Python: small refactor

Rasmus Lerchedahl Petersen
2021-03-03 23:46:18 +01:00
parent cbbc7b2bcd
commit ee03837357
3 changed files with 6 additions and 11 deletions


@@ -51,10 +51,7 @@ class UnspecificPyOpenSSLContextCreation extends PyOpenSSLContextCreation, Unspe
class PyOpenSSL extends TlsLibrary {
PyOpenSSL() { this = "pyOpenSSL" }
override string specific_insecure_version_name(ProtocolVersion version) {
version in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] and
result = version + "_METHOD"
}
override string specific_version_name(ProtocolVersion version) { result = version + "_METHOD" }
override string unspecific_version_name(ProtocolFamily family) {
// `"TLS_METHOD"` is not actually available in pyOpenSSL yet, but should be coming soon..
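Review bot: The list `["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"]` removed from this class (and again from `Ssl` in the second file) was the only visible statement of which protocol versions the query treats as insecure. After this change that decision rests entirely on `version.isInsecure()` in `TlsLibrary.insecure_version`, whose definition is not shown in this commit. It is worth confirming that `isInsecure()` holds for exactly those four versions, because a narrower predicate would silently drop alerts on legacy protocol constants without any compile error. The new one-line `specific_version_name` override also has no doc comment; something like `/** Gets the pyOpenSSL constant name for the given version, secure or not. */` would make clear that filtering no longer happens here.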


@@ -135,10 +135,7 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
class Ssl extends TlsLibrary {
Ssl() { this = "ssl" }
override string specific_insecure_version_name(ProtocolVersion version) {
version in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] and
result = "PROTOCOL_" + version
}
override string specific_version_name(ProtocolVersion version) { result = "PROTOCOL_" + version }
override string unspecific_version_name(ProtocolFamily family) { result = "PROTOCOL_" + family }


@@ -80,8 +80,8 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
abstract class TlsLibrary extends string {
TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
/** The name of a specific protocol version, known to be insecure. */
abstract string specific_insecure_version_name(ProtocolVersion version);
/** The name of a specific protocol version. */
abstract string specific_version_name(ProtocolVersion version);
/** The name of an unspecific protocol version, say TLS, known to have insecure instances. */
abstract string unspecific_version_name(ProtocolFamily family);
@@ -91,7 +91,8 @@ abstract class TlsLibrary extends string {
/** A dataflow node representing a specific protocol version, known to be insecure. */
DataFlow::Node insecure_version(ProtocolVersion version) {
result = version_constants().getMember(specific_insecure_version_name(version)).getAUse()
version.isInsecure() and
result = version_constants().getMember(specific_version_name(version)).getAUse()
}
/** A dataflow node representing an unspecific protocol version, say TLS, known to have insecure instances. */