Python: Add import test of py/insecure-protocol

RasmusWL · RasmusWL · commit fb425b73fcac · 2023-02-21T17:43:04.000+01:00
diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.expected
@@ -10,6 +10,11 @@
 | InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | call to SSL.Context |
 | InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
 | InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | call to SSLContext |
+| import_all_one_file.py:25:14:25:45 | ControlFlowNode for copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_all_one_file.py:9:36:9:67 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| import_all_one_file.py:25:14:25:45 | ControlFlowNode for copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:9:36:9:67 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| import_all_one_file.py:29:14:29:39 | ControlFlowNode for copy_also_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:12:30:12:61 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| import_use.py:13:14:13:40 | ControlFlowNode for completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_def.py:7:31:7:62 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| import_use.py:13:14:13:40 | ControlFlowNode for completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_def.py:7:31:7:62 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
 | pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
 | pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_all_one_file.py b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_all_one_file.py
@@ -0,0 +1,30 @@
+# use to compare alerts without import
+
+import ssl
+
+copy_secure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+copy_secure_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+
+# this is just to allow us to see how un-altered exports work
+copy_completely_insecure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+
+# and an insecure export that is refined
+copy_also_insecure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+copy_also_insecure_context.options |= ssl.OP_NO_TLSv1
+
+
+
+import socket
+hostname = 'www.python.org'
+
+with socket.create_connection((hostname, 443)) as sock:
+        with copy_secure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+with socket.create_connection((hostname, 443)) as sock:
+        with copy_completely_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+with socket.create_connection((hostname, 443)) as sock:
+        with copy_also_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_def.py b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_def.py
@@ -0,0 +1,11 @@
+import ssl
+
+secure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+secure_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+
+# this is just to allow us to see how un-altered exports work
+completely_insecure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+
+# and an insecure export that is refined
+also_insecure_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+also_insecure_context.options |= ssl.OP_NO_TLSv1
diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_use.py b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_use.py
@@ -0,0 +1,18 @@
+# check that query works properly with imports
+
+import socket
+from import_def import secure_context, completely_insecure_context, also_insecure_context
+
+hostname = 'www.python.org'
+
+with socket.create_connection((hostname, 443)) as sock:
+        with secure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+with socket.create_connection((hostname, 443)) as sock:
+        with completely_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+with socket.create_connection((hostname, 443)) as sock:
+        with also_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
