hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add support for ssl.SSLContext.

Browse Source
This commit is contained in:
Taus Brock-Nannestad
2018-11-28 17:48:09 +01:00
parent 0a839f8468
commit a893dca06e
5 changed files with 66 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
View File

@@ -1 +1,2 @@
| InsecureProtocol.py:35:1:35:17 | ControlFlowNode for Attribute() | Call to ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
| InsecureProtocol.py:41:1:41:17 | ControlFlowNode for Attribute() | Call to deprecated method ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
| InsecureProtocol.py:42:11:42:22 | ControlFlowNode for SSLContext() | Call to ssl.SSLContext does not specify a protocol, which may result in an insecure default being used. |

19
python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
View File

@@ -1,8 +1,11 @@
| InsecureProtocol.py:5:1:5:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to ssl.wrap_socket. |
| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to ssl.wrap_socket. |
| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to ssl.wrap_socket. |
| InsecureProtocol.py:9:1:9:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
| InsecureProtocol.py:10:1:10:37 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
| InsecureProtocol.py:11:1:11:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
| InsecureProtocol.py:12:1:12:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
| InsecureProtocol.py:27:1:27:26 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to deprecated method ssl.wrap_socket. |
| InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to deprecated method ssl.wrap_socket. |
| InsecureProtocol.py:10:1:10:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
| InsecureProtocol.py:11:1:11:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to ssl.SSLContext. |
| InsecureProtocol.py:12:1:12:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to ssl.SSLContext. |
| InsecureProtocol.py:14:1:14:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
| InsecureProtocol.py:15:1:15:37 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv23_METHOD specified in call to pyOpenSSL.SSL.Context. |
| InsecureProtocol.py:16:1:16:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3_METHOD specified in call to pyOpenSSL.SSL.Context. |
| InsecureProtocol.py:17:1:17:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1_METHOD specified in call to pyOpenSSL.SSL.Context. |
| InsecureProtocol.py:32:1:32:26 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |

7
python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
View File

@@ -1,11 +1,16 @@
import ssl
from pyOpenSSL import SSL
from ssl import SSLContext
# true positives
ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)
ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)
SSLContext(ssl_version=ssl.PROTOCOL_SSLv2)
SSLContext(ssl_version=ssl.PROTOCOL_SSLv3)
SSLContext(ssl_version=ssl.PROTOCOL_TLSv1)
SSL.Context(method=SSL.SSLv2_METHOD)
SSL.Context(method=SSL.SSLv23_METHOD)
SSL.Context(method=SSL.SSLv3_METHOD)
@@ -29,7 +34,9 @@ SSL.Context(method=METHOD)
# secure versions
ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_1)
SSLContext(ssl_version=ssl.PROTOCOL_TLSv1_1)
SSL.Context(method=SSL.TLSv1_1_METHOD)
# possibly insecure default
ssl.wrap_socket()
context = SSLContext()