Fix false positive and add test.

2026-04-30 19:26:02 +02:00 · 2019-03-21 14:10:05 +01:00
parent 9cb35a8ca9
commit 5eb63ae048
3 changed files with 4 additions and 0 deletions
--- a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
@@ -27,6 +27,7 @@ CallNode unsafe_call(string method_name) {
    or
    result = ssl_Context_class().getACall() and
    not exists(result.getArgByName("protocol")) and
+    not exists(result.getArg(0)) and
    method_name = "ssl.SSLContext"
 }

--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -11,3 +11,4 @@
 | InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
 | InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
 | InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
+| InsecureProtocol.py:52:1:52:33 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv23_METHOD specified in call to ssl.SSLContext. |
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -48,3 +48,5 @@ from ssl import PROTOCOL_SSLv2
 ssl.wrap_socket(ssl_version=PROTOCOL_SSLv2)
 SSLContext(protocol=PROTOCOL_SSLv2)

+# FP for insecure default
+ssl.SSLContext(ssl.SSLv23_METHOD)