Python: small refactor

yoff · yoff · commit ee038373571b · 2021-03-03T23:46:18.000+01:00
diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -51,10 +51,7 @@ class UnspecificPyOpenSSLContextCreation extends PyOpenSSLContextCreation, Unspe
 class PyOpenSSL extends TlsLibrary {
   PyOpenSSL() { this = "pyOpenSSL" }
 
-  override string specific_insecure_version_name(ProtocolVersion version) {
-    version in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] and
-    result = version + "_METHOD"
-  }
+  override string specific_version_name(ProtocolVersion version) { result = version + "_METHOD" }
 
   override string unspecific_version_name(ProtocolFamily family) {
     // `"TLS_METHOD"` is not actually available in pyOpenSSL yet, but should be coming soon..
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -135,10 +135,7 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
 class Ssl extends TlsLibrary {
   Ssl() { this = "ssl" }
 
-  override string specific_insecure_version_name(ProtocolVersion version) {
-    version in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] and
-    result = "PROTOCOL_" + version
-  }
+  override string specific_version_name(ProtocolVersion version) { result = "PROTOCOL_" + version }
 
   override string unspecific_version_name(ProtocolFamily family) { result = "PROTOCOL_" + family }
 
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -80,8 +80,8 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
 abstract class TlsLibrary extends string {
   TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
 
-  /** The name of a specific protocol version, known to be insecure. */
-  abstract string specific_insecure_version_name(ProtocolVersion version);
+  /** The name of a specific protocol version. */
+  abstract string specific_version_name(ProtocolVersion version);
 
   /** The name of an unspecific protocol version, say TLS, known to have insecure instances. */
   abstract string unspecific_version_name(ProtocolFamily family);
@@ -91,7 +91,8 @@ abstract class TlsLibrary extends string {
 
   /** A dataflow node representing a specific protocol version, known to be insecure. */
   DataFlow::Node insecure_version(ProtocolVersion version) {
-    result = version_constants().getMember(specific_insecure_version_name(version)).getAUse()
+    version.isInsecure() and
+    result = version_constants().getMember(specific_version_name(version)).getAUse()
   }
 
   /** A dataflow node representing an unspecific protocol version, say TLS, known to have insecure instances. */
