hohn/codeql

mirror of https://github.com/github/codeql.git synced 2026-01-21 02:14:45 +01:00

Files

History

Max Schaefer 104700f6d3 Address review comment.

2023-10-27 10:19:28 +01:00

..

Python: Add py/weak-sensitive-data-hashing query

2021-04-22 15:23:41 +02:00

BrokenCryptoAlgorithm.qhelp

Python: Fix BrokenCryptoAlgorithm.qhelp

2021-04-22 15:58:28 +02:00

BrokenCryptoAlgorithm.ql

Address review comment.

2023-10-27 10:19:28 +01:00

FluentApiModel.qll

Merge branch 'main' into python/rewrite-InsecureContextConfiguration

2023-03-27 10:20:53 +02:00

InsecureDefaultProtocol.qhelp

Update python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp

2021-03-09 16:44:08 +01:00

InsecureDefaultProtocol.ql

Update security-severity scores

2021-06-15 13:25:17 +01:00

InsecureProtocol.qhelp

Python: remove deprecated section of qhelp file

2021-03-26 23:26:24 +01:00

InsecureProtocol.ql

spelling: printing

2022-10-13 11:21:09 -04:00

PyOpenSSL.qll

python: move comment

2023-03-24 13:24:49 +01:00

README.md

spelling: connection

2022-10-20 08:18:23 -04:00

Ssl.qll

python: remove protocol family

2023-03-07 14:41:13 +01:00

TlsLibraryModel.qll

python: remove protocol family

2023-03-07 14:41:13 +01:00

WeakSensitiveDataHashing.qhelp

Python: Apply suggestions from code review

2021-05-18 11:53:11 +02:00

WeakSensitiveDataHashing.ql

Python: Move WeakSensitiveDataHashing to new dataflow API

2023-08-28 15:27:50 +02:00

README.md

Current status (Feb 2021)

This should be kept up to date; the world is moving fast and protocols are being broken.

Protocols

All versions of SSL are insecure
TLS 1.0 and TLS 1.1 are insecure
TLS 1.2 have some issues. but TLS 1.3 is not widely supported

Connection methods

ssl.wrap_socket is creating insecure connections, use SSLContext.wrap_socket instead. link

Deprecated since version 3.7: Since Python 3.2 and 2.7.9, it is recommended to use the SSLContext.wrap_socket() instead of wrap_socket(). The top-level function is limited and creates an insecure client socket without server name indication or hostname matching.
Default constructors are fine, a fluent API is used to constrain possible protocols later.

Current recommendation

TLS 1.2 or TLS 1.3

Queries

InsecureProtocol detects uses of insecure protocols.
InsecureDefaultProtocol detect default constructions, this is no longer unsafe.