Python: Add import test of py/insecure-protocol

Rasmus Wriedt Larsen
2023-02-21 15:47:36 +01:00
parent 27e2307d0c
commit fb425b73fc
4 changed files with 64 additions and 0 deletions


@@ -10,6 +10,11 @@
| InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | call to SSL.Context | | InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | call to SSL.Context |
| InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket | | InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
| InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | call to SSLContext | | InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | call to SSLContext |
| import_all_one_file.py:25:14:25:45 | ControlFlowNode for copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_all_one_file.py:9:36:9:67 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
| import_all_one_file.py:25:14:25:45 | ControlFlowNode for copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:9:36:9:67 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
| import_all_one_file.py:29:14:29:39 | ControlFlowNode for copy_also_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:12:30:12:61 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
| import_use.py:13:14:13:40 | ControlFlowNode for completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_def.py:7:31:7:62 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
| import_use.py:13:14:13:40 | ControlFlowNode for completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_def.py:7:31:7:62 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context | | pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context | | pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context | | pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |


@@ -0,0 +1,30 @@
# use to compare alerts without import
import ssl
copy_secure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
copy_secure_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
# this is just to allow us to see how un-altered exports work
copy_completely_insecure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
# and an insecure export that is refined
copy_also_insecure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
copy_also_insecure_context.options |= ssl.OP_NO_TLSv1
import socket
hostname = 'www.python.org'
with socket.create_connection((hostname, 443)) as sock:
with copy_secure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(ssock.version())
with socket.create_connection((hostname, 443)) as sock:
with copy_completely_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(ssock.version())
with socket.create_connection((hostname, 443)) as sock:
with copy_also_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(ssock.version())
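Review bot: The header comment `# use to compare alerts without import` does not say which files this baseline mirrors, so the link between the `copy_*` names and the imported ones has to be worked out from the .expected rows. I would spell it out, for example `# baseline for import_def.py + import_use.py: the same three contexts, defined and used in one file`. A short marker at each `wrap_socket` call saying which protocol versions are expected to be reported there (none, TLSv1 and TLSv1_1, TLSv1_1 only) would let a reader check the .expected rows against the fixture without counting lines.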


@@ -0,0 +1,11 @@
import ssl
secure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
secure_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
# this is just to allow us to see how un-altered exports work
completely_insecure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
# and an insecure export that is refined
also_insecure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
also_insecure_context.options |= ssl.OP_NO_TLSv1
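Review bot: The three exported contexts are not annotated with the protocol versions each still permits, which is the only thing the query is being tested on. On `secure_context` I would add `# TLSv1 and TLSv1_1 disabled: no alert expected`, on `completely_insecure_context` `# nothing disabled: TLSv1 and TLSv1_1 both allowed`, and on `also_insecure_context` `# only TLSv1 disabled: TLSv1_1 still allowed`. The existing "refined" comment does not say that the refinement is incomplete, and that is what makes the last case interesting for the import test.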


@@ -0,0 +1,18 @@
# check that query works properly with imports
import socket
from import_def import secure_context, completely_insecure_context, also_insecure_context
hostname = 'www.python.org'
with socket.create_connection((hostname, 443)) as sock:
with secure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(ssock.version())
with socket.create_connection((hostname, 443)) as sock:
with completely_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(ssock.version())
with socket.create_connection((hostname, 443)) as sock:
with also_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(ssock.version())
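Review bot: The last `wrap_socket` call, on `also_insecure_context`, has no row in the .expected hunk, while the single-file copy does get `TLSv1_1 allowed` for `copy_also_insecure_context`. Judging from the visible added rows, the option refinement made in import_def.py is handled differently once the context is imported, and the result is a missing alert for a context that still accepts TLSv1_1. If that is the gap this test is meant to pin down, it should be stated at the use site, for example `# not reported today: TLSv1_1 is still allowed, compare copy_also_insecure_context in import_all_one_file.py`. Otherwise the .expected file silently records the false negative as correct behaviour.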