SONARPY-1128 Rule S4423: Weak SSL/TLS protocols should not be used (#1221)

* SONARPY-1128 Rule S4423: Weak SSL/TLS protocols should not be used

* Fix after review

Author: rudy-regazzoni-sonarsource

python-checks/src/main/java/org/sonar/python/checks/WeakSSLProtocolCheck.java

@@ -27,6 +27,7 @@
 import org.sonar.plugins.python.api.tree.Name;
 import org.sonar.plugins.python.api.tree.Tree;
 import org.sonar.plugins.python.api.symbols.Symbol;
+import org.sonar.python.checks.cdk.WeakSSLProtocolCheckPart;
 
 @Rule(key = "S4423")
 public class WeakSSLProtocolCheck extends PythonSubscriptionCheck {
@@ -52,6 +53,8 @@ public void initialize(Context context) {
         ctx.addIssue(pyNameTree, "Change this code to use a stronger protocol.");
       }
     });
+
+    new WeakSSLProtocolCheckPart().initialize(context);
   }
 
   private static boolean isWeakProtocol(@Nullable Symbol symbol) {

python-checks/src/main/java/org/sonar/python/checks/cdk/AbstractCdkResourceCheck.java

@@ -35,6 +35,7 @@
 import org.sonar.plugins.python.api.tree.Expression;
 import org.sonar.plugins.python.api.tree.Name;
 import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.StringLiteral;
 import org.sonar.plugins.python.api.tree.Token;
 import org.sonar.plugins.python.api.tree.Tree;
 import org.sonar.python.checks.Expressions;
@@ -88,7 +89,7 @@ protected static Optional<ArgumentTrace> getArgument(SubscriptionContext ctx, Ca
    * For compatibility with other classes and branches.
    * TODO Can be removed at the end of the sprint to reduce complexity.
    */
-  static class ArgumentTrace extends ExpressionTrace {
+  public static class ArgumentTrace extends ExpressionTrace {
     private ArgumentTrace(SubscriptionContext ctx, List<Expression> trace) {
       super(ctx, trace);
     }
@@ -171,4 +172,37 @@ protected static Predicate<Expression> isFqn(String fqnValue) {
       .isPresent();
   }
 
+  protected static Optional<String> getStringValue(Expression expression) {
+    try {
+      return Optional.of(((StringLiteral) expression).trimmedQuotesValue());
+    } catch (ClassCastException e) {
+      return Optional.empty();
+    }
+  }
+
+  /**
+   * @return Predicate which tests if expression is a string and is equal the expected value
+   */
+  protected static Predicate<Expression> isStringValue(String expectedValue) {
+    return expression -> getStringValue(expression).filter(expectedValue::equals).isPresent();
+  }
+
+  protected static Predicate<Expression> isSensitiveMethod(SubscriptionContext ctx, String methodFqn, String argName, Predicate<Expression> sensitiveValuePredicate) {
+    return expression -> {
+      if (!isFqn(methodFqn).test(expression)) {
+        return false;
+      }
+      if (!expression.is(Tree.Kind.CALL_EXPR)) {
+        return true;
+      }
+
+      Optional<AbstractCdkResourceCheck.ArgumentTrace> argTrace = getArgument(ctx, (CallExpression) expression, argName);
+      if (argTrace.isEmpty()) {
+        return true;
+      }
+
+      return argTrace.filter(trace -> trace.hasExpression(sensitiveValuePredicate)).isPresent();
+    };
+  }
+
 }

python-checks/src/main/java/org/sonar/python/checks/cdk/ClearTextProtocolsCheckPart.java

@@ -201,14 +201,6 @@ private static void checkKeyValuePair(SubscriptionContext ctx, DictionaryLiteral
   // General expression utils
   // ---------------------------------------------------------------------------------------
 
-  private static Optional<String> getStringValue(Expression expression) {
-    try {
-      return Optional.of(((StringLiteral) expression).trimmedQuotesValue());
-    } catch (ClassCastException e) {
-      return Optional.empty();
-    }
-  }
-
   private static Optional<Integer> getIntValue(Expression expression) {
     try {
       return Optional.of((int)((NumericLiteral) expression).valueAsLong());
@@ -229,7 +221,7 @@ private static Optional<ListLiteral> getArgumentList(SubscriptionContext ctx, Ca
   // ---------------------------------------------------------------------------------------
 
   @CheckForNull
-  private static KeyValuePair getKeyValuePair(DictionaryLiteralElement element) {
+  public static KeyValuePair getKeyValuePair(DictionaryLiteralElement element) {
     return element.is(Tree.Kind.KEY_VALUE_PAIR) ? (KeyValuePair) element : null;
   }
 
