mirror of
https://github.com/github/codeql.git
synced 2026-07-05 11:35:30 +02:00
The `instanceFieldStep` disjunct of `TypeTrackingInput::levelStepCall` that was added in 7.2.0 uses `classInstanceTracker(cls)` -- which is itself a type-tracker -- inside `levelStepCall`. That creates a structural mutual recursion between the main type-tracker fixpoint and `classInstanceTracker`, causing the type-tracker delta to blow up to ~100M tuples per iteration on some OOP-heavy Python codebases. Verified on the python/mypy database: SSRF query wall time goes from ~12s before the offending commit to >40 minutes after it. This hotfix temporarily drops the `instanceFieldStep` disjunct and keeps only `inheritedFieldStep`, which does not pull on the call graph and is well-behaved (verified at ~12s on mypy). The `instanceFieldStep` helper predicate itself is kept in place, and the `levelStepCall` body has a commented-out call to it so the change is trivial to re-enable once the recursion issue is properly addressed.
53 lines
1.5 KiB
Python
53 lines
1.5 KiB
Python
from fastapi import FastAPI
|
|
from hdbcli import dbapi
|
|
from db_connection import get_conn
|
|
from db_connection import hdb_con
|
|
from db_connection import hdb_con2
|
|
from db_connection import hdb_con3
|
|
app = FastAPI()
|
|
|
|
class DatabaseConnection:
|
|
|
|
def __init__(self):
|
|
self._conn = dbapi.connect(address='localhost', port=30015, user='system', password='Password123')
|
|
|
|
def get_conn(self):
|
|
return self._conn
|
|
|
|
db_connection = DatabaseConnection()
|
|
|
|
@app.get("/unsafe1/")
|
|
async def unsafe(name: str): # $ Source
|
|
query = "select * from users where name=" + name
|
|
cursor = hdb_con.cursor()
|
|
cursor.execute(query) # $ Alert
|
|
cursor.close()
|
|
|
|
@app.get("/unsafe2/")
|
|
async def unsafe2(name: str): # $ Source
|
|
query = "select * from users where name=" + name
|
|
cursor = hdb_con2.cursor()
|
|
cursor.execute(query) # $ Alert
|
|
cursor.close()
|
|
|
|
@app.get("/unsafe3/")
|
|
async def unsafe3(name: str): # $ MISSING: Source
|
|
query = "select * from users where name=" + name
|
|
cursor = hdb_con3.cursor()
|
|
cursor.execute(query) # $ MISSING: Alert
|
|
cursor.close()
|
|
|
|
@app.get("/unsafe4/")
|
|
async def unsafe4(name: str): # $ Source
|
|
query = "select * from users where name=" + name
|
|
cursor = get_conn().cursor()
|
|
cursor.execute(query) # $ Alert
|
|
cursor.close()
|
|
|
|
@app.get("/unsafe5/")
|
|
async def unsafe5(name: str): # $ Source
|
|
query = "select * from users where name=" + name
|
|
cursor = db_connection.get_conn().cursor()
|
|
cursor.execute(query) # $ Alert
|
|
cursor.close()
|