Add support for ssl.SSLContext.

2025-12-17 01:03:14 +01:00 · 2018-11-28 17:48:09 +01:00
parent 0a839f8468
commit a893dca06e
5 changed files with 66 additions and 24 deletions
--- a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
@@ -16,11 +16,23 @@ FunctionObject ssl_wrap_socket() {
    result = any(ModuleObject ssl | ssl.getName() = "ssl").getAttribute("wrap_socket")
 }

-from CallNode call
+ClassObject ssl_Context_class() {
+    result = any(ModuleObject ssl | ssl.getName() = "ssl").getAttribute("SSLContext")
+}
+
+CallNode unsafe_call(string method_name) {
+    result = ssl_wrap_socket().getACall() and
+    method_name = "deprecated method ssl.wrap_socket"
+    or
+    result = ssl_Context_class().getACall() and
+    method_name = "ssl.SSLContext"
+}
+
+from CallNode call, string method_name
 where 
-    call = ssl_wrap_socket().getACall() and
+    call = unsafe_call(method_name) and
    not exists(call.getArgByName("ssl_version"))
-select call, "Call to ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used."
+select call, "Call to " + method_name + " does not specify a protocol, which may result in an insecure default being used."



--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -13,7 +13,11 @@
 import python

 FunctionObject ssl_wrap_socket() {
-    result = any(ModuleObject ssl | ssl.getName() = "ssl").getAttribute("wrap_socket")
+    result = the_ssl_module().getAttribute("wrap_socket")
+}
+
+ClassObject ssl_Context_class() {
+    result = the_ssl_module().getAttribute("SSLContext")
 }

 string insecure_version_name() {
@@ -33,13 +37,27 @@ private ModuleObject the_ssl_module() {
 }

 private ModuleObject the_pyOpenSSL_module() {
-    result = any(ModuleObject m | m.getName() = "pyOpenSSL").getAttribute("SSL")
+    result = any(ModuleObject m | m.getName() = "pyOpenSSL.SSL")
 }

-predicate unsafe_ssl_wrap_method_call(CallNode call) {
-    call = ssl_wrap_socket().getACall() and
-    exists(ControlFlowNode arg | arg = call.getArgByName("ssl_version") |
-        arg.(AttrNode).getObject(insecure_version_name()).refersTo(the_ssl_module())
+predicate unsafe_ssl_wrap_socket_call(CallNode call, string method_name, string insecure_version) {
+    (
+        call = ssl_wrap_socket().getACall() and
+        method_name = "deprecated method ssl.wrap_socket"
+        or
+        call = ssl_Context_class().getACall() and
+        method_name = "ssl.SSLContext"
+    )
+    and
+    insecure_version = insecure_version_name()
+    and
+    (
+        call.getArgByName("ssl_version").refersTo(the_ssl_module().getAttribute(insecure_version))
+        or
+        // syntactic match, in case the version in question has been deprecated
+        exists(ControlFlowNode arg | arg = call.getArgByName("ssl_version") |
+            arg.(AttrNode).getObject(insecure_version).refersTo(the_ssl_module())
+        )
    )
 }

@@ -47,14 +65,15 @@ ClassObject the_pyOpenSSL_Context_class() {
    result = any(ModuleObject m | m.getName() = "pyOpenSSL.SSL").getAttribute("Context")
 }

-predicate unsafe_pyOpenSSL_Context_call(CallNode call) {
+predicate unsafe_pyOpenSSL_Context_call(CallNode call, string insecure_version) {
    call = the_pyOpenSSL_Context_class().getACall() and
-    call.getArgByName("method").refersTo(the_pyOpenSSL_module().getAttribute(insecure_version_name()))
+    insecure_version = insecure_version_name() and
+    call.getArgByName("method").refersTo(the_pyOpenSSL_module().getAttribute(insecure_version))
 }

-from CallNode call, string method_name
+from CallNode call, string method_name, string insecure_version
 where
-    unsafe_ssl_wrap_method_call(call) and method_name = "ssl.wrap_socket"
+    unsafe_ssl_wrap_socket_call(call, method_name, insecure_version)
 or
-    unsafe_pyOpenSSL_Context_call(call) and method_name = "pyOpenSSL.SSL.Context"
-select call, "Insecure SSL/TLS protocol version specified in call to " + method_name + "."
+    unsafe_pyOpenSSL_Context_call(call, insecure_version) and method_name = "pyOpenSSL.SSL.Context"
+select call, "Insecure SSL/TLS protocol version " + insecure_version + " specified in call to " + method_name + "."
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
@@ -1 +1,2 @@
-| InsecureProtocol.py:35:1:35:17 | ControlFlowNode for Attribute() | Call to ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
+| InsecureProtocol.py:41:1:41:17 | ControlFlowNode for Attribute() | Call to deprecated method ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
+| InsecureProtocol.py:42:11:42:22 | ControlFlowNode for SSLContext() | Call to ssl.SSLContext does not specify a protocol, which may result in an insecure default being used. |
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -1,8 +1,11 @@
-| InsecureProtocol.py:5:1:5:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to ssl.wrap_socket. |
-| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to ssl.wrap_socket. |
-| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to ssl.wrap_socket. |
-| InsecureProtocol.py:9:1:9:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:10:1:10:37 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:11:1:11:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:12:1:12:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:27:1:27:26 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
+| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to deprecated method ssl.wrap_socket. |
+| InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to deprecated method ssl.wrap_socket. |
+| InsecureProtocol.py:10:1:10:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
+| InsecureProtocol.py:11:1:11:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to ssl.SSLContext. |
+| InsecureProtocol.py:12:1:12:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to ssl.SSLContext. |
+| InsecureProtocol.py:14:1:14:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:15:1:15:37 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv23_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:16:1:16:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:17:1:17:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:32:1:32:26 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -1,11 +1,16 @@
 import ssl
 from pyOpenSSL import SSL
+from ssl import SSLContext

 # true positives
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)

+SSLContext(ssl_version=ssl.PROTOCOL_SSLv2)
+SSLContext(ssl_version=ssl.PROTOCOL_SSLv3)
+SSLContext(ssl_version=ssl.PROTOCOL_TLSv1)
+
 SSL.Context(method=SSL.SSLv2_METHOD)
 SSL.Context(method=SSL.SSLv23_METHOD)
 SSL.Context(method=SSL.SSLv3_METHOD)
@@ -29,7 +34,9 @@ SSL.Context(method=METHOD)
 # secure versions

 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_1)
+SSLContext(ssl_version=ssl.PROTOCOL_TLSv1_1)
 SSL.Context(method=SSL.TLSv1_1_METHOD)

 # possibly insecure default
 ssl.wrap_socket()
+context = SSLContext()