hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: enable diff-informedness for poly redos using approximate related locations

Browse Source
This commit is contained in:
Asger F
2025-07-01 16:05:22 +02:00
parent d65da1f8a1
commit a46b5f9529
1 changed files with 4 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
View File

@@ -18,21 +18,13 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
// Diff-informed incremental mode is currently disabled for this query due to
// API limitations. The query exposes sink.getABacktrackingTerm() as an alert
// location, but there is no way to express that information through
// getASelectedSinkLocation() because there is no @location in the CodeQL
// database that corresponds to a term inside a regular expression. As a
// result, this query could miss alerts in diff-informed incremental mode.
//
// To address this problem, we need to have a version of
// getASelectedSinkLocation() that uses hasLocationInfo() instead of
// returning Location objects.
predicate observeDiffInformedIncrementalMode() { none() }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.(Sink).getHighlight().getLocation()
or
}
Location getASelectedSinkLocationApprox(DataFlow::Node sink) {
result = sink.(Sink).getABacktrackingTerm().getLocation()
}
}