
Pathological code causes RecursionError

Open bcaller opened this issue 7 years ago • 1 comments

I noticed some code I had crashed pyt. I managed to reduce it to what I think is the minimum required for the RecursionError. In the original code we had a source which reached a sink and then further operations were carried out on the return value of the sink function.

def f(x):  # having this function defined is optional
    return 123


@blueprint.route("/x/<query>/", methods=["POST"])
def bad_route(query):
    if 123:
        res = execute(query)
    else:
        res = execute(query)

    for r in res:
        r["a"] = f(r)

If I collapse the if statement simply to res = execute(query) there is no RecursionError. If r["a"] = f(r) is replaced by r["a"] = r["b"] there is no RecursionError.

Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/pack/pyt/pyt/__main__.py", line 141, in <module>
    main()
  File "/pack/pyt/pyt/__main__.py", line 125, in main
    nosec_lines
  File "/pack/pyt/pyt/vulnerabilities/vulnerabilities.py", line 547, in find_vulnerabilities
    nosec_lines
  File "/pack/pyt/pyt/vulnerabilities/vulnerabilities.py", line 509, in find_vulnerabilities_in_cfg
    blackbox_mapping
  File "/pack/pyt/pyt/vulnerabilities/vulnerabilities.py", line 451, in get_vulnerability
    def_use
  File "/pack/pyt/pyt/vulnerabilities/vulnerabilities.py", line 299, in get_vulnerability_chains
    vuln_chain
  File "/pack/pyt/pyt/vulnerabilities/vulnerabilities.py", line 299, in get_vulnerability_chains
    vuln_chain
  File "/pack/pyt/pyt/vulnerabilities/vulnerabilities.py", line 299, in get_vulnerability_chains
    vuln_chain
  [Previous line repeated 987 more times]
  File "/pack/pyt/pyt/vulnerabilities/vulnerabilities.py", line 290, in get_vulnerability_chains
    if use == sink:
RecursionError: maximum recursion depth exceeded in comparison

Not sure what is going on.

bcaller, Jul 23 '18 12:07

I wrote this code in https://github.com/python-security/pyt/pull/81 :) I'll try to fix it after my current PR is merged (just have inner_most_function_call equivalent in my expr_star_handler function left, I think, atm, along with existing tests).

KevinHock, Jul 24 '18 18:07
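The traceback above shows a source-to-sink chain search recursing once per def-use edge until the interpreter's limit is hit. The following is an added example, not pyt's code and not part of the thread: it assumes a constructed def-use graph in which the loop body forms a cycle (the page does not establish that this is the actual cause), and all node and function names are hypothetical.

```python
from typing import Dict, Iterator, List, Tuple

# Constructed def-use graph (assumption, not pyt output): each node maps to the
# nodes that use the value it defines. The loop body r["a"] = f(r) both reads
# and updates r, modelled here as the cycle call_f -> assign_r_a -> call_f.
DEF_USE: Dict[str, List[str]] = {
    "query": ["execute_if", "execute_else"],
    "execute_if": ["for_r"],
    "execute_else": ["for_r"],
    "for_r": ["call_f"],
    "call_f": ["assign_r_a"],
    "assign_r_a": ["call_f"],
}


def naive_chains(current: str, sink: str, def_use: Dict[str, List[str]],
                 chain: Tuple[str, ...] = ()) -> Iterator[List[str]]:
    """Recursive search with no cycle check: a non-sink path into a cycle never ends."""
    for use in def_use.get(current, []):
        if use == sink:
            yield list(chain)
        else:
            yield from naive_chains(use, sink, def_use, chain + (use,))


def naive_overflows(source: str, sink: str, def_use: Dict[str, List[str]]) -> bool:
    """Return True if the naive search exhausts the recursion limit."""
    try:
        list(naive_chains(source, sink, def_use))
    except RecursionError:
        return True
    return False


def cycle_safe_chains(source: str, sink: str,
                      def_use: Dict[str, List[str]]) -> Iterator[List[str]]:
    """Iterative search that never revisits a node already on the current chain."""
    stack: List[Tuple[str, List[str]]] = [(source, [])]
    while stack:
        node, chain = stack.pop()
        for use in def_use.get(node, []):
            if use == sink:
                yield chain
            elif use != source and use not in chain:
                stack.append((use, chain + [use]))


if __name__ == "__main__":
    print("naive overflows:", naive_overflows("query", "execute_if", DEF_USE))
    print("cycle-safe chains:", list(cycle_safe_chains("query", "execute_if", DEF_USE)))
```

In this model the sibling `execute_else` node is not the sink being searched for, so the naive search walks past it into the loop cycle; with a single `execute` node there is no such sibling path.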