Python: More tests

2026-04-30 11:15:13 +02:00 · 2021-03-02 22:46:01 +01:00
parent 60525ec301
commit 7a1d953fca
2 changed files with 107 additions and 3 deletions
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -19,6 +19,14 @@
 | ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:47:14:47:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:43:15:43:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:77:14:77:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:73:15:73:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:96:14:96:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:92:15:92:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
-| ssl_fluent.py:96:14:96:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:92:15:92:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:173:14:173:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:169:15:169:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
--- a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
@@ -66,6 +66,102 @@ def test_fluent_ssl_safe_combined():
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            print(ssock.version())

+def test_fluent_ssl_unsafe_combined_wrongly():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 & ssl.OP_NO_TLSv1_1
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_fluent_ssl_safe_combined_multiple():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+
+def create_relaxed_context():
+    return ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+
+def create_secure_context():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    return context
+
+def create_connection(context):
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_context_unsafe():
+    context = create_relaxed_context()
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_context_safe():
+    context = create_secure_context()
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_context_made_safe():
+    context = create_relaxed_context()
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_context_made_unsafe():
+    context = create_secure_context()
+    context.options &= ~ssl.OP_NO_TLSv1_1
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_connection_unsafe():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    create_connection(context)
+
+def test_delegated_connection_safe():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
+def test_delegated_connection_made_safe():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
+def test_delegated_connection_made_unsafe():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    context.options &= ~ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
+def test_delegated_unsafe():
+    context = create_relaxed_context()
+    create_connection(context)
+
+def test_delegated_safe():
+    context = create_secure_context()
+    create_connection(context)
+
+def test_delegated_made_safe():
+    context = create_relaxed_context()
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
+def test_delegated_made_unsafe():
+    context = create_secure_context()
+    context.options &= ~ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
 # From Python 3.7
 # see https://docs.python.org/3/library/ssl.html#ssl.SSLContext.minimum_version
 def test_fluent_ssl_unsafe_version():