Add support for ssl.SSLContext.

2026-05-05 05:35:13 +02:00 · 2018-11-28 17:48:09 +01:00
parent 0a839f8468
commit a893dca06e
5 changed files with 66 additions and 24 deletions
--- a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
@@ -16,11 +16,23 @@ FunctionObject ssl_wrap_socket() {
    result = any(ModuleObject ssl | ssl.getName() = "ssl").getAttribute("wrap_socket")
 }
-from CallNode call
+ClassObject ssl_Context_class() {
    result = any(ModuleObject ssl | ssl.getName() = "ssl").getAttribute("SSLContext")
 }
 CallNode unsafe_call(string method_name) {
    result = ssl_wrap_socket().getACall() and
    method_name = "deprecated method ssl.wrap_socket"
    or
    result = ssl_Context_class().getACall() and
    method_name = "ssl.SSLContext"
 }
 from CallNode call, string method_name
 where 
-    call = ssl_wrap_socket().getACall() and
+    call = unsafe_call(method_name) and
    not exists(call.getArgByName("ssl_version"))
-select call, "Call to ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used."
+select call, "Call to " + method_name + " does not specify a protocol, which may result in an insecure default being used."
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -13,7 +13,11 @@
 import python
 FunctionObject ssl_wrap_socket() {
-    result = any(ModuleObject ssl | ssl.getName() = "ssl").getAttribute("wrap_socket")
+    result = the_ssl_module().getAttribute("wrap_socket")
 }
 ClassObject ssl_Context_class() {
    result = the_ssl_module().getAttribute("SSLContext")
 }
 string insecure_version_name() {
@@ -33,13 +37,27 @@ private ModuleObject the_ssl_module() {
 }
 private ModuleObject the_pyOpenSSL_module() {
-    result = any(ModuleObject m | m.getName() = "pyOpenSSL").getAttribute("SSL")
+    result = any(ModuleObject m | m.getName() = "pyOpenSSL.SSL")
 }
-predicate unsafe_ssl_wrap_method_call(CallNode call) {
+predicate unsafe_ssl_wrap_socket_call(CallNode call, string method_name, string insecure_version) {
-    call = ssl_wrap_socket().getACall() and
+    (
-    exists(ControlFlowNode arg | arg = call.getArgByName("ssl_version") |
+        call = ssl_wrap_socket().getACall() and
-        arg.(AttrNode).getObject(insecure_version_name()).refersTo(the_ssl_module())
+        method_name = "deprecated method ssl.wrap_socket"
        or
        call = ssl_Context_class().getACall() and
        method_name = "ssl.SSLContext"
    )
    and
    insecure_version = insecure_version_name()
    and
    (
        call.getArgByName("ssl_version").refersTo(the_ssl_module().getAttribute(insecure_version))
        or
        // syntactic match, in case the version in question has been deprecated
        exists(ControlFlowNode arg | arg = call.getArgByName("ssl_version") |
            arg.(AttrNode).getObject(insecure_version).refersTo(the_ssl_module())
        )
    )
 }
@@ -47,14 +65,15 @@ ClassObject the_pyOpenSSL_Context_class() {
    result = any(ModuleObject m | m.getName() = "pyOpenSSL.SSL").getAttribute("Context")
 }
-predicate unsafe_pyOpenSSL_Context_call(CallNode call) {
+predicate unsafe_pyOpenSSL_Context_call(CallNode call, string insecure_version) {
    call = the_pyOpenSSL_Context_class().getACall() and
-    call.getArgByName("method").refersTo(the_pyOpenSSL_module().getAttribute(insecure_version_name()))
+    insecure_version = insecure_version_name() and
    call.getArgByName("method").refersTo(the_pyOpenSSL_module().getAttribute(insecure_version))
 }
-from CallNode call, string method_name
+from CallNode call, string method_name, string insecure_version
 where
-    unsafe_ssl_wrap_method_call(call) and method_name = "ssl.wrap_socket"
+    unsafe_ssl_wrap_socket_call(call, method_name, insecure_version)
 or
-    unsafe_pyOpenSSL_Context_call(call) and method_name = "pyOpenSSL.SSL.Context"
+    unsafe_pyOpenSSL_Context_call(call, insecure_version) and method_name = "pyOpenSSL.SSL.Context"
-select call, "Insecure SSL/TLS protocol version specified in call to " + method_name + "."
+select call, "Insecure SSL/TLS protocol version " + insecure_version + " specified in call to " + method_name + "."
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
@@ -1 +1,2 @@
-| InsecureProtocol.py:35:1:35:17 | ControlFlowNode for Attribute() | Call to ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
+| InsecureProtocol.py:41:1:41:17 | ControlFlowNode for Attribute() | Call to deprecated method ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
 | InsecureProtocol.py:42:11:42:22 | ControlFlowNode for SSLContext() | Call to ssl.SSLContext does not specify a protocol, which may result in an insecure default being used. |
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -1,8 +1,11 @@
-| InsecureProtocol.py:5:1:5:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to ssl.wrap_socket. |
+| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
-| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to ssl.wrap_socket. |
+| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to deprecated method ssl.wrap_socket. |
-| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to ssl.wrap_socket. |
+| InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to deprecated method ssl.wrap_socket. |
-| InsecureProtocol.py:9:1:9:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:10:1:10:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
-| InsecureProtocol.py:10:1:10:37 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:11:1:11:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to ssl.SSLContext. |
-| InsecureProtocol.py:11:1:11:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:12:1:12:42 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to ssl.SSLContext. |
-| InsecureProtocol.py:12:1:12:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:14:1:14:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:27:1:27:26 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:15:1:15:37 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv23_METHOD specified in call to pyOpenSSL.SSL.Context. |
 | InsecureProtocol.py:16:1:16:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3_METHOD specified in call to pyOpenSSL.SSL.Context. |
 | InsecureProtocol.py:17:1:17:36 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1_METHOD specified in call to pyOpenSSL.SSL.Context. |
 | InsecureProtocol.py:32:1:32:26 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -1,11 +1,16 @@
 import ssl
 from pyOpenSSL import SSL
 from ssl import SSLContext
 # true positives
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)
 SSLContext(ssl_version=ssl.PROTOCOL_SSLv2)
 SSLContext(ssl_version=ssl.PROTOCOL_SSLv3)
 SSLContext(ssl_version=ssl.PROTOCOL_TLSv1)
 SSL.Context(method=SSL.SSLv2_METHOD)
 SSL.Context(method=SSL.SSLv23_METHOD)
 SSL.Context(method=SSL.SSLv3_METHOD)
@@ -29,7 +34,9 @@ SSL.Context(method=METHOD)
 # secure versions
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_1)
 SSLContext(ssl_version=ssl.PROTOCOL_TLSv1_1)
 SSL.Context(method=SSL.TLSv1_1_METHOD)
 # possibly insecure default
 ssl.wrap_socket()
 context = SSLContext()
`@@ -1 +1,2 @@`
	`\| InsecureProtocol.py:35:1:35:17 \| ControlFlowNode for Attribute() \| Call to ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. \|`	`\| InsecureProtocol.py:41:1:41:17 \| ControlFlowNode for Attribute() \| Call to deprecated method ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. \|`
		`\| InsecureProtocol.py:42:11:42:22 \| ControlFlowNode for SSLContext() \| Call to ssl.SSLContext does not specify a protocol, which may result in an insecure default being used. \|`