RecursionError: maximum recursion depth exceeded while calling a Python object
python-taint==0.42 python 3.7
File a/sys.py
from sys import path
print(path)
% python3 ./a/sys.py
['/home/user/a', '/usr/lib64/python37.zip', '/usr/lib64/python3.7', '/usr/lib64/python3.7/lib-dynload', '/usr/lib64/python3.7/site-packages', '/usr/lib/python3.7/site-packages']
% ./.tox/pyt/bin/pyt -v -v -v -v a/sys.py
[DEBUG] pyt.__main__: Discovered file: a/a.py
[INFO] pyt.__main__: Processing a/a.py
Traceback (most recent call last):
File "./.tox/pyt/bin/pyt", line 10, in <module>
sys.exit(main())
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/__main__.py", line 106, in main
allow_local_directory_imports=args.allow_local_imports
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/make_cfg.py", line 42, in make_cfg
allow_local_directory_imports
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/expr_visitor.py", line 69, in __init__
self.init_cfg(node)
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/expr_visitor.py", line 76, in init_cfg
module_statements = self.visit(node)
File "/usr/lib64/python3.7/ast.py", line 262, in visit
return visitor(node)
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/stmt_visitor.py", line 67, in visit_Module
return self.stmt_star_handler(node.body)
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/stmt_visitor.py", line 88, in stmt_star_handler
node = self.visit(stmt)
File "/usr/lib64/python3.7/ast.py", line 262, in visit
return visitor(node)
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/stmt_visitor.py", line 1057, in visit_ImportFrom
from_from=True
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/stmt_visitor.py", line 807, in add_module
self.visit(tree)
File "/usr/lib64/python3.7/ast.py", line 262, in visit
return visitor(node)
...
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/stmt_visitor.py", line 67, in visit_Module
return self.stmt_star_handler(node.body)
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/stmt_visitor.py", line 88, in stmt_star_handler
node = self.visit(stmt)
File "/usr/lib64/python3.7/ast.py", line 262, in visit
return visitor(node)
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/stmt_visitor.py", line 1057, in visit_ImportFrom
from_from=True
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/cfg/stmt_visitor.py", line 802, in add_module
self.local_modules = get_directory_modules(module_path) if self._allow_local_modules else []
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/core/project_handler.py", line 26, in get_directory_modules
if _is_python_file(path):
File "/home/user/.tox/pyt/lib/python3.7/site-packages/pyt/core/project_handler.py", line 74, in _is_python_file
if os.path.splitext(path)[1] == '.py':
File "/home/user/.tox/pyt/lib64/python3.7/posixpath.py", line 129, in splitext
return genericpath._splitext(p, sep, None, extsep)
File "/home/user/.tox/pyt/lib64/python3.7/genericpath.py", line 124, in _splitext
sepIndex = p.rfind(sep)
RecursionError: maximum recursion depth exceeded while calling a Python object
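The traceback above loops through visit_ImportFrom, add_module and visit_Module: the file being analysed is named a/sys.py, and with local-directory imports enabled its own `from sys import path` resolves to that same file, which is then visited again without end. The following is an added example, not code from pyt or its author, that rebuilds that layout in a temporary directory and shows the guard a module-following visitor needs, a set of already-entered real paths, so a self-import or a mutual import terminates instead of exhausting the stack. The names `find_local_module`, `walk_imports`, `build_shadowing_project` and `demo` are hypothetical, and the sample files are constructed here.

```python
import ast
import os
import tempfile


def find_local_module(name, directory):
    """Resolve a module name to a sibling .py file, mirroring the
    local-directory resolution that the traceback above goes through.
    Returns None when no local file shadows the name (hypothetical helper)."""
    candidate = os.path.join(directory, name.split(".")[0] + ".py")
    return os.path.realpath(candidate) if os.path.isfile(candidate) else None


def walk_imports(path, visited=None, allow_local=True):
    """Visit `path`, follow `from X import ...` into sibling files, and
    return the module files reached, in visiting order.

    `visited` holds real paths already entered. A file that imports itself
    (sys.py doing `from sys import path`) or two files importing each other
    is descended into once; without this set the recursion never ends."""
    path = os.path.realpath(path)
    if visited is None:
        visited = set()
    if path in visited:
        return []          # cycle: already on the stack or already finished
    visited.add(path)
    order = [path]
    with open(path, encoding="utf-8") as f:
        tree = ast.parse(f.read(), filename=path)
    directory = os.path.dirname(path)
    for node in ast.walk(tree):
        # node.module is None for relative forms such as `from . import x`
        if isinstance(node, ast.ImportFrom) and node.module and allow_local:
            target = find_local_module(node.module, directory)
            if target is not None:
                order.extend(walk_imports(target, visited, allow_local))
    return order


def build_shadowing_project():
    """Constructed sample: a directory whose sys.py shadows the stdlib sys,
    plus a.py and b.py that import each other."""
    root = tempfile.mkdtemp(prefix="pyt_shadow_")
    with open(os.path.join(root, "sys.py"), "w") as f:
        f.write("from sys import path\nprint(path)\n")
    with open(os.path.join(root, "b.py"), "w") as f:
        f.write("from sys import path\nfrom a import x\n")
    with open(os.path.join(root, "a.py"), "w") as f:
        f.write("from b import y\n")
    return root


def demo():
    """Run the guarded walk over both cycles and return the file names reached."""
    root = build_shadowing_project()
    self_cycle = walk_imports(os.path.join(root, "sys.py"))
    mutual_cycle = walk_imports(os.path.join(root, "a.py"))
    return ([os.path.basename(p) for p in self_cycle],
            [os.path.basename(p) for p in mutual_cycle])


if __name__ == "__main__":
    print(demo())
```

The same guard matters beyond this reproduction: a scanner that follows imports will sooner or later meet a repository with an import cycle, and a crash there means the whole scan produces no findings, so the visited set (keyed on real paths, so symlinks do not defeat it) belongs in the visitor rather than in the caller.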
Hi,
I'm running into this same issue while running pyt against our DRF codebase. I cannot share the source since it is proprietary but would be delighted to provide any details I can.
Edit: I am using python-taint 0.42 and Python 3.6.9
I apologize that I don't have time to work on this project anymore :/
For posterity, I think this is a duplicate of https://github.com/python-security/pyt/issues/185.
I painstakingly fixed all the recursion errors and errors such as https://github.com/python-security/pyt/issues/195 in my clone used for scan.
https://github.com/ShiftLeftSecurity/sast-scan/pull/165/files
Unfortunately, there is a small decrease in the number of findings as a tradeoff for a non-crashing version. The particular PR has other unrelated changes, but the changes to the lib/pyt folder alone should give an idea if someone wants to back-port them to this repo.
Alternatively, I have made numerous other improvements to my pyt clone:
- pysa based taint config to construct proper error messages based on source and sink
- Categorized the trigger words for various sources and sinks
- Brand new sensitive data leak detection logic
- Tested against top 100 github repos to address defects and performance
While pysa is a great new toy, I felt the need to manually create models for every repo is a showstopper. pyt just works and has decent quality and performance.