CodeQL library for Python
codeql/python-all 0.11.14 (changelog, source)

Module SqlAlchemy::TextClause

Provides models for the sqlalchemy.sql.expression.TextClause class, which represents a textual SQL string directly.

session.query(For14).filter_by(description=sqlalchemy.text(f"'{user_input}'")).all()

Initially I wanted to add lots of additional taint steps so that the normal SQL injection query would be able to find cases like the one above, where an ORM query includes a TextClause that includes user input directly. But that presented 2 problems:

  • Which part of the query construction above should be marked as SQL to fit our SqlExecution concept? Nothing really fits this well, since all the SQL execution happens under the hood.
  • This would require a LOT of modeling for these additional taint steps, since there are many, many constructs we would need to have models for (see the 2 examples below).

So instead we extended the SQL injection query to include TextClause construction as a sink. As a result, we don't highlight any part of an ORM-constructed query such as these as containing SQL, and we don't need the additional taint steps either.
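As an added illustration (not code from the CodeQL library or its documentation), the stand-alone Python script below approximates the sink described above with the standard-library `ast` module: it reports every `sqlalchemy.text(...)` / `text(...)` call whose SQL argument is assembled at runtime (f-string, concatenation, `%` or `.format`), and leaves alone a constant SQL string that passes user input through `bindparams`. The sample source it scans is constructed here; `Model`, `session` and the function names are placeholders. It is a purely lexical check, so unlike the CodeQL query it cannot tell whether a variable actually carries user input and conservatively treats any non-literal argument as dynamic.

```python
import ast

# Constructed sample source to scan (not from the original page); it is only
# parsed, never executed, so `Model` and `session` need not exist.
SAMPLE_SOURCE = '''
import sqlalchemy
from sqlalchemy import text

def unsafe(session, user_input):
    # f-string interpolation: the TextClause is built from user input
    return session.query(Model).filter_by(description=sqlalchemy.text(f"'{user_input}'")).all()

def unsafe_concat(session, user_input):
    return session.execute(text("SELECT * FROM t WHERE d = '" + user_input + "'"))

def unsafe_format(session, user_input):
    return session.execute(text("SELECT * FROM t WHERE d = '{}'".format(user_input)))

def safe(session, user_input):
    # constant SQL text plus a bound parameter: user input never becomes SQL
    stmt = text("SELECT * FROM t WHERE d = :d").bindparams(d=user_input)
    return session.execute(stmt)
'''

# Ways the TextClause constructor is commonly referenced.
TEXT_CALL_NAMES = {
    "text",                           # after `from sqlalchemy import text`
    "sqlalchemy.text",
    "sqlalchemy.sql.text",
    "sqlalchemy.sql.expression.text",
}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def sql_argument(call):
    """The SQL argument of text(): first positional arg or the `text=` keyword."""
    if call.args:
        return call.args[0]
    for kw in call.keywords:
        if kw.arg == "text":
            return kw.value
    return None


def is_dynamic_sql(expr):
    """True when the SQL string is assembled at runtime rather than written as a literal."""
    if expr is None:
        return False
    if isinstance(expr, ast.Constant) and isinstance(expr.value, str):
        return False                                  # literal SQL: safe
    if isinstance(expr, ast.JoinedStr):
        return True                                   # f-string
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)):
        return True                                   # "..." + x  or  "..." % x
    if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute) \
            and expr.func.attr == "format":
        return True                                   # "...".format(x)
    # A variable or other call: no dataflow here, so treat it as dynamic.
    return True


class TextClauseScanner(ast.NodeVisitor):
    """Collect (line, enclosing function) for every text() call built from dynamic SQL."""

    def __init__(self):
        self.findings = []
        self._funcs = []

    def visit_FunctionDef(self, node):
        self._funcs.append(node.name)
        self.generic_visit(node)
        self._funcs.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        if dotted_name(node.func) in TEXT_CALL_NAMES and is_dynamic_sql(sql_argument(node)):
            self.findings.append((node.lineno, self._funcs[-1] if self._funcs else "<module>"))
        self.generic_visit(node)


def find_dynamic_text_clauses(source):
    scanner = TextClauseScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


if __name__ == "__main__":
    for line, func in find_dynamic_text_clauses(SAMPLE_SOURCE):
        print(f"line {line}: TextClause built from dynamic SQL in {func}()")
```

Running the script reports the three `unsafe*` functions and nothing for `safe`, which is the same distinction the sink makes: the problem is not `text()` itself but a TextClause whose SQL string is shaped by untrusted input, and the fix is to keep the SQL constant and carry values in bound parameters.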

See

Import path

import semmle.python.frameworks.SqlAlchemy

Classes

TextClauseConstruction

A construction of a sqlalchemy.sql.expression.TextClause, which represents a textual SQL string directly.