Support from ssl import PROTOCOL_....

Author: taus-semmle

python/ql/src/Security/CWE-327/InsecureProtocol.ql

@@ -40,6 +40,22 @@ private ModuleObject the_pyOpenSSL_module() {
     result = any(ModuleObject m | m.getName() = "pyOpenSSL.SSL")
 }
 
+/* A syntactic check for cases where points-to analysis cannot infer the presence of
+ * a protocol constant, e.g. if it has been removed in later versions of the `ssl`
+ * library.
+ */
+predicate probable_insecure_ssl_constant(CallNode call, string insecure_version) {
+    exists(ControlFlowNode arg | arg = call.getArgByName("ssl_version") |
+        arg.(AttrNode).getObject(insecure_version).refersTo(the_ssl_module())
+        or
+        arg.(NameNode).getId() = insecure_version and
+        exists(Import imp |
+            imp.getAnImportedModuleName() = "ssl" and
+            imp.getAName().getAsname().(Name).getId() = insecure_version
+        )
+    )
+}
+
 predicate unsafe_ssl_wrap_socket_call(CallNode call, string method_name, string insecure_version) {
     (
         call = ssl_wrap_socket().getACall() and
@@ -54,10 +70,7 @@ predicate unsafe_ssl_wrap_socket_call(CallNode call, string method_name, string
     (
         call.getArgByName("ssl_version").refersTo(the_ssl_module().getAttribute(insecure_version))
         or
-        // syntactic match, in case the version in question has been deprecated
-        exists(ControlFlowNode arg | arg = call.getArgByName("ssl_version") |
-            arg.(AttrNode).getObject(insecure_version).refersTo(the_ssl_module())
-        )
+        probable_insecure_ssl_constant(call, insecure_version)
     )
 }
 

python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected

@@ -9,3 +9,5 @@
 | InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3_METHOD specified in call to pyOpenSSL.SSL.Context. |
 | InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1_METHOD specified in call to pyOpenSSL.SSL.Context. |
 | InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
+| InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
+| InsecureProtocol.py:49:1:49:38 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |

python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py

@@ -40,3 +40,11 @@
 # possibly insecure default
 ssl.wrap_socket()
 context = SSLContext()
+
+# importing the protocol constant directly
+
+from ssl import PROTOCOL_SSLv2
+
+ssl.wrap_socket(ssl_version=PROTOCOL_SSLv2)
+SSLContext(ssl_version=PROTOCOL_SSLv2)
+