule_ids(out)
+
+def test_open_constant_ok(tmp_path):
+    code = (
+        "def f():\n"
+        "    open('README.md', 'r')\n"
+    )
+    out = _scan_one(tmp_path, "pt_ok.py", code)
+    assert 'SKY-D215' not in _rule_ids(out)

test/test_sql_injection.py

@@ -0,0 +1,54 @@
+from pathlib import Path
+from skylos.rules.danger import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    return {f["rule_id"] for f in findings}
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_sqlalchemy_text_tainted_flags(tmp_path):
+    code = (
+        "import sqlalchemy as sa\n"
+        "def f(ip):\n"
+        "    sa.text('DELETE FROM logs WHERE ip=' + ip)\n"
+    )
+    out = _scan_one(tmp_path, "raw_sa.py", code)
+    assert 'SKY-D217' in _rule_ids(out)
+
+def test_pandas_read_sql_tainted_flags(tmp_path):
+    code = (
+        "import pandas as pd\n"
+        "def f(conn, name):\n"
+        "    pd.read_sql(f\"SELECT * FROM users WHERE name='{name}'\", conn)\n"
+    )
+    out = _scan_one(tmp_path, "raw_pd.py", code)
+    assert 'SKY-D217' in _rule_ids(out)
+
+def test_django_objects_raw_tainted_flags(tmp_path):
+    code = (
+        "class _O:\n"
+        "    def raw(self, *a, **k):\n"
+        "        return []\n"
+        "class User:\n"
+        "    objects = _O()\n"
+        "def f(u):\n"
+        "    User.objects.raw('SELECT * FROM auth_user WHERE username=' + u)\n"
+    )
+    out = _scan_one(tmp_path, "raw_dj.py", code)
+    assert 'SKY-D217' in _rule_ids(out)
+
+def test_raw_constant_ok(tmp_path):
+    code = (
+        "import pandas as pd\n"
+        "def f(conn):\n"
+        "    pd.read_sql('SELECT 1 AS x', conn)\n"
+    )
+    out = _scan_one(tmp_path, "raw_ok.py", code)
+    assert 'SKY-D217' not in _rule_ids(out)

test/test_ssrf.py

@@ -0,0 +1,51 @@
+from pathlib import Path
+from skylos.rules.danger import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    return {f["rule_id"] for f in findings}
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_requests_tainted_url_flags(tmp_path):
+    code = (
+        "import requests\n"
+        "def f():\n"
+        "    u = input()\n"
+        "    requests.get(u)\n"
+    )
+    out = _scan_one(tmp_path, "ssrf_req.py", code)
+    assert 'SKY-D216' in _rule_ids(out)
+
+def test_httpx_tainted_url_flags(tmp_path):
+    code = (
+        "import httpx\n"
+        "def f(url):\n"
+        "    httpx.post('http://' + url)\n"
+    )
+    out = _scan_one(tmp_path, "ssrf_httpx.py", code)
+    assert 'SKY-D216' in _rule_ids(out)
+
+def test_urllib_urlopen_tainted_url_flags(tmp_path):
+    code = (
+        "import urllib.request as u\n"
+        "def f(x):\n"
+        "    u.urlopen(f'http://{x}')\n"
+    )
+    out = _scan_one(tmp_path, "ssrf_urlopen.py", code)
+    assert 'SKY-D216' in _rule_ids(out)
+
+def test_requests_constant_url_ok(tmp_path):
+    code = (
+        "import requests\n"
+        "def f():\n"
+        "    requests.get('https://example.com', timeout=3)\n"
+    )
+    out = _scan_one(tmp_path, "ssrf_ok.py", code)
+    assert 'SKY-D216' not in _rule_ids(out)

