github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License
7.71k stars 1.55k forks

General issue: Python: Unable to recognize calling a method through an instance member of a class #14899

Open luke10481 opened 12 months ago

luke10481 commented 12 months ago

When evaluating "private API::Node connection()", the query result should find "self.orm.connection()", but the query returns no results.

private API::Node dbClient() {
  result = API::moduleImport("dbutils").getMember("pooled_db").getMember("PooledDB").getReturn()
}

private API::Node connection() {
  result = dbClient().getMember("connection").getReturn()
}

Python demo here:

import flask
import pymysql
from flask import request
from dbutils.pooled_db import PooledDB

app = flask.Flask(__name__)

class Database:
    def __init__(self):
        self.orm = self.dbpool()

    def dbpool(self):
        pool = PooledDB(
            creator=pymysql
        )
        return pool

    def conn(self):
        self.orm.connection()

@app.route('/search')
def search():
    query = request.args.get('query')
    database = Database()
    database.conn()
    database.orm.connection()
    return f"Search query: {query}"

if __name__ == '__main__':
    app.run()

MathiasVP commented 12 months ago

Hi @luke10481,

Can you quick-eval any of the sub-expressions to figure out where you lose your result? Here are a couple of questions I'd ask if I were to debug this:

  • Does quick-evaluation of the dbClient predicate give any results?

    • If yes: Does dbClient().getMember("connection") give any results?
    • If no: Does quick-evaluation of API::moduleImport("dbutils") give any results?

By quick-eval'ing iteratively larger sub expressions you can investigate which expression is causing the full evaluation to give no results.
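A query that does the stage-by-stage quick-evaluation described above in one go, as an added example that is not part of the original thread or of the CodeQL library. It reuses the reporter's two predicates from the issue; the stage names, the query id and the choice to report each node's source via asSource() are assumptions made here for illustration. Run it (or quick-eval the stage predicate) against a database built from the demo: the first stage with no row for the in-class case is where the API path is lost.

```ql
/**
 * @name Stage-by-stage trace of the dbutils PooledDB API path
 * @description Reports, for each prefix of the API path, the source nodes
 *              the API graph found, so a missing stage shows up as a missing row.
 * @kind table
 * @id example/dbutils-api-path-trace
 */

import python
import semmle.python.ApiGraphs

// The reporter's predicates, unchanged.
private API::Node dbClient() {
  result = API::moduleImport("dbutils").getMember("pooled_db").getMember("PooledDB").getReturn()
}

private API::Node connection() {
  result = dbClient().getMember("connection").getReturn()
}

// Each successively longer prefix of the path, labelled so the rows sort in path order.
// (Stage labels are illustrative, not CodeQL library names.)
private API::Node stage(string name) {
  name = "1: moduleImport(dbutils)" and result = API::moduleImport("dbutils")
  or
  name = "2: .pooled_db" and result = API::moduleImport("dbutils").getMember("pooled_db")
  or
  name = "3: .PooledDB" and
  result = API::moduleImport("dbutils").getMember("pooled_db").getMember("PooledDB")
  or
  name = "4: PooledDB(...) return" and result = dbClient()
  or
  name = "5: .connection member" and result = dbClient().getMember("connection")
  or
  name = "6: .connection() return" and result = connection()
}

// asSource() gives the data-flow node(s) where a value of this API node enters the program,
// e.g. the `PooledDB(creator=pymysql)` call for stage 4 and the `...connection()` call for stage 6.
from string name, API::Node node, DataFlow::LocalSourceNode src
where node = stage(name) and src = node.asSource()
select name, src, src.getLocation()
```

For the demo in the issue, stages 1 to 4 are expected to produce rows in both the class and the function variant, since the `PooledDB(...)` call is resolved directly from the import. The divergence the reporter's screenshots show is at stage 5: the member read `self.orm.connection` is only reached when the pool object flows to the call site directly, not when it is stored in `self.orm` in `__init__` and read back in another method.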

luke10481 commented 12 months ago

Hi @luke10481,

Can you quick-eval any of the sub-expressions to figure out where you lose your result? Here are a couple of questions I'd ask if I were to debug this:

  • Does quick-evaluation of the dbClient predicate give any results?

    • If yes: Does dbClient().getMember("connection") give any results?
    • If no: Does quick-evaluation of API::moduleImport("dbutils") give any results?

By quick-eval'ing iteratively larger sub expressions you can investigate which expression is causing the full evaluation to give no results.

My test result is here. After I run quick evaluation on connection, it should display three results, but there is just one result.

If connection() is in a function, not in a class, there is no problem.

MathiasVP commented 12 months ago

Thanks for those screenshots 🙇.

I talked with the Python team, and they said that they will investigate this issue more closely.

Will make sure to keep you updated!

luke10481 commented 10 months ago

Can this problem be solved through the API of codeql-python now? Do I need to wait for you to fix it? This problem will lead to some vulnerabilities that cannot be discovered.

sidshank commented 10 months ago

Hi @luke10481 👋 My apologies for the delayed response. The issue you have encountered here is a known limitation in Python CodeQL analysis. We will take your report into account as we prioritize and act on this gap. I am not aware of any workarounds you could employ, but now that we've had some time to consider the issue, I'll check again with the team and get back to you here.

sidshank commented 9 months ago

I am not aware of any workarounds you could employ, but now that we've had some time to consider the issue, I'll check again with the team and get back to you here.

I can confirm that there are no known workarounds to this issue.