Merge pull request #317 from github/hvitved/disable-operation-resolution

Temporarily disable operation call resolution
2026-04-24 08:15:14 +02:00 · 2021-09-29 14:17:05 +02:00
parent 5219b1a8b9 10d19bf05b
commit c69762bc14
1 changed files with 31 additions and 27 deletions
--- a/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
+++ b/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -180,38 +180,42 @@ private module Cached {

  cached
  CfgScope getTarget(CfgNodes::ExprNodes::CallCfgNode call) {
-    exists(string method |
-      exists(Module tp |
-        instanceMethodCall(call, tp, method) and
-        result = lookupMethod(tp, method) and
-        if result.(Method).isPrivate()
-        then
-          exists(Self self |
-            self = call.getReceiver().getExpr() and
-            pragma[only_bind_out](self.getEnclosingModule().getModule().getSuperClass*()) =
-              pragma[only_bind_out](result.getEnclosingModule().getModule())
-          ) and
-          // For now, we restrict the scope of top-level declarations to their file.
-          // This may remove some plausible targets, but also removes a lot of
-          // implausible targets
-          if result.getEnclosingModule() instanceof Toplevel
-          then result.getFile() = call.getFile()
+    // Temporarily disable operation resolution (due to bad performance)
+    not call.getExpr() instanceof Operation and
+    (
+      exists(string method |
+        exists(Module tp |
+          instanceMethodCall(call, tp, method) and
+          result = lookupMethod(tp, method) and
+          if result.(Method).isPrivate()
+          then
+            exists(Self self |
+              self = call.getReceiver().getExpr() and
+              pragma[only_bind_out](self.getEnclosingModule().getModule().getSuperClass*()) =
+                pragma[only_bind_out](result.getEnclosingModule().getModule())
+            ) and
+            // For now, we restrict the scope of top-level declarations to their file.
+            // This may remove some plausible targets, but also removes a lot of
+            // implausible targets
+            if result.getEnclosingModule() instanceof Toplevel
+            then result.getFile() = call.getFile()
+            else any()
          else any()
-        else any()
+        )
+        or
+        exists(DataFlow::LocalSourceNode sourceNode |
+          methodCall(call, sourceNode, method) and
+          sourceNode = trackSingletonMethod(result, method)
+        )
      )
      or
-      exists(DataFlow::LocalSourceNode sourceNode |
-        methodCall(call, sourceNode, method) and
-        sourceNode = trackSingletonMethod(result, method)
+      exists(Module superClass, string method |
+        superCall(call, superClass, method) and
+        result = lookupMethod(superClass, method)
      )
+      or
+      result = yieldCall(call)
    )
-    or
-    exists(Module superClass, string method |
-      superCall(call, superClass, method) and
-      result = lookupMethod(superClass, method)
-    )
-    or
-    result = yieldCall(call)
  }
 }