Merge pull request #16812 from porcupineyhairs/pyloadSsl

Python: Pycurl SSL Disabled
2025-12-16 16:53:25 +01:00 · 2024-10-25 16:23:25 +02:00
parent ab1b48d687 c78aeec2ec
commit 7338eafbd4
2 changed files with 43 additions and 2 deletions
--- a/python/ql/lib/semmle/python/frameworks/Pycurl.qll
+++ b/python/ql/lib/semmle/python/frameworks/Pycurl.qll
@@ -37,6 +37,15 @@ module Pycurl {
    /** Gets a reference to an instance of `pycurl.Curl`. */
    private API::Node instance() { result = classRef().getReturn() }

+    /** Gets a reference to `pycurl.Curl.setopt`. */
+    private API::Node setopt() { result = instance().getMember("setopt") }
+
+    /** Gets a reference to the constant `pycurl.Curl.SSL_VERIFYPEER`. */
+    private API::Node sslverifypeer() {
+      result = API::moduleImport("pycurl").getMember("SSL_VERIFYPEER") or
+      result = instance().getMember("SSL_VERIFYPEER")
+    }
+
    /**
     * When the first parameter value of the `setopt` function is set to `pycurl.URL`,
     * the second parameter value is the request resource link.
@@ -45,7 +54,7 @@ module Pycurl {
     */
    private class OutgoingRequestCall extends Http::Client::Request::Range, DataFlow::CallCfgNode {
      OutgoingRequestCall() {
-        this = instance().getMember("setopt").getACall() and
+        this = setopt().getACall() and
        this.getArg(0).asCfgNode().(AttrNode).getName() = "URL"
      }

@@ -58,9 +67,37 @@ module Pycurl {
      override predicate disablesCertificateValidation(
        DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
      ) {
-        // TODO: Look into disabling certificate validation
        none()
      }
    }
+
+    /**
+     * When the first parameter value of the `setopt` function is set to `SSL_VERIFYPEER` or `SSL_VERIFYHOST`,
+     * the second parameter value disables or enable SSL certifiacte verification.
+     *
+     * See http://pycurl.io/docs/latest/curlobject.html#pycurl.Curl.setopt.
+     */
+    private class CurlSslCall extends Http::Client::Request::Range, DataFlow::CallCfgNode {
+      CurlSslCall() {
+        this = setopt().getACall() and
+        this.getArg(0).asCfgNode().(AttrNode).getName() = ["SSL_VERIFYPEER", "SSL_VERIFYHOST"]
+      }
+
+      override DataFlow::Node getAUrlPart() { none() }
+
+      override string getFramework() { result = "pycurl.Curl" }
+
+      override predicate disablesCertificateValidation(
+        DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
+      ) {
+        sslverifypeer().getAValueReachableFromSource() = this.getArg(0) and
+        (
+          this.getArg(1).asExpr().(IntegerLiteral).getValue() = 0
+          or
+          this.getArg(1).asExpr().(BooleanLiteral).booleanValue() = false
+        ) and
+        (disablingNode = this and argumentOrigin = this.getArg(1))
+      }
+    }
  }
 }
--- a/python/ql/src/change-notes/2024-10-21-pyloadSsl.md
+++ b/python/ql/src/change-notes/2024-10-21-pyloadSsl.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved modelling for the `pycurl` framework.