From de9469bbfc1769e6e705165b6e53efa12a0c97eb Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 4 Mar 2021 00:01:44 +0100
Subject: [PATCH] Python: complete `ssl.create_default_context`

---
 python/ql/src/Security/CWE-327/Ssl.qll | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 66a821e83ac..d4886219d08 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -132,6 +132,15 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
   }
 }
 
+class UnspecificSSLDefaultContextCreation extends SSLDefaultContextCreation, ProtocolUnrestriction {
+  override DataFlow::CfgNode getContext() { result = this }
+
+  // see https://docs.python.org/3/library/ssl.html#ssl.create_default_context
+  override ProtocolVersion getUnrestriction() {
+    result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
+  }
+}
+
 class Ssl extends TlsLibrary {
   Ssl() { this = "ssl" }
 
@@ -167,5 +176,7 @@ class Ssl extends TlsLibrary {
     result instanceof ContextSetVersion
     or
     result instanceof UnspecificSSLContextCreation
+    or
+    result instanceof UnspecificSSLDefaultContextCreation
   }
 }