Python: complete ssl.create_default_context

yoff · yoff · commit de9469bbfc17 · 2021-03-04T00:01:44.000+01:00
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -132,6 +132,15 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
   }
 }
 
+class UnspecificSSLDefaultContextCreation extends SSLDefaultContextCreation, ProtocolUnrestriction {
+  override DataFlow::CfgNode getContext() { result = this }
+
+  // see https://docs.python.org/3/library/ssl.html#ssl.create_default_context
+  override ProtocolVersion getUnrestriction() {
+    result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
+  }
+}
+
 class Ssl extends TlsLibrary {
   Ssl() { this = "ssl" }
 
@@ -167,5 +176,7 @@ class Ssl extends TlsLibrary {
     result instanceof ContextSetVersion
     or
     result instanceof UnspecificSSLContextCreation
+    or
+    result instanceof UnspecificSSLDefaultContextCreation
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,15 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext`
`132`	`132`	`}`
`133`	`133`	`}`
`134`	`134`
	`135`	`+class UnspecificSSLDefaultContextCreation extends SSLDefaultContextCreation, ProtocolUnrestriction {`
	`136`	`+ override DataFlow::CfgNode getContext() { result = this }`
	`137`	`+`
	`138`	`+ // see https://docs.python.org/3/library/ssl.html#ssl.create_default_context`
	`139`	`+ override ProtocolVersion getUnrestriction() {`
	`140`	`+ result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]`
	`141`	`+ }`
	`142`	`+}`
	`143`	`+`
`135`	`144`	`class Ssl extends TlsLibrary {`
`136`	`145`	`Ssl() { this = "ssl" }`
`137`	`146`
`@@ -167,5 +176,7 @@ class Ssl extends TlsLibrary {`
`167`	`176`	`result instanceof ContextSetVersion`
`168`	`177`	`or`
`169`	`178`	`result instanceof UnspecificSSLContextCreation`
	`179`	`+ or`
	`180`	`+ result instanceof UnspecificSSLDefaultContextCreation`
`170`	`181`	`}`
`171`	`182`	`}`