Python: Also track offending call

update test expectations at this point
2025-12-20 10:46:30 +01:00 · 2021-02-26 21:58:30 +01:00
parent 9e696ff0fb
commit 60525ec301
3 changed files with 51 additions and 25 deletions
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -48,22 +48,30 @@ class AllowsTLSv1_1 extends InsecureContextConfiguration {
 * A connection is created from a context allowing an insecure protocol,
 * and that protocol has not been restricted appropriately.
 */
-predicate unsafe_connection_creation(DataFlow::Node node, ProtocolVersion insecure_version) {
+predicate unsafe_connection_creation(
+  DataFlow::Node node, ProtocolVersion insecure_version, CallNode call
+) {
  // Connection created from a context allowing TLS 1.0.
-  exists(AllowsTLSv1 c | c.hasFlowTo(node)) and
+  exists(AllowsTLSv1 c, ContextCreation cc | c.hasFlow(cc, node) | cc.getNode() = call) and
  insecure_version = "TLSv1"
  or
  // Connection created from a context allowing TLS 1.1.
-  exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) and
+  exists(AllowsTLSv1_1 c, ContextCreation cc | c.hasFlow(cc, node) | cc.getNode() = call) and
  insecure_version = "TLSv1_1"
  or
  // Connection created from a context for an insecure protocol.
-  exists(TlsLibrary l | l.insecure_connection_creation(insecure_version) = node)
+  exists(TlsLibrary l, DataFlow::CfgNode cc |
+    cc = l.insecure_connection_creation(insecure_version)
+  |
+    cc = node and
+    cc.getNode() = call
+  )
 }

 /** A connection is created insecurely without reference to a context. */
-predicate unsafe_context_creation(DataFlow::Node node, string insecure_version) {
+predicate unsafe_context_creation(DataFlow::Node node, string insecure_version, CallNode call) {
  exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation(insecure_version) |
-    cc = node
+    cc = node and
+    cc.getNode() = call
  )
 }
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -12,9 +12,17 @@
 import python
 import FluentApiModel

-from DataFlow::Node node, string insecure_version
-where
-  unsafe_connection_creation(node, insecure_version)
+string callName(AstNode call) {
+  result = call.(Name).getId()
  or
-  unsafe_context_creation(node, insecure_version)
-select node, "Insecure SSL/TLS protocol version " + insecure_version //+ " specified in call to " + method_name + "."
+  exists(Attribute a | a = call | result = callName(a.getObject()) + "." + a.getName())
+}
+
+from DataFlow::Node node, string insecure_version, CallNode call
+where
+  unsafe_connection_creation(node, insecure_version, call)
+  or
+  unsafe_context_creation(node, insecure_version, call)
+select node, "Insecure SSL/TLS protocol version " + insecure_version + " specified in $@ ", call,
+  "call to " + callName(call.getFunction().getNode())
+//+ " specified in call to " + method_name + "."