skylos/rules/dangerous.py

@@ -1,135 +0,0 @@
-from __future__ import annotations
-import ast
-from pathlib import Path
-
-ALLOWED_SUFFIXES = (".py", ".pyi", ".pyw")
-
-## will expand this list later with more rules 
-DANGEROUS_CALLS = {
-    "eval": ("SKY-D201", "HIGH", "Use of eval()"),
-    "exec": ("SKY-D202", "HIGH", "Use of exec()"),
-    "os.system": ("SKY-D203", "MEDIUM", "Use of os.system"),
-    "pickle.load": ("SKY-D204", "CRITICAL", "Untrusted deserialization via pickle.load"),
-    "pickle.loads": ("SKY-D205", "CRITICAL", "Untrusted deserialization via pickle.loads"),
-    "yaml.load": ("SKY-D206", "HIGH", "yaml.load without SafeLoader"),
-    "hashlib.md5": ("SKY-D207", "MEDIUM", "Weak hash (MD5)"),
-    "hashlib.sha1": ("SKY-D208", "MEDIUM", "Weak hash (SHA1)"),
-    ## this is for arguments like process
-    "subprocess.*": ("SKY-D209", "HIGH", "subprocess.* with shell=True",
-                     {"kw_equals": {"shell": True}}),
-
-    "requests.*": ("SKY-D210", "HIGH", "requests call with verify=False",
-                   {"kw_equals": {"verify": False}}),
-}
-
-def _matches_rule(name, rule_key):
-    if not name:
-        return False
-    if rule_key.endswith(".*"):
-        return name.startswith(rule_key[:-2] + ".")
-    return name == rule_key
-
-def _kw_equals(node: ast.Call, requirements):
-    if not requirements:
-        return True
-    kw_map = {}
-    keywords = node.keywords or []
-    for kw in keywords:
-        if kw.arg:
-            kw_map[kw.arg] = kw.value
-        
-    for key, expected in requirements.items():
-        val = kw_map.get(key)
-        if not isinstance(val, ast.Constant):
-            return False
-        if val.value is not expected:
-            return False
-    return True
-
-def qualified_name_from_call(node: ast.Call):
-    f = node.func
-    parts = []
-    while isinstance(f, ast.Attribute):
-        parts.append(f.attr)
-        f = f.value
-    if isinstance(f, ast.Name):
-        parts.append(f.id)
-        parts.reverse()
-        return ".".join(parts)
-    if isinstance(f, ast.Name):
-        return f.id
-    return None
-
-def _yaml_load_without_safeloader(node: ast.Call):
-    name = qualified_name_from_call(node)
-    if name != "yaml.load":
-        return False
-
-    for kw in node.keywords or []:
-        if kw.arg == "Loader":
-            try:
-                text = ast.unparse(kw.value)
-                return "SafeLoader" not in text
-            except Exception:
-                return True
-    return True
-
-def _add_finding(findings,
-                 file_path: Path,
-                 node: ast.AST,
-                 rule_id,
-                 severity,
-                 message):
-    findings.append({
-        "rule_id": rule_id,
-        "severity": severity,
-        "message": message,
-        "file": str(file_path),
-        "line": getattr(node, "lineno", 1),
-        "col": getattr(node, "col_offset", 0),
-    })
-
-def scan_ctx(root, files):
-    findings = []
-
-    for file_path in files:
-        if file_path.suffix.lower() not in ALLOWED_SUFFIXES:
-            continue
-
-        try:
-            src = file_path.read_text(encoding="utf-8", errors="ignore")
-            tree = ast.parse(src)
-        except Exception:
-            continue
-
-        for node in ast.walk(tree):
-            if not isinstance(node, ast.Call):
-                continue
-
-            name = qualified_name_from_call(node)
-            if not name:
-                continue
-
-            for rule_key, tup in DANGEROUS_CALLS.items():
-                rule_id, severity, message, *rest = tup
-
-                if rest:
-                    opts = rest[0]
-                else:
-                    opts = None
-
-                if not _matches_rule(name, rule_key):
-                    continue
-                
-                if rule_key == "yaml.load":
-                    if not _yaml_load_without_safeloader(node):
-                        continue
-
-                if opts and "kw_equals" in opts:
-                    if not _kw_equals(node, opts["kw_equals"]):
-                        continue
-
-                _add_finding(findings, file_path, node, rule_id, severity, message)
-                break
-
-    return findings