codeql/python/ql/test/query-tests/Security/CWE-089-SqlInjection/app.py
Taus f251a572e1 Python: hotfix - disable instanceFieldStep to avoid type-tracker blowup
The `instanceFieldStep` disjunct of `TypeTrackingInput::levelStepCall`
that was added in 7.2.0 uses `classInstanceTracker(cls)` -- which is
itself a type-tracker -- inside `levelStepCall`. That creates a
structural mutual recursion between the main type-tracker fixpoint and
`classInstanceTracker`, causing the type-tracker delta to blow up to
~100M tuples per iteration on some OOP-heavy Python codebases.
Verified on the python/mypy database: SSRF query wall time goes from
~12s before the offending commit to >40 minutes after it.

This hotfix temporarily drops the `instanceFieldStep` disjunct and
keeps only `inheritedFieldStep`, which does not pull on the call
graph and is well-behaved (verified at ~12s on mypy). The
`instanceFieldStep` helper predicate itself is kept in place, and
the `levelStepCall` body has a commented-out call to it so the
change is trivial to re-enable once the recursion issue is properly
addressed.
2026-06-30 14:41:12 +00:00


from fastapi import FastAPI
from hdbcli import dbapi
from db_connection import get_conn
from db_connection import hdb_con
from db_connection import hdb_con2
from db_connection import hdb_con3
# FastAPI application that the ``/unsafeN/`` routes below are registered on.
app = FastAPI()
class DatabaseConnection:
    """Wrap a single ``hdbcli`` (SAP HANA) connection opened at construction.

    ``unsafe5`` below pulls a cursor from the connection returned by
    ``get_conn`` so the test covers flow through a method call on a
    module-level instance.
    """

    def __init__(self):
        # Hard-coded connection parameters. The credential is a test-fixture
        # placeholder (this file lives under ql/test), not a real secret;
        # the query under test does not look at it.
        self._conn = dbapi.connect(address='localhost', port=30015, user='system', password='Password123')

    def get_conn(self):
        """Return the connection opened in ``__init__``."""
        return self._conn
# Module-level instance whose connection ``unsafe5`` takes a cursor from.
# Note the name is distinct from the ``db_connection`` module imported above.
db_connection = DatabaseConnection()
@app.get("/unsafe1/")
async def unsafe(name: str): # $ Source
    """SQL-injection test case: request-controlled ``name`` reaches ``execute``.

    ``name`` is the remote source (the ``$ Source`` expectation) and is
    concatenated straight into the statement, so the query is expected to
    flag the ``cursor.execute`` call (the ``$ Alert`` expectation). The
    string-built SQL is deliberate test input for the CWE-089 query.
    """
    # Sink under test: untrusted input concatenated into the SQL text.
    query = "select * from users where name=" + name
    # Cursor comes from the imported module-level connection ``hdb_con``.
    cursor = hdb_con.cursor()
    cursor.execute(query) # $ Alert
    cursor.close()
@app.get("/unsafe2/")
async def unsafe2(name: str): # $ Source
    """Same sink as ``unsafe`` but with the cursor taken from ``hdb_con2``.

    ``name`` is the remote source and the concatenated statement reaches
    ``cursor.execute``; the ``$ Alert`` expectation records that the query
    is expected to report it. Deliberate test input for the CWE-089 query.
    """
    # Sink under test: untrusted input concatenated into the SQL text.
    query = "select * from users where name=" + name
    # Second imported module-level connection, to cover a different
    # connection object with the same access pattern.
    cursor = hdb_con2.cursor()
    cursor.execute(query) # $ Alert
    cursor.close()
@app.get("/unsafe3/")
async def unsafe3(name: str): # $ MISSING: Source
    """Same sink as ``unsafe`` with the cursor taken from ``hdb_con3``.

    Both expectations are marked ``MISSING``: the query currently does not
    recognise this case, and the markers record that gap as a known false
    negative rather than an accepted result. Presumably the difference lies
    in how ``hdb_con3`` is defined in ``db_connection`` (not visible here).
    """
    # Sink under test: untrusted input concatenated into the SQL text.
    query = "select * from users where name=" + name
    cursor = hdb_con3.cursor()
    cursor.execute(query) # $ MISSING: Alert
    cursor.close()
@app.get("/unsafe4/")
async def unsafe4(name: str): # $ Source
    """Same sink as ``unsafe`` with the connection obtained from a function call.

    ``get_conn`` here is the function imported from the ``db_connection``
    module (not the method on ``DatabaseConnection``), so this case covers
    flow through a call-returned connection. Deliberate test input.
    """
    # Sink under test: untrusted input concatenated into the SQL text.
    query = "select * from users where name=" + name
    cursor = get_conn().cursor()
    cursor.execute(query) # $ Alert
    cursor.close()
@app.get("/unsafe5/")
async def unsafe5(name: str): # $ Source
    """Same sink as ``unsafe`` with the connection obtained via a method call.

    The cursor comes from ``DatabaseConnection.get_conn`` on the
    module-level ``db_connection`` instance, covering flow through an
    instance attribute returned by a method. Deliberate test input.
    """
    # Sink under test: untrusted input concatenated into the SQL text.
    query = "select * from users where name=" + name
    cursor = db_connection.get_conn().cursor()
    cursor.execute(query) # $ Alert
    cursor.close()