Python: Rename and add docs

Author: yoff

python/ql/src/experimental/semmle/python/Frameworks.qll

@@ -8,6 +8,6 @@ private import experimental.semmle.python.frameworks.Fabric
 private import experimental.semmle.python.frameworks.Flask
 private import experimental.semmle.python.frameworks.Invoke
 private import experimental.semmle.python.frameworks.MySQLdb
-private import experimental.semmle.python.frameworks.Mysql
+private import experimental.semmle.python.frameworks.MysqlConnectorPython
 private import experimental.semmle.python.frameworks.Stdlib
 private import experimental.semmle.python.frameworks.Yaml

python/ql/src/experimental/semmle/python/frameworks/MySQLdb.qll

@@ -1,23 +1,38 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `MySQLdb` PyPI package.
+ * See
+ * - https://mysqlclient.readthedocs.io/index.html
+ * - https://pypi.org/project/MySQL-python/
+ */
+
 private import python
 private import experimental.dataflow.DataFlow
 private import experimental.dataflow.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 private import PEP249
 
-// ---------------------------------------------------------------------------
-// MySQLdb
-// ---------------------------------------------------------------------------
-/** Gets a reference to the `MySQLdb` module. */
-private DataFlow::Node moduleMySQLdb(DataFlow::TypeTracker t) {
-  t.start() and
-  result = DataFlow::importNode("MySQLdb")
-  or
-  exists(DataFlow::TypeTracker t2 | result = moduleMySQLdb(t2).track(t2, t))
-}
+/**
+ * Provides models for the `MySQLdb` PyPI package.
+ * See
+ * - https://mysqlclient.readthedocs.io/index.html
+ * - https://pypi.org/project/MySQL-python/
+ */
+module MySQLdb {
+  // ---------------------------------------------------------------------------
+  // MySQLdb
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `MySQLdb` module. */
+  private DataFlow::Node moduleMySQLdb(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("MySQLdb")
+    or
+    exists(DataFlow::TypeTracker t2 | result = moduleMySQLdb(t2).track(t2, t))
+  }
 
-/** Gets a reference to the `MySQLdb` module. */
-DataFlow::Node moduleMySQLdb() { result = moduleMySQLdb(DataFlow::TypeTracker::end()) }
+  /** Gets a reference to the `MySQLdb` module. */
+  DataFlow::Node moduleMySQLdb() { result = moduleMySQLdb(DataFlow::TypeTracker::end()) }
 
-class MySQLdb extends PEP249Module {
-  MySQLdb() { this = moduleMySQLdb() }
+  class MySQLdb extends PEP249Module {
+    MySQLdb() { this = moduleMySQLdb() }
+  }
 }

python/ql/src/experimental/semmle/python/frameworks/MysqlConnectorPython.qll

@@ -0,0 +1,80 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `mysql-connector-python` package.
+ * See https://dev.mysql.com/doc/dev/connector-python/.
+ */
+
+private import python
+private import experimental.dataflow.DataFlow
+private import experimental.dataflow.RemoteFlowSources
+private import experimental.semmle.python.Concepts
+private import PEP249
+
+/**
+ * Provides models for the `mysql-connector-python` package.
+ * See https://dev.mysql.com/doc/dev/connector-python/.
+ */
+module MysqlConnectorPython {
+  // ---------------------------------------------------------------------------
+  // mysql
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `mysql` module. */
+  private DataFlow::Node mysql(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("mysql")
+    or
+    exists(DataFlow::TypeTracker t2 | result = mysql(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `mysql` module. */
+  DataFlow::Node mysql() { result = mysql(DataFlow::TypeTracker::end()) }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `mysql` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node mysql_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["connector"] and
+    (
+      t.start() and
+      result = DataFlow::importNode("mysql" + "." + attr_name)
+      or
+      t.startInAttr(attr_name) and
+      result = mysql()
+    )
+    or
+    // Due to bad performance when using normal setup with `mysql_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        mysql_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate mysql_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(mysql_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `mysql` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node mysql_attr(string attr_name) {
+    result = mysql_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
+
+  /** Provides models for the `mysql` module. */
+  module mysql {
+    /**
+     * The mysql.connector module
+     * See https://dev.mysql.com/doc/connector-python/en/connector-python-example-connecting.html
+     */
+    class MysqlConnector extends PEP249Module {
+      MysqlConnector() { this = mysql_attr("connector") }
+    }
+  }
+}