Python: Modernize via CallCfgNode
@@ -2,13 +2,12 @@
|
||||
* Provides modeling of SSL/TLS functionality of the `OpenSSL` module from the `pyOpenSSL` PyPI package.
|
||||
* See https://www.pyopenssl.org/en/stable/
|
||||
*/
|
||||
|
||||
private import python
|
||||
private import semmle.python.ApiGraphs
|
||||
import TlsLibraryModel
|
||||
|
||||
class PyOpenSSLContextCreation extends ContextCreation {
|
||||
override CallNode node;
|
||||
|
||||
class PyOpenSSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
|
||||
PyOpenSSLContextCreation() {
|
||||
this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Context").getACall()
|
||||
}
|
||||
@@ -22,9 +21,7 @@ class PyOpenSSLContextCreation extends ContextCreation {
|
||||
}
|
||||
}
|
||||
|
||||
class ConnectionCall extends ConnectionCreation {
|
||||
override CallNode node;
|
||||
|
||||
class ConnectionCall extends ConnectionCreation, DataFlow::CallCfgNode {
|
||||
ConnectionCall() {
|
||||
this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Connection").getACall()
|
||||
}
|
||||
@@ -36,9 +33,7 @@ class ConnectionCall extends ConnectionCreation {
|
||||
|
||||
// This cannot be used to unrestrict,
|
||||
// see https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_options
|
||||
class SetOptionsCall extends ProtocolRestriction {
|
||||
override CallNode node;
|
||||
|
||||
class SetOptionsCall extends ProtocolRestriction, DataFlow::CallCfgNode {
|
||||
SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
|
||||
|
||||
override DataFlow::CfgNode getContext() {
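Review bot: `SetOptionsCall` still identifies a call purely by attribute name, `node.getFunction().(AttrNode).getName() = "set_options"`, so any `obj.set_options(...)` on an unrelated object is modeled as a pyOpenSSL protocol restriction, while the other classes touched by this commit now anchor on the API graph. Since the class is now a `DataFlow::CallCfgNode`, the match could be made consistent with `PyOpenSSLContextCreation`, e.g. `this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Context").getReturn().getMember("set_options").getACall()`, provided the API graph tracks the context object through local flow the way the surrounding classes assume; if the name-only match is deliberate (to catch contexts the API graph loses), a comment saying so would keep the next modernization pass from "fixing" it. `getContext()` starts on the last line of the hunk and its body continues outside it.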
|
||||
|
||||
@@ -2,13 +2,12 @@
|
||||
* Provides modeling of SSL/TLS functionality of the `ssl` module from the standard library.
|
||||
* See https://docs.python.org/3.9/library/ssl.html
|
||||
*/
|
||||
|
||||
private import python
|
||||
private import semmle.python.ApiGraphs
|
||||
import TlsLibraryModel
|
||||
|
||||
class SSLContextCreation extends ContextCreation {
|
||||
override CallNode node;
|
||||
|
||||
class SSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
|
||||
SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
|
||||
|
||||
override string getProtocol() {
|
||||
@@ -46,7 +45,7 @@ class WrapSocketCall extends ConnectionCreation, DataFlow::CallCfgNode {
|
||||
}
|
||||
}
|
||||
|
||||
class OptionsAugOr extends ProtocolRestriction {
|
||||
class OptionsAugOr extends ProtocolRestriction, DataFlow::CallCfgNode {
|
||||
ProtocolVersion restriction;
|
||||
|
||||
OptionsAugOr() {
|
||||
@@ -69,7 +68,7 @@ class OptionsAugOr extends ProtocolRestriction {
|
||||
override ProtocolVersion getRestriction() { result = restriction }
|
||||
}
|
||||
|
||||
class OptionsAugAndNot extends ProtocolUnrestriction {
|
||||
class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CallCfgNode {
|
||||
ProtocolVersion restriction;
|
||||
|
||||
OptionsAugAndNot() {
|
||||
@@ -127,7 +126,7 @@ predicate impliesBitSet(BinaryExpr whole, Expr part, boolean partHasBitSet, bool
|
||||
)
|
||||
}
|
||||
|
||||
class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction {
|
||||
class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction, DataFlow::CallCfgNode {
|
||||
ProtocolVersion restriction;
|
||||
|
||||
ContextSetVersion() {
|
||||
@@ -189,8 +188,7 @@ class Ssl extends TlsLibrary {
|
||||
|
||||
override DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version) {
|
||||
result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
|
||||
this.specific_version(version) =
|
||||
result.(DataFlow::CallCfgNode).getArgByName("ssl_version") and
|
||||
this.specific_version(version) = result.(DataFlow::CallCfgNode).getArgByName("ssl_version") and
|
||||
version.isInsecure()
|
||||
}
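Review bot: `insecure_connection_creation` only recognizes `ssl.wrap_socket` calls whose protocol is passed by keyword (`getArgByName("ssl_version")` on the merged line), so a call such as `ssl.wrap_socket(sock, None, None, False, ssl.CERT_NONE, ssl.PROTOCOL_SSLv3)`, where `ssl_version` is the sixth positional parameter of the stdlib function, is never flagged. Because `result` is already cast to `DataFlow::CallCfgNode`, matching both spellings is a one-line change: `this.specific_version(version) = [result.(DataFlow::CallCfgNode).getArg(5), result.(DataFlow::CallCfgNode).getArgByName("ssl_version")] and`. A call that omits `ssl_version` altogether relies on the library default and falls outside this predicate; if that case is handled elsewhere in the file (not visible here), a short comment pointing to it would make the split explicit. The enclosing `class Ssl extends TlsLibrary` starts outside the hunk.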
|
||||
|
||||
|
||||
@@ -30,30 +30,30 @@ class ProtocolFamily extends string {
|
||||
}
|
||||
|
||||
/** The creation of a context. */
|
||||
abstract class ContextCreation extends DataFlow::CfgNode {
|
||||
abstract class ContextCreation extends DataFlow::Node {
|
||||
/** Gets the protocol version or family for this context. */
|
||||
abstract string getProtocol();
|
||||
}
|
||||
|
||||
/** The creation of a connection from a context. */
|
||||
abstract class ConnectionCreation extends DataFlow::CfgNode {
|
||||
abstract class ConnectionCreation extends DataFlow::Node {
|
||||
/** Gets the context used to create the connection. */
|
||||
abstract DataFlow::CfgNode getContext();
|
||||
abstract DataFlow::Node getContext();
|
||||
}
|
||||
|
||||
/** A context is being restricted on which protocols it can accepts. */
|
||||
abstract class ProtocolRestriction extends DataFlow::CfgNode {
|
||||
abstract class ProtocolRestriction extends DataFlow::Node {
|
||||
/** Gets the context being restricted. */
|
||||
abstract DataFlow::CfgNode getContext();
|
||||
abstract DataFlow::Node getContext();
|
||||
|
||||
/** Gets the protocol version being disallowed. */
|
||||
abstract ProtocolVersion getRestriction();
|
||||
}
|
||||
|
||||
/** A context is being relaxed on which protocols it can accepts. */
|
||||
abstract class ProtocolUnrestriction extends DataFlow::CfgNode {
|
||||
abstract class ProtocolUnrestriction extends DataFlow::Node {
|
||||
/** Gets the context being relaxed. */
|
||||
abstract DataFlow::CfgNode getContext();
|
||||
abstract DataFlow::Node getContext();
|
||||
|
||||
/** Gets the protocol version being allowed. */
|
||||
abstract ProtocolVersion getUnrestriction();
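Review bot: The doc comments above the rewritten `ProtocolRestriction` and `ProtocolUnrestriction` declarations keep the wording "A context is being restricted on which protocols it can accepts", which does not agree grammatically and describes the context rather than the node the class models; now that these are plain `DataFlow::Node`s, something like `/** A node at which a context is restricted in which protocols it can accept. */` and the parallel `/** A node at which a context is relaxed in which protocols it can accept. */` would read more accurately. It may also be worth stating in the `ContextCreation`, `ConnectionCreation`, `ProtocolRestriction` and `ProtocolUnrestriction` docs that concrete subclasses are expected to be `DataFlow::CallCfgNode`s, as the `ssl` and `pyOpenSSL` models in this commit do, since the base classes no longer guarantee a CFG node and a subclass that still reads a `node` field would need to add that supertype itself; this is an inference about the intended contract and should be confirmed.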
|
||||
|
||||