@@ -251,13 +243,6 @@ private static List<ExpressionTrace> getListElements(SubscriptionContext ctx, Li
   // General predicates
   // ---------------------------------------------------------------------------------------
 
-  /**
-   * @return Predicate which tests if expression is a string and is equal the expected value
-   */
-  private static Predicate<Expression> isStringValue(String expectedValue) {
-    return expression -> getStringValue(expression).filter(expectedValue::equals).isPresent();
-  }
-
   /**
    * @return Predicate which tests if expression is empty list literal
    */

python-checks/src/main/java/org/sonar/python/checks/cdk/DisabledESDomainEncryptionCheck.java

@@ -74,6 +74,7 @@ private static String unencryptedMessage(String engine) {
     return String.format(UNENCRYPTED_MESSAGE, engine);
   }
 
+  // TODO : refactor to replace this method with new available method 'isSensitiveOption' in AbstractCdkResourceCheck
   private static Predicate<Expression> isSensitiveOptionObj(SubscriptionContext ctx, String argFqnMethod) {
     return expr -> {
       if (!isFqn(argFqnMethod).test(expr)) {
@@ -88,6 +89,7 @@ private static Predicate<Expression> isSensitiveOptionObj(SubscriptionContext ct
     };
   }
 
+  // TODO : refactor below to use new available method 'isDictionaryWithKeyValue' in AbstractCdkResourceCheck
   private static Predicate<Expression> isSensitiveOptionDict(SubscriptionContext ctx) {
     return expression -> expression.is(Tree.Kind.DICTIONARY_LITERAL)
       && asDictionaryKeyValuePairs(expression)

python-checks/src/main/java/org/sonar/python/checks/cdk/DisabledRDSEncryptionCheck.java

@@ -80,13 +80,7 @@ protected boolean isEngineAurora(SubscriptionContext ctx, CallExpression resourc
   }
 
   protected Predicate<Expression> startsWith(String expected) {
-    return e -> getStringValue(e).filter(str -> str.startsWith(expected)).isPresent();
-  }
-
-  protected Optional<String> getStringValue(Expression expression) {
-    return Optional.of(expression)
-      .filter(expr -> expr.is(Tree.Kind.STRING_LITERAL)).map(StringLiteral.class::cast)
-      .map(str -> str.trimmedQuotesValue().toLowerCase(Locale.ROOT));
+    return e -> getStringValue(e).filter(str -> str.toLowerCase(Locale.ROOT).startsWith(expected)).isPresent();
   }
 }
 

python-checks/src/main/java/org/sonar/python/checks/cdk/WeakSSLProtocolCheckPart.java

