Python: update qhelp and example

2026-04-30 11:15:13 +02:00 · 2021-03-14 09:22:47 +01:00
parent 7d556b354d
commit 41c9394b4b
2 changed files with 27 additions and 10 deletions
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
@@ -38,12 +38,33 @@
            <code>ssl.SSLContext</code>, which is supported in Python 2.7.9 and
            3.2 and later versions.
          </p>
+          <p>
+            Note that <code>ssl.wrap_socket</code> has been deprecated in
+            Python 3.7. The recommended alternatives are:
+          </p>
+          <ul>
+            <li><code>ssl.SSLContext</code> - supported in Python 2.7.9,
+                  3.2, and later versions</li>
+            <li><code>ssl.create_default_context</code> - a convenience function,
+                  supported in Python 3.4 and later versions.</li>
+          </ul>
+          <p>
+            Even when you use these alternatives, you should
+            ensure that a safe protocol is used. The following code illustrates
+            how to use flags (available since Python 3.2) or the `minimum_version`
+            field (favored since Python 3.7) to restrict the protocols accepted when
+            creating a connection.
+          </p>
+
+          <sample src="examples/secure_default_protocol.py" />
     </example>

     <references>
       <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security"> Transport Layer Security</a>.</li>
       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.SSLContext"> class ssl.SSLContext</a>.</li>
       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.wrap_socket"> ssl.wrap_socket</a>.</li>
+       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#functions-constants-and-exceptions"> notes on context creation</a>.</li>
+       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl-security"> notes on security considerations</a>.</li>
       <li>pyOpenSSL documentation: <a href="https://pyopenssl.org/en/stable/api/ssl.html"> An interface to the SSL-specific parts of OpenSSL</a>.</li>
     </references>

--- a/python/ql/src/Security/CWE-327/examples/secure_default_protocol.py
+++ b/python/ql/src/Security/CWE-327/examples/secure_default_protocol.py
@@ -1,13 +1,9 @@
-# taken from https://docs.python.org/3/library/ssl.html?highlight=ssl#ssl.SSLContext
-
-import socket
 import ssl

-hostname = 'www.python.org'
-context = ssl.create_default_context()
-context.options |= ssl.OP_NO_TLSv1 # This added by me
-context.options |= ssl.OP_NO_TLSv1_1 # This added by me
+# Using flags to restrict the protocol
+context = ssl.SSLContext()
+context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1

-with socket.create_connection((hostname, 443)) as sock:
-    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-        print(ssock.version())
+# Declaring a minimum version to restrict the protocol
+context = ssl.create_default_context()
+context.minimum_version = ssl.TLSVersion.TLSv1_2