Support from ssl import PROTOCOL_....

2026-05-03 04:39:29 +02:00 · 2018-11-30 16:57:43 +01:00
parent e8a41f719c
commit 46973f4305
3 changed files with 27 additions and 4 deletions
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -40,6 +40,22 @@ private ModuleObject the_pyOpenSSL_module() {
    result = any(ModuleObject m | m.getName() = "pyOpenSSL.SSL")
 }

+/* A syntactic check for cases where points-to analysis cannot infer the presence of
+ * a protocol constant, e.g. if it has been removed in later versions of the `ssl`
+ * library.
+ */
+predicate probable_insecure_ssl_constant(CallNode call, string insecure_version) {
+    exists(ControlFlowNode arg | arg = call.getArgByName("ssl_version") |
+        arg.(AttrNode).getObject(insecure_version).refersTo(the_ssl_module())
+        or
+        arg.(NameNode).getId() = insecure_version and
+        exists(Import imp |
+            imp.getAnImportedModuleName() = "ssl" and
+            imp.getAName().getAsname().(Name).getId() = insecure_version
+        )
+    )
+}
+
 predicate unsafe_ssl_wrap_socket_call(CallNode call, string method_name, string insecure_version) {
    (
        call = ssl_wrap_socket().getACall() and
@@ -54,10 +70,7 @@ predicate unsafe_ssl_wrap_socket_call(CallNode call, string method_name, string
    (
        call.getArgByName("ssl_version").refersTo(the_ssl_module().getAttribute(insecure_version))
        or
-        // syntactic match, in case the version in question has been deprecated
-        exists(ControlFlowNode arg | arg = call.getArgByName("ssl_version") |
-            arg.(AttrNode).getObject(insecure_version).refersTo(the_ssl_module())
-        )
+        probable_insecure_ssl_constant(call, insecure_version)
    )
 }

--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -9,3 +9,5 @@
 | InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3_METHOD specified in call to pyOpenSSL.SSL.Context. |
 | InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1_METHOD specified in call to pyOpenSSL.SSL.Context. |
 | InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
+| InsecureProtocol.py:49:1:49:38 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -40,3 +40,11 @@ SSL.Context(SSL.TLSv1_1_METHOD)
 # possibly insecure default
 ssl.wrap_socket()
 context = SSLContext()
+
+# importing the protocol constant directly
+
+from ssl import PROTOCOL_SSLv2
+
+ssl.wrap_socket(ssl_version=PROTOCOL_SSLv2)
+SSLContext(ssl_version=PROTOCOL_SSLv2)
+