Python: Alter disablesCertificateValidation to fit our needs

For the snippet below, our current query is able to show _why_ we consider `var` to be a falsey value that would disable SSL/TLS verification. I'm not sure we're going to need the part that Ruby did, for being able to specify _where_ the verification was removed, but we'll see. ``` requests.get(url, verify=var) ```
2026-05-03 04:39:29 +02:00 · 2021-12-13 11:25:55 +01:00
parent 08f6d1ab80
commit 7bf285a52e
2 changed files with 25 additions and 6 deletions
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -837,10 +837,14 @@ module HTTP {
      /**
       * Holds if this request is made using a mode that disables SSL/TLS
       * certificate validation, where `disablingNode` represents the point at
-       * which the validation was disabled.
+       * which the validation was disabled, and `argumentOrigin` represents the origin
+       * of the argument that disabled the validation (which could be the same node as
+       * `disablingNode`).
       */
-      predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
-        super.disablesCertificateValidation(disablingNode)
+      predicate disablesCertificateValidation(
+        DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
+      ) {
+        super.disablesCertificateValidation(disablingNode, argumentOrigin)
      }
    }

@@ -868,9 +872,13 @@ module HTTP {
        /**
         * Holds if this request is made using a mode that disables SSL/TLS
         * certificate validation, where `disablingNode` represents the point at
-         * which the validation was disabled.
+         * which the validation was disabled, and `argumentOrigin` represents the origin
+         * of the argument that disabled the validation (which could be the same node as
+         * `disablingNode`).
         */
-        abstract predicate disablesCertificateValidation(DataFlow::Node disablingNode);
+        abstract predicate disablesCertificateValidation(
+          DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
+        );
      }
    }

--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -479,7 +479,9 @@ class CryptographicOperationTest extends InlineExpectationsTest {
 class HttpClientRequestTest extends InlineExpectationsTest {
  HttpClientRequestTest() { this = "HttpClientRequestTest" }

-  override string getARelevantTag() { result = "clientRequestUrl" }
+  override string getARelevantTag() {
+    result in ["clientRequestUrl", "clientRequestDisablesCertValidation"]
+  }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(location.getFile().getRelativePath()) and
@@ -490,5 +492,14 @@ class HttpClientRequestTest extends InlineExpectationsTest {
      value = prettyNodeForInlineTest(url) and
      tag = "clientRequestUrl"
    )
+    or
+    exists(location.getFile().getRelativePath()) and
+    exists(HTTP::Client::Request req, DataFlow::Node disablingNode |
+      req.disablesCertificateValidation(disablingNode, _) and
+      location = disablingNode.getLocation() and
+      element = disablingNode.toString() and
+      value = prettyNodeForInlineTest(disablingNode) and
+      tag = "clientRequestDisablesCertValidation"
+    )
  }
 }