Python: Fix bad join in crypto models

2025-12-20 10:46:30 +01:00 · 2021-02-16 11:07:58 +01:00
parent 32d0790500
commit 8d3170bcb4
1 changed files with 14 additions and 1 deletions
--- a/python/ql/src/semmle/python/frameworks/Cryptography.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptography.qll
@@ -432,11 +432,24 @@ private module CryptographyModel {
                curveClassWithKeySize(keySize).asCfgNode() and
              origin = result
              or
+              // Due to bad performance when using normal setup with we have inlined that code and forced a join
              exists(DataFlow::TypeTracker t2 |
-                result = curveClassInstanceWithKeySize(t2, keySize, origin).track(t2, t)
+                exists(DataFlow::StepSummary summary |
+                  curveClassInstanceWithKeySize_first_join(t2, keySize, origin, result, summary) and
+                  t = t2.append(summary)
+                )
              )
            }

+            pragma[nomagic]
+            private predicate curveClassInstanceWithKeySize_first_join(
+              DataFlow::TypeTracker t2, int keySize, DataFlow::Node origin, DataFlow::Node res,
+              DataFlow::StepSummary summary
+            ) {
+              DataFlow::StepSummary::step(curveClassInstanceWithKeySize(t2, keySize, origin), res,
+                summary)
+            }
+
            /** Gets a reference to a predefined curve class instance with a specific key size (in bits), as well as the origin of the class. */
            DataFlow::Node curveClassInstanceWithKeySize(int keySize, DataFlow::Node origin) {
              result = curveClassInstanceWithKeySize(DataFlow::TypeTracker::end(), keySize, origin)