Merge pull request #564 from taus-semmle/python-insecure-ssl-version

Python: Check for insecure versions of SSL and TLS.
2026-05-03 12:45:27 +02:00 · 2019-01-16 12:32:30 +00:00
parent 370a9e491c 41836cdf8c
commit 65337ef835
15 changed files with 363 additions and 0 deletions
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
@@ -0,0 +1,2 @@
+| InsecureProtocol.py:41:1:41:17 | ControlFlowNode for Attribute() | Call to deprecated method ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
+| InsecureProtocol.py:42:11:42:22 | ControlFlowNode for SSLContext() | Call to ssl.SSLContext does not specify a protocol, which may result in an insecure default being used. |
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref
@@ -0,0 +1 @@
+Security/CWE-327/InsecureDefaultProtocol.ql
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -0,0 +1,13 @@
+| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
+| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to deprecated method ssl.wrap_socket. |
+| InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to deprecated method ssl.wrap_socket. |
+| InsecureProtocol.py:10:1:10:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
+| InsecureProtocol.py:11:1:11:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to ssl.SSLContext. |
+| InsecureProtocol.py:12:1:12:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to ssl.SSLContext. |
+| InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:15:1:15:30 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv23_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
+| InsecureProtocol.py:49:1:49:38 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -0,0 +1,50 @@
+import ssl
+from pyOpenSSL import SSL
+from ssl import SSLContext
+
+# true positives
+ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)
+ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
+ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)
+
+SSLContext(ssl_version=ssl.PROTOCOL_SSLv2)
+SSLContext(ssl_version=ssl.PROTOCOL_SSLv3)
+SSLContext(ssl_version=ssl.PROTOCOL_TLSv1)
+
+SSL.Context(SSL.SSLv2_METHOD)
+SSL.Context(SSL.SSLv23_METHOD)
+SSL.Context(SSL.SSLv3_METHOD)
+SSL.Context(SSL.TLSv1_METHOD)
+
+# not relevant
+wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
+wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)
+wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)
+
+Context(SSL.SSLv3_METHOD)
+Context(SSL.TLSv1_METHOD)
+Context(SSL.SSLv2_METHOD)
+Context(SSL.SSLv23_METHOD)
+
+# true positive using flow
+
+METHOD = SSL.SSLv2_METHOD
+SSL.Context(METHOD)
+
+# secure versions
+
+ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_1)
+SSLContext(ssl_version=ssl.PROTOCOL_TLSv1_1)
+SSL.Context(SSL.TLSv1_1_METHOD)
+
+# possibly insecure default
+ssl.wrap_socket()
+context = SSLContext()
+
+# importing the protocol constant directly
+
+from ssl import PROTOCOL_SSLv2
+
+ssl.wrap_socket(ssl_version=PROTOCOL_SSLv2)
+SSLContext(ssl_version=PROTOCOL_SSLv2)
+
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref
@@ -0,0 +1 @@
+Security/CWE-327/InsecureProtocol.ql
--- a/python/ql/test/query-tests/Security/CWE-327/options
+++ b/python/ql/test/query-tests/Security/CWE-327/options
@@ -1 +1,2 @@
 semmle-extractor-options: -p ../lib/ --max-import-depth=3
+optimize: true
--- a/python/ql/test/query-tests/Security/lib/pyOpenSSL/SSL.py
+++ b/python/ql/test/query-tests/Security/lib/pyOpenSSL/SSL.py
@@ -0,0 +1,10 @@
+SSLv2_METHOD = 1
+SSLv3_METHOD = 2
+SSLv23_METHOD = 3
+TLSv1_METHOD = 4
+TLSv1_1_METHOD = 5
+TLSv1_2_METHOD = 6
+
+class Context(object):
+    def __init__(self, *args, **kwargs):
+        pass
--- a/python/ql/test/query-tests/Security/lib/pyOpenSSL/init.py
+++ b/python/ql/test/query-tests/Security/lib/pyOpenSSL/init.py
				`@@ -0,0 +1 @@`
				`Security/CWE-327/InsecureDefaultProtocol.ql`