Continuing the focus on Django security, I've hacked up a scanner for raw SQL queries that should aid in an application audit. Please see [1] for source code and sample output.
This project started with Adam Baldwin's regex to find raw SQL queries:
grep -R ".raw(" *
grep -R ".execute(" *
However, the scanner [1] is a bit more powerful. It checks that string interpolation is actually being used on the first parameter to those methods. Using the ast module with Python's native parser gives us more flexibility than regex ever will, and this basic proof of concept could be extended into a full-blown static analysis tool. Who's interested?
The only downside I see is that because we "unparse" the AST into a string, you won't be able to do a search of the source file for the matched calls. The line numbers that are output will have to suffice.
Could someone please add recursive directory traversal to send all the *.py files under a directory through the scanner?
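To show the AST approach described above, here is an added example of such a scanner (editor's code, not the scanner at [1]). It walks every ast.Call whose method name is raw or execute, flags the call when its first positional argument is built by % formatting, str.format(), an f-string or + concatenation, and reports the line number plus the unparsed call text (ast.unparse needs Python 3.9+). It also includes the recursive *.py traversal asked for, using pathlib.rglob. The embedded sample module is constructed for the demonstration, and the module/model names in it are made up.

```python
import ast
import sys
from pathlib import Path

# Methods whose first argument is a SQL string in Django: Manager.raw() and
# cursor.execute(). The match is by attribute name only, so any object's
# .raw()/.execute() will match; treat the output as an audit worklist.
SQL_METHODS = {"raw", "execute"}


def is_interpolated(node):
    """True if the expression builds a string dynamically: '%' formatting,
    '+' concatenation, an f-string, or a .format() call."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def scan_source(source, filename="<string>"):
    """Return (filename, lineno, call_text) for every .raw()/.execute() call
    whose first positional argument is an interpolated string.
    A parameterised call such as cursor.execute("... %s", [name]) is not flagged,
    because its first argument is a plain constant."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in SQL_METHODS):
            continue
        if node.args and is_interpolated(node.args[0]):
            findings.append((filename, node.lineno, ast.unparse(node)))
    findings.sort(key=lambda f: f[1])
    return findings


def scan_tree(root):
    """Recursively send every *.py file under root through scan_source.
    Unreadable or unparsable files are skipped rather than aborting the audit."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        try:
            findings.extend(scan_source(path.read_text(encoding="utf-8"), str(path)))
        except (OSError, UnicodeDecodeError, SyntaxError):
            continue
    return findings


# Constructed sample module (hypothetical app); lines 7-10 should be flagged.
SAMPLE = '''
from django.db import connection
from myapp.models import Person

def bad(name, table):
    cursor = connection.cursor()
    cursor.execute("SELECT * FROM %s WHERE name = '%s'" % (table, name))
    cursor.execute("SELECT * FROM app_person WHERE name = '{}'".format(name))
    cursor.execute(f"SELECT * FROM {table}")
    Person.objects.raw("SELECT * FROM app_person WHERE name = '" + name + "'")

def good(name):
    cursor = connection.cursor()
    cursor.execute("SELECT * FROM app_person WHERE name = %s", [name])
    return Person.objects.raw("SELECT * FROM app_person WHERE name = %s", [name])
'''

if __name__ == "__main__":
    # Usage: python rawsql_scan.py [directory]; with no argument, scan SAMPLE.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE, "sample.py")
    for filename, lineno, call in results:
        print(f"{filename}:{lineno}: {call}")
```

Because the check is purely syntactic, a query that interpolates a trusted constant (a table name from settings, say) is reported too; the line numbers point you at each call so those can be triaged by hand, and a `%s` placeholder passed with a separate params list is left alone.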