Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 8155334

Browse files
yoffyoff
committed
Python: More elaborate qldoc
also refactor code to match
1 parent 7d7cbc4 commit 8155334

1 file changed

Lines changed: 33 additions & 15 deletions

File tree

python/ql/src/Security/CWE-327/FluentApiModel.qll

Lines changed: 33 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -2,9 +2,21 @@ import python
22
import TlsLibraryModel
33

44
/**
5-
* Configuration to track flow from the creation of a context to
6-
* that context being used to create a connection.
7-
* Flow is broken if the insecure protocol of interest is being restricted.
5+
* Configuration to determine the state of a context being used to create
6+
* a conection.
7+
*
8+
* The state is in terms of whether a specific protocol is allowed. This is
9+
* either true or false when the context is created and can then be modified
10+
* later by either restricting or unrestricting the protocol (see the predicates
11+
* `isRestriction` and `isUnrestriction`).
12+
*
13+
* Since we are interested in the final state, we want the flow to start from
14+
* the last unrestriction, so we disallow flow into unrestrictions. We also
15+
* model the creation as an unrestriction of everything it allows, to account
16+
* for the common case where the creation plays the role of "last unrestriction".
17+
*
18+
* Since we really want "the last unrestriction, not nullified by a restriction",
19+
* we also disallow flow into restrictions.
820
*/
921
class InsecureContextConfiguration extends DataFlow::Configuration {
1022
TlsLibrary library;
@@ -17,29 +29,35 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
1729

1830
ProtocolVersion getTrackedVersion() { result = tracked_version }
1931

20-
override predicate isSource(DataFlow::Node source) {
21-
// source = library.unspecific_context_creation()
22-
exists(ProtocolUnrestriction pu |
23-
pu = library.protocol_unrestriction() and
24-
pu.getUnrestriction() = tracked_version
25-
|
26-
source = pu.getContext()
27-
)
28-
}
32+
override predicate isSource(DataFlow::Node source) { this.isUnrestriction(source) }
2933

3034
override predicate isSink(DataFlow::Node sink) {
3135
sink = library.connection_creation().getContext()
3236
}
3337

34-
override predicate isBarrierOut(DataFlow::Node node) {
38+
override predicate isBarrierIn(DataFlow::Node node) {
39+
this.isRestriction(node)
40+
or
41+
this.isUnrestriction(node)
42+
}
43+
44+
private predicate isRestriction(DataFlow::Node node) {
3545
exists(ProtocolRestriction r |
3646
r = library.protocol_restriction() and
37-
node = r.getContext() and
3847
r.getRestriction() = tracked_version
48+
|
49+
node = r.getContext()
3950
)
4051
}
4152

42-
override predicate isBarrierIn(DataFlow::Node node) { this.isSource(node) }
53+
private predicate isUnrestriction(DataFlow::Node node) {
54+
exists(ProtocolUnrestriction pu |
55+
pu = library.protocol_unrestriction() and
56+
pu.getUnrestriction() = tracked_version
57+
|
58+
node = pu.getContext()
59+
)
60+
}
4361
}
4462

4563
/**

0 commit comments

Comments
 (0)