Commit 72b37a5

committed
Python: factor out barrier
1 parent 86dde6e commit 72b37a5

1 file changed

Lines changed: 51 additions & 7 deletions


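--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -87,6 +87,46 @@ class ConnectionCall extends ConnectionCreation {
   }
 }
 
+class ProtocolRestriction extends DataFlow::CfgNode {
+  abstract DataFlow::CfgNode getContext();
+
+  abstract string getRestriction();
+}
+
+class OptionsAugOr extends ProtocolRestriction {
+  string restriction;
+
+  OptionsAugOr() {
+    exists(AugAssign aa, AttrNode attr |
+      aa.getOperation().getOp() instanceof BitOr and
+      aa.getTarget() = attr.getNode() and
+      attr.getName() = "options" and
+      attr.getObject() = node and
+      aa.getValue() = API::moduleImport("ssl").getMember(restriction).getAUse().asExpr()
+    )
+  }
+
+  override DataFlow::CfgNode getContext() { result = this }
+
+  override string getRestriction() { result = restriction }
+}
+
+class SetOptionsCall extends ProtocolRestriction {
+  override CallNode node;
+
+  SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
+
+  override DataFlow::CfgNode getContext() {
+    result.getNode() = node.getFunction().(AttrNode).getObject()
+  }
+
+  override string getRestriction() {
+    API::moduleImport("PyOpenSSL").getMember("SSL").getMember(result).getAUse().asCfgNode() in [
+        node.getArg(0), node.getArgByName("options")
+      ]
+  }
+}
+
 abstract class TlsLibrary extends string {
   TlsLibrary() { this in ["ssl"] }
 
@@ -121,6 +161,8 @@ abstract class TlsLibrary extends string {
   }
 
   abstract ConnectionCreation connection_creation();
+
+  abstract ProtocolRestriction protocol_restriction();
 }
 
 class Ssl extends TlsLibrary {
@@ -143,6 +185,8 @@ class Ssl extends TlsLibrary {
   override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
 
   override ConnectionCreation connection_creation() { result instanceof WrapSocketCall }
+
+  override ProtocolRestriction protocol_restriction() { result instanceof OptionsAugOr }
 }
 
 class PyOpenSSL extends TlsLibrary {
@@ -165,6 +209,8 @@ class PyOpenSSL extends TlsLibrary {
   }
 
   override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
+
+  override ProtocolRestriction protocol_restriction() { result instanceof OptionsAugOr }
 }
 
 module ssl {
@@ -212,12 +258,10 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
   abstract string flag();
 
   override predicate isBarrierOut(DataFlow::Node node) {
-    exists(AugAssign aa, AttrNode attr |
-      aa.getOperation().getOp() instanceof BitOr and
-      aa.getTarget() = attr.getNode() and
-      attr.getName() = "options" and
-      attr.getObject() = node.asCfgNode() and
-      aa.getValue() = API::moduleImport("ssl").getMember(flag()).getAUse().asExpr()
+    exists(ProtocolRestriction r |
+      r = library.protocol_restriction() and
+      node = r.getContext() and
+      r.getRestriction() = flag()
     )
   }
 }
@@ -231,7 +275,7 @@ class AllowsTLSv1 extends InsecureContextConfiguration {
 class AllowsTLSv1_1 extends InsecureContextConfiguration {
   AllowsTLSv1_1() { this = library + "AllowsTLSv1_1" }
 
-  override string flag() { result = "OP_NO_TLSv1_2" }
+  override string flag() { result = "OP_NO_TLSv1_1" }
 }
 
 predicate unsafe_connection_creation(DataFlow::Node node) {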
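Review bot: In the `class PyOpenSSL extends TlsLibrary` hunk, `protocol_restriction()` returns `OptionsAugOr`, whose characteristic predicate matches only `x.options |= ssl.OP_*` from the standard `ssl` module, so the PyOpenSSL barrier never recognises `Context.set_options(...)` and the newly added `SetOptionsCall` is dead code; the override should presumably read `override ProtocolRestriction protocol_restriction() { result instanceof SetOptionsCall }`, with `OptionsAugOr` kept for `Ssl` only. In `SetOptionsCall.getRestriction()`, `API::moduleImport("PyOpenSSL")` looks wrong too: the pyOpenSSL package is imported as `OpenSSL` (`from OpenSSL import SSL`), so `API::moduleImport("OpenSSL").getMember("SSL")` is what will match real code — worth checking against how the rest of the file (outside these hunks) models PyOpenSSL. `ProtocolRestriction` declares only abstract members but is not itself marked `abstract`, which in QL means every `DataFlow::CfgNode` is a `ProtocolRestriction`; `abstract class ProtocolRestriction extends DataFlow::CfgNode` seems intended and would also let the compiler flag a library that forgets an implementation. The three new classes have no QLDoc; a one-line `/** A node that removes a protocol version from a TLS context; `getContext()` is the context node, `getRestriction()` the `OP_NO_*` flag name. */` on `ProtocolRestriction` would document the barrier contract. The `OP_NO_TLSv1_2` → `OP_NO_TLSv1_1` correction in `AllowsTLSv1_1` is a real bug fix unrelated to factoring out the barrier and is not mentioned in the commit message.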
