
Commit f4d8358

Merge pull request #22110 from github/post-release-prep/codeql-cli-2.26.0
Post-release preparation for codeql-cli-2.26.0
2 parents 0a02b16 + 5e50fc8 commit f4d8358

5 files changed

Lines changed: 24 additions & 24 deletions

File tree

python/ql/lib/CHANGELOG.md

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,7 @@ No user-facing changes.
7070

7171
### Minor Analysis Improvements
7272

73-
* Added new full SSRF sanitization barrier from the new AntiSSRF library.
73+
* Added new full SSRF sanitization barrier from the new AntiSSRF library.
7474
* When a guard such as `isSafe(x)` is defined, we now also automatically handle `isSafe(x) == true` and `isSafe(x) != false`.
7575

7676
## 6.1.1
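Review bot: the removed and added lines in this hunk (and in every other hunk of this file) are textually identical in the rendered view, so the actual change is whitespace or line-ending normalization that the reader cannot see. That is fine for post-release preparation, but the PR description should say so explicitly (e.g. "normalize trailing whitespace / line endings in CHANGELOG.md") so that blame and bisect readers are not left guessing, and if it is a line-ending change a `.gitattributes` rule would stop it from recurring. While touching the file, the context lines further down mix `-` and `*` as bullet markers (`- The modelling of Psycopg2 ...` next to `* Removed lxml ...`); unifying them would be a cheap consistency win.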
@@ -169,7 +169,7 @@ No user-facing changes.
169169
### Minor Analysis Improvements
170170

171171
- The modelling of Psycopg2 now supports the use of `psycopg2.pool` connection pools for handling database connections.
172-
* Removed `lxml` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077) that prevents XML bomb attacks.
172+
* Removed `lxml` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077) that prevents XML bomb attacks.
173173

174174
## 4.0.13
175175

@@ -262,7 +262,7 @@ No user-facing changes.
262262
### Minor Analysis Improvements
263263

264264
* The sensitive data library has been improved so that `snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
265-
- Additional taint steps through methods of `lxml.etree.Element` and `lxml.etree.ElementTree` objects from the `lxml` PyPI package have been modeled.
265+
- Additional taint steps through methods of `lxml.etree.Element` and `lxml.etree.ElementTree` objects from the `lxml` PyPI package have been modeled.
266266

267267
## 3.1.0
268268

@@ -316,7 +316,7 @@ No user-facing changes.
316316

317317
### Minor Analysis Improvements
318318

319-
* The common sanitizer guard `StringConstCompareBarrier` has been renamed to `ConstCompareBarrier` and expanded to cover comparisons with other constant values such as `None`. This may result in fewer false positive results for several queries.
319+
* The common sanitizer guard `StringConstCompareBarrier` has been renamed to `ConstCompareBarrier` and expanded to cover comparisons with other constant values such as `None`. This may result in fewer false positive results for several queries.
320320

321321
## 2.0.0
322322

@@ -545,7 +545,7 @@ No user-facing changes.
545545

546546
### New Features
547547

548-
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
548+
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
549549
Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
550550

551551
### Minor Analysis Improvements
@@ -572,7 +572,7 @@ No user-facing changes.
572572
* Deleted many deprecated predicates and classes with uppercase `API`, `HTTP`, `XSS`, `SQL`, etc. in their names. Use the PascalCased versions instead.
573573
* Deleted the deprecated `getName()` predicate from the `Container` class, use `getAbsolutePath()` instead.
574574
* Deleted many deprecated module names that started with a lowercase letter, use the versions that start with an uppercase letter instead.
575-
* Deleted many deprecated predicates in `PointsTo.qll`.
575+
* Deleted many deprecated predicates in `PointsTo.qll`.
576576
* Deleted many deprecated files from the `semmle.python.security` package.
577577
* Deleted the deprecated `BottleRoutePointToExtension` class from `Extensions.qll`.
578578
* Type tracking is now aware of flow summaries. This leads to a richer API graph, and may lead to more results in some queries.
@@ -729,7 +729,7 @@ No user-facing changes.
729729
### Deprecated APIs
730730

731731
* Some unused predicates in `SsaDefinitions.qll`, `TObject.qll`, `protocols.qll`, and the `pointsto/` folder have been deprecated.
732-
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
732+
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
733733
The old name still exists as a deprecated alias.
734734

735735
### Minor Analysis Improvements
@@ -748,9 +748,9 @@ No user-facing changes.
748748

749749
### Deprecated APIs
750750

751-
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
751+
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
752752
The old name still exists as a deprecated alias.
753-
* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package.
753+
* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package.
754754
The previous files still exist as deprecated aliases.
755755

756756
### Minor Analysis Improvements
@@ -843,9 +843,9 @@ No user-facing changes.
843843

844844
### Deprecated APIs
845845

846-
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
846+
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
847847
The old name still exists as a deprecated alias.
848-
* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
848+
* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
849849
The old name still exists as a deprecated alias.
850850

851851
### New Features

python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll

Lines changed: 7 additions & 1 deletion
@@ -170,7 +170,13 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
170170

171171
/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which may depend on the call graph. */
172172
predicate levelStepCall(Node nodeFrom, LocalSourceNode nodeTo) {
173-
instanceFieldStep(nodeFrom, nodeTo)
173+
// HOTFIX: `instanceFieldStep` is temporarily disabled (via `and none()`).
174+
// It uses `classInstanceTracker(cls)` -- itself a type-tracker run --
175+
// from inside `levelStepCall`, creating a structural mutual recursion
176+
// that causes catastrophic query slowdowns on some OOP-heavy Python
177+
// codebases (e.g. mypy and dask). The `and none()` should be removed
178+
// once that recursion is redesigned.
179+
instanceFieldStep(nodeFrom, nodeTo) and none()
174180
or
175181
inheritedFieldStep(nodeFrom, nodeTo)
176182
}
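Review bot: the `and none()` on the new line 179 silently reduces recall of instance-field type tracking, and the test updates elsewhere in this PR show real results disappearing (the `unsafe3` row in `SqlInjection.expected`, the `tracked` annotations in `attribute_tests.py`), yet there is no user-facing change note and the comment names no tracking issue. Suggest adding an entry to `CHANGELOG.md` (or whatever feeds it) describing the temporary loss of instance-field tracking, and replacing "once that recursion is redesigned" with a link to the issue that tracks the redesign so the `and none()` is not forgotten. Keeping `instanceFieldStep(nodeFrom, nodeTo) and none()` instead of deleting the call is a sensible choice: the predicate stays referenced and the eventual revert is a one-token change.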

python/ql/test/library-tests/dataflow/typetracking/attribute_tests.py

Lines changed: 4 additions & 4 deletions
@@ -157,7 +157,7 @@ def possibly_uncalled_method(self): # $ MISSING: tracked=foo
157157
print(self.foo) # $ tracked MISSING: tracked=foo
158158

159159
instance = MyClass2()
160-
print(instance.foo) # $ tracked MISSING: tracked=foo
160+
print(instance.foo) # $ MISSING: tracked=foo tracked
161161
instance.print_foo() # $ MISSING: tracked=foo
162162

163163

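Review bot: moving `tracked` behind `MISSING:` on the new line 160 (and in the three identical edits below) turns an expected instance-attribute result into a known-missing one, which matches the hotfix in `TypeTrackingImpl.qll`. When that hotfix is reverted these lines will start failing with an unexpected `tracked` result and have to be changed back to `# $ tracked MISSING: tracked=foo`; a one-line comment near the first of them pointing at the hotfix would make that reversal obvious to whoever hits the failure rather than looking like a fresh regression.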
@@ -195,7 +195,7 @@ def read_foo(self): # $ MISSING: tracked=foo
195195

196196
sub1 = Sub1()
197197
sub1.read_foo()
198-
print(sub1.foo) # $ tracked MISSING: tracked=foo
198+
print(sub1.foo) # $ MISSING: tracked=foo tracked
199199

200200

201201
# attribute written in a subclass method, read in an inherited base class method
@@ -210,7 +210,7 @@ def __init__(self): # $ tracked=bar
210210

211211
sub2 = Sub2()
212212
sub2.read_bar()
213-
print(sub2.bar) # $ tracked MISSING: tracked=bar
213+
print(sub2.bar) # $ MISSING: tracked=bar tracked
214214

215215

216216
# attribute written in a base class method, read on an instance of the subclass
@@ -223,4 +223,4 @@ class Sub3(Base3):
223223
pass
224224

225225
sub3 = Sub3()
226-
print(sub3.baz) # $ tracked MISSING: tracked=baz
226+
print(sub3.baz) # $ MISSING: tracked=baz tracked

python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected

Lines changed: 0 additions & 6 deletions
@@ -1,7 +1,6 @@
11
#select
22
| app.py:23:20:23:24 | ControlFlowNode for query | app.py:20:18:20:21 | ControlFlowNode for name | app.py:23:20:23:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:20:18:20:21 | ControlFlowNode for name | user-provided value |
33
| app.py:30:20:30:24 | ControlFlowNode for query | app.py:27:19:27:22 | ControlFlowNode for name | app.py:30:20:30:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:27:19:27:22 | ControlFlowNode for name | user-provided value |
4-
| app.py:37:20:37:24 | ControlFlowNode for query | app.py:34:19:34:22 | ControlFlowNode for name | app.py:37:20:37:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:34:19:34:22 | ControlFlowNode for name | user-provided value |
54
| app.py:44:20:44:24 | ControlFlowNode for query | app.py:41:19:41:22 | ControlFlowNode for name | app.py:44:20:44:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:41:19:41:22 | ControlFlowNode for name | user-provided value |
65
| app.py:51:20:51:24 | ControlFlowNode for query | app.py:48:19:48:22 | ControlFlowNode for name | app.py:51:20:51:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:48:19:48:22 | ControlFlowNode for name | user-provided value |
76
| sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value |
@@ -25,8 +24,6 @@ edges
2524
| app.py:21:5:21:9 | ControlFlowNode for query | app.py:23:20:23:24 | ControlFlowNode for query | provenance | |
2625
| app.py:27:19:27:22 | ControlFlowNode for name | app.py:28:5:28:9 | ControlFlowNode for query | provenance | |
2726
| app.py:28:5:28:9 | ControlFlowNode for query | app.py:30:20:30:24 | ControlFlowNode for query | provenance | |
28-
| app.py:34:19:34:22 | ControlFlowNode for name | app.py:35:5:35:9 | ControlFlowNode for query | provenance | |
29-
| app.py:35:5:35:9 | ControlFlowNode for query | app.py:37:20:37:24 | ControlFlowNode for query | provenance | |
3027
| app.py:41:19:41:22 | ControlFlowNode for name | app.py:42:5:42:9 | ControlFlowNode for query | provenance | |
3128
| app.py:42:5:42:9 | ControlFlowNode for query | app.py:44:20:44:24 | ControlFlowNode for query | provenance | |
3229
| app.py:48:19:48:22 | ControlFlowNode for name | app.py:49:5:49:9 | ControlFlowNode for query | provenance | |
@@ -54,9 +51,6 @@ nodes
5451
| app.py:27:19:27:22 | ControlFlowNode for name | semmle.label | ControlFlowNode for name |
5552
| app.py:28:5:28:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
5653
| app.py:30:20:30:24 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
57-
| app.py:34:19:34:22 | ControlFlowNode for name | semmle.label | ControlFlowNode for name |
58-
| app.py:35:5:35:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
59-
| app.py:37:20:37:24 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
6054
| app.py:41:19:41:22 | ControlFlowNode for name | semmle.label | ControlFlowNode for name |
6155
| app.py:42:5:42:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
6256
| app.py:44:20:44:24 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |

python/ql/test/query-tests/Security/CWE-089-SqlInjection/app.py

Lines changed: 2 additions & 2 deletions
@@ -31,10 +31,10 @@ async def unsafe2(name: str): # $ Source
3131
cursor.close()
3232

3333
@app.get("/unsafe3/")
34-
async def unsafe3(name: str): # $ Source
34+
async def unsafe3(name: str): # $ MISSING: Source
3535
query = "select * from users where name=" + name
3636
cursor = hdb_con3.cursor()
37-
cursor.execute(query) # $ Alert
37+
cursor.execute(query) # $ MISSING: Alert
3838
cursor.close()
3939

4040
@app.get("/unsafe4/")
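Review bot: on the new line 34 the `Source` expectation is marked MISSING alongside the `Alert` on line 37, but nothing visible here suggests the `name: str` parameter is no longer recognized as a remote flow source; the `TypeTrackingImpl.qll` change affects instance-field tracking, i.e. the path from the source to the `cursor.execute` sink, not source detection. If the inline expectation only reports sources that participate in a reported path, this edit is correct and a short comment saying so would help the next reader; if sources are reported independently, `# $ Source` should stay and only `# $ MISSING: Alert` is needed. Either way, a comment on `unsafe3` pointing at the hotfix would explain why this one handler differs from `unsafe2` and `unsafe4` in the same file.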
