mirror of
https://github.com/github/codeql.git
synced 2026-06-20 20:31:09 +02:00
89 lines
3.1 KiB
Plaintext
89 lines
3.1 KiB
Plaintext
/**
|
|
* Provides modeling of SSL/TLS functionality of the `OpenSSL` module from the `pyOpenSSL` PyPI package.
|
|
* See https://www.pyopenssl.org/en/stable/
|
|
*/
|
|
|
|
private import python
|
|
private import semmle.python.ApiGraphs
|
|
import TlsLibraryModel
|
|
|
|
class PyOpenSslContextCreation extends ContextCreation, DataFlow::CallCfgNode {
|
|
PyOpenSslContextCreation() {
|
|
this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Context").getACall()
|
|
}
|
|
|
|
override ProtocolVersion getProtocol() {
|
|
exists(DataFlow::Node protocolArg, PyOpenSsl pyo |
|
|
protocolArg in [this.getArg(0), this.getArgByName("method")]
|
|
|
|
|
protocolArg = pyo.specific_version(result).getAValueReachableFromSource()
|
|
or
|
|
protocolArg = pyo.unspecific_version().getAValueReachableFromSource() and
|
|
result = any(ProtocolVersion pv)
|
|
)
|
|
}
|
|
}
|
|
|
|
class ConnectionCall extends ConnectionCreation, DataFlow::CallCfgNode {
|
|
ConnectionCall() {
|
|
this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Connection").getACall()
|
|
}
|
|
|
|
override DataFlow::CfgNode getContext() {
|
|
result in [this.getArg(0), this.getArgByName("context")]
|
|
}
|
|
}
|
|
|
|
// This cannot be used to unrestrict,
|
|
// see https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_options
|
|
class SetOptionsCall extends ProtocolRestriction, DataFlow::CallCfgNode {
|
|
SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
|
|
|
|
override DataFlow::CfgNode getContext() {
|
|
result.getNode() = node.getFunction().(AttrNode).getObject()
|
|
}
|
|
|
|
override ProtocolVersion getRestriction() {
|
|
API::moduleImport("OpenSSL")
|
|
.getMember("SSL")
|
|
.getMember("OP_NO_" + result)
|
|
.getAValueReachableFromSource() in [this.getArg(0), this.getArgByName("options")]
|
|
}
|
|
}
|
|
|
|
class PyOpenSsl extends TlsLibrary {
|
|
PyOpenSsl() { this = "pyOpenSSL" }
|
|
|
|
override string specific_version_name(ProtocolVersion version) { result = version + "_METHOD" }
|
|
|
|
override string unspecific_version_name() {
|
|
// See
|
|
// - https://www.pyopenssl.org/en/23.0.0/api/ssl.html#module-OpenSSL.SSL
|
|
// - https://www.openssl.org/docs/manmaster/man3/DTLS_server_method.html#NOTES
|
|
//
|
|
// PyOpenSSL also allows DTLS
|
|
// see https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context
|
|
// although they are not mentioned here:
|
|
// https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.TLS_METHOD
|
|
result = ["TLS", "SSLv23"] + "_METHOD"
|
|
or
|
|
result = "TLS_" + ["CLIENT", "SERVER"] + "_METHOD"
|
|
}
|
|
|
|
override API::Node version_constants() { result = API::moduleImport("OpenSSL").getMember("SSL") }
|
|
|
|
override ContextCreation default_context_creation() { none() }
|
|
|
|
override ContextCreation specific_context_creation() {
|
|
result instanceof PyOpenSslContextCreation
|
|
}
|
|
|
|
override DataFlow::Node insecure_connection_creation(ProtocolVersion version) { none() }
|
|
|
|
override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
|
|
|
|
override ProtocolRestriction protocol_restriction() { result instanceof SetOptionsCall }
|
|
|
|
override ProtocolUnrestriction protocol_unrestriction() { none() }
|
|
}
|