python/ql/src/Security/CWE-327
1010 * external/cwe/cwe-327
1111 */
1212
13- // This query is based on the premise that default constructors are always a security concern.
14- // This has become untrue since Python 3.2 where the `SSLContext` was introduced. Such contexts
15- // are designed to later be modified by flags such as `OP_NO_TLSv1_1`, and so the default values
16- // are not necessarity problematic .
13+ // Connections are generally created based on a context which controls the range of acceptable
14+ // protocols. This query alerts on the deprecated way of creating connections without referring
15+ // to a context (via `ssl.wrap_socket`). Doing this and not specifying which protocols are
16+ // acceptable means that connections will be created with the insecure default settings .
1717//
18- // Detecting that a connection is created with a context that has not been suitably modified is
19- // handled by the data-flow query py/insecure-protocol, while the present query is restricted
20- // to alerting on the one deprecated default constructor whch does not refer to a contex, namely
21- // `ssl.wrap_socket`.
18+ // Detecting that a connection is created with a context that has not been suitably configured
19+ // is handled by the data-flow query py/insecure-protocol.
2220import python
2321import semmle.python.ApiGraphs
2422
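Review bot: stray space before the period in `insecure default settings .` on the `16+` line (the removed `16-` line had the same `problematic .` spacing, so this is a good moment to drop it). The rewritten comment also calls `ssl.wrap_socket` "the deprecated way" of creating connections without saying what it is deprecated in favour of; since the removed text already named `SSLContext` as the context-based alternative, a short pointer such as `// Prefer an explicitly configured SSLContext instead` next to the `py/insecure-protocol` cross-reference would make the query's intended scope clear to the next reader of the `.ql` file.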