Fix false positive and add test.

taus-semmle · taus-semmle · commit 5eb63ae0486c · 2019-03-21T14:10:05.000+01:00
diff --git a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
@@ -27,6 +27,7 @@ CallNode unsafe_call(string method_name) {
     or
     result = ssl_Context_class().getACall() and
     not exists(result.getArgByName("protocol")) and
+    not exists(result.getArg(0)) and
     method_name = "ssl.SSLContext"
 }
 
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -11,3 +11,4 @@
 | InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
 | InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
 | InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
+| InsecureProtocol.py:52:1:52:33 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv23_METHOD specified in call to ssl.SSLContext. |
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -48,3 +48,5 @@
 ssl.wrap_socket(ssl_version=PROTOCOL_SSLv2)
 SSLContext(protocol=PROTOCOL_SSLv2)
 
+# FP for insecure default
+ssl.SSLContext(ssl.SSLv23_METHOD)

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ CallNode unsafe_call(string method_name) {`
`27`	`27`	`or`
`28`	`28`	`result = ssl_Context_class().getACall() and`
`29`	`29`	`not exists(result.getArgByName("protocol")) and`
	`30`	`+ not exists(result.getArg(0)) and`
`30`	`31`	`method_name = "ssl.SSLContext"`
`31`	`32`	`}`
`32`	`33`