MCPcopy Create free account
hub / github.com/SourceCode-AI/aura / node_Call

Method node_Call

aura/analyzers/python/sqli.py:56–80  ·  view source on GitHub ↗

Query: "SELECT * FROM users WHERE id = {}".format(uid) AST: Call(Attribute(String(value='SELECT * FROM users WHERE id = {}') . 'format'))(*['uid'])

(self, context)

Source from the content-addressed store, hash-verified

54 )
55
56 def node_Call(self, context):
57 """
58 Query:
59 "SELECT * FROM users WHERE id = {}".format(uid)
60 AST:
61 Call(Attribute(String(value='SELECT * FROM users WHERE id = {}') . 'format'))(*['uid'])
62 """
63 n = context.node
64 if not (
65 isinstance(n.func, Attribute)
66 and isinstance(n.func.source, String)
67 and n.func.attr == "format"
68 ):
69 return
70 if not is_sql(n.func.source.value):
71 return
72
73 yield Detection(
74 detection_type="SQLInjection",
75 score=50,
76 message="Possible SQL injection found",
77 signature=f"vuln#sqli#{context.signature}",
78 node = context.node,
79 line_no=context.node.line_no,
80 )

Callers

nothing calls this directly

Calls 2

is_sqlFunction · 0.85
DetectionClass · 0.85

Tested by

no test coverage detected