Python: Move ControlFlowNode.toString() to AST cached stage

This means points-to is no longer evaluated for sql injection 🎉 Thanks @asgerf 💪
2025-12-21 19:26:31 +01:00 · 2022-11-24 10:14:39 +01:00
parent 69b43f147a
commit d151e21f15
2 changed files with 3 additions and 4 deletions
--- a/python/ql/lib/semmle/python/Flow.qll
+++ b/python/ql/lib/semmle/python/Flow.qll
@@ -125,7 +125,7 @@ class ControlFlowNode extends @py_flow_node {
  /** Gets a textual representation of this element. */
  cached
  string toString() {
-    Stages::PointsTo::ref() and
+    Stages::AST::ref() and
    exists(Scope s | s.getEntryNode() = this | result = "Entry node for " + s.toString())
    or
    exists(Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
--- a/python/ql/lib/semmle/python/internal/CachedStages.qll
+++ b/python/ql/lib/semmle/python/internal/CachedStages.qll
@@ -93,6 +93,8 @@ module Stages {
      exists(PyFlow::DefinitionNode b)
      or
      exists(any(PyFlow::SequenceNode n).getElement(_))
+      or
+      exists(any(PyFlow::ControlFlowNode c).toString())
    }
  }

@@ -140,7 +142,6 @@ module Stages {
    private import semmle.python.pointsto.Base as PointsToBase
    private import semmle.python.types.Object as TypeObject
    private import semmle.python.objects.TObject as TObject
-    private import semmle.python.Flow as Flow
    private import semmle.python.objects.ObjectInternal as ObjectInternal
    // have to alias since this module is also called PointsTo
    private import semmle.python.pointsto.PointsTo as RealPointsTo
@@ -159,8 +160,6 @@ module Stages {
      or
      exists(TObject::TObject f)
      or
-      exists(any(Flow::ControlFlowNode c).toString())
-      or
      exists(any(ObjectInternal::ObjectInternal o).toString())
      or
      RealPointsTo::AttributePointsTo::variableAttributePointsTo(_, _, _, _, _)