@@ -0,0 +1,94 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.cdk;
+
+import java.util.Objects;
+import java.util.Optional;
+import java.util.function.BiConsumer;
+import java.util.function.Predicate;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.DictionaryLiteral;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.Tree;
+
+public class WeakSSLProtocolCheckPart extends AbstractCdkResourceCheck {
+  private static final String ENFORCE_MESSAGE = "Change this code to enforce TLS 1.2 or above.";
+  private static final String OMITTING_MESSAGE = "Omitting \"tls_security_policy\" enables a deprecated version of TLS. Set it to enforce TLS 1.2 or above.";
+
+  // api gateway
+  private static final String APIGATEWAY_FQN = "aws_cdk.aws_apigateway.";
+  private static final String APIGATEWAYV2_FQN = "aws_cdk.aws_apigatewayv2.";
+
+  // OpenSearch & ElasticSearch
+  private static final String OPENSEARCH_FQN = "aws_cdk.aws_opensearchservice.";
+  private static final String ELASTICSEARCH_FQN = "aws_cdk.aws_elasticsearch.";
+  private static final String TLS_SECURITY_POLICY = "tls_security_policy";
+  private static final String SENSITIVE_TLS_SECURITY_POLICY = "Policy-Min-TLS-1-0-2019-07";
+
+  @Override
+  protected void registerFqnConsumer() {
+    // Api gateway
+    checkFqn(APIGATEWAY_FQN + "DomainName", checkDomainName(isFqn(APIGATEWAY_FQN + "SecurityPolicy.TLS_1_0")));
+    checkFqn(APIGATEWAYV2_FQN + "DomainName", checkDomainName(isFqn(APIGATEWAYV2_FQN + "SecurityPolicy.TLS_1_0")));
+    checkFqn(APIGATEWAY_FQN + "CfnDomainName", checkDomainName(isStringValue("TLS_1_0")));
+
+    // OpenSearch & ElasticSearch
+    checkFqn(OPENSEARCH_FQN + "Domain", checkDomain(isFqn(OPENSEARCH_FQN + "TLSSecurityPolicy.TLS_1_0")));
+    checkFqn(ELASTICSEARCH_FQN + "Domain", checkDomain(isFqn(ELASTICSEARCH_FQN + "TLSSecurityPolicy.TLS_1_0")));
+    checkFqn(OPENSEARCH_FQN + "CfnDomain", checkCfnDomain(OPENSEARCH_FQN + "CfnDomain.DomainEndpointOptionsProperty"));
+    checkFqn(ELASTICSEARCH_FQN + "CfnDomain", checkCfnDomain(ELASTICSEARCH_FQN + "CfnDomain.DomainEndpointOptionsProperty"));
+  }
+
+  private static BiConsumer<SubscriptionContext, CallExpression> checkDomainName(Predicate<Expression> predicateIssue) {
+    return (ctx, callExpression) -> getArgument(ctx, callExpression, "security_policy").ifPresent(
+      argTrace -> argTrace.addIssueIf(predicateIssue, ENFORCE_MESSAGE)
+    );
+  }
+
+  private static BiConsumer<SubscriptionContext, CallExpression> checkDomain(Predicate<Expression> predicateIssue) {
+    return (ctx, callExpression) -> getArgument(ctx, callExpression, TLS_SECURITY_POLICY).ifPresentOrElse(
+      argTrace -> argTrace.addIssueIf(predicateIssue, ENFORCE_MESSAGE),
+      () -> ctx.addIssue(callExpression.callee(), OMITTING_MESSAGE)
+    );
+  }
+
+  private static BiConsumer<SubscriptionContext, CallExpression> checkCfnDomain(String domainOptionName) {
+    return (ctx, callExpression) -> getArgument(ctx, callExpression, "domain_endpoint_options").ifPresentOrElse(
+      argTrace -> argTrace.addIssueIf(isSensitiveMethod(ctx, domainOptionName, TLS_SECURITY_POLICY, isStringValue(SENSITIVE_TLS_SECURITY_POLICY))
+        .or(isSensitiveDictionaryTls(ctx)), ENFORCE_MESSAGE),
+      () -> ctx.addIssue(callExpression.callee(), OMITTING_MESSAGE)
+    );
+  }
+
+  private static Predicate<Expression> isSensitiveDictionaryTls(SubscriptionContext ctx) {
+    return expression -> Optional.of(expression)
+      .filter(expr -> expr.is(Tree.Kind.DICTIONARY_LITERAL)).map(DictionaryLiteral.class::cast)
+      .filter(hasDictionaryKeyValue(ctx, TLS_SECURITY_POLICY, isStringValue(SENSITIVE_TLS_SECURITY_POLICY)))
+      .isPresent();
+  }
+
+  private static Predicate<DictionaryLiteral> hasDictionaryKeyValue(SubscriptionContext ctx, String key, Predicate<Expression> expected) {
+    return dict -> dict.elements().stream().map(ClearTextProtocolsCheckPart::getKeyValuePair).filter(Objects::nonNull)
+      .map(pair -> ClearTextProtocolsCheckPart.ResolvedKeyValuePair.build(ctx, pair))
+      .filter(pair -> pair.key.hasExpression(isStringValue(key)))
+      .allMatch(pair -> pair.value.hasExpression(expected));
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.html

@@ -1,11 +1,8 @@
-<p>Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.</p>
-<p>This rule raises an issue when an SSL/TLS context is created with an insecure protocol version, i.e. when one of the following constants is
-detected in the code:</p>
-<ul>
-  <li> <code>OpenSSL.SSL.SSLv3_METHOD</code> (Use instead <code>OpenSSL.SSL.TLSv1_2_METHOD</code>) </li>
-  <li> <code>ssl.PROTOCOL_SSLv3</code> (Use instead <code>ssl.PROTOCOL_TLSv1_2</code>) </li>
-</ul>
-<p>Protocol versions different from TLSv1.2 and TLSv1.3 are considered insecure.</p>
+<p>This rule raises an issue when an insecure TLS protocol version (i.e. a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2", or "DTLSv1.3") is
+used or allowed.</p>
+<p>It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the
+door to downgrade attacks: a malicious actor who is able to intercept the connection could modify the requested protocol version and downgrade it to a
+less secure version.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
 from OpenSSL import SSL
@@ -17,16 +14,65 @@ <h2>Noncompliant Code Example</h2>
 
 ssl.SSLContext(ssl.PROTOCOL_SSLv3) # Noncompliant
 </pre>
+<p>For <a href="https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html">aws_cdk.aws_apigateway.DomainName</a>:</p>
+<pre>
+from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
+class ExampleStack(Stack):
+    def __init__(self, scope: Construct, construct_id: str, **kwargs) -&gt; None:
+        super().__init__(scope, construct_id, **kwargs)
+        DomainName(self, "example",
+            domain_name="example.com",
+            certificate=certificate,
+            security_policy=SecurityPolicy.TLS_1_0 # Noncompliant
+        )
+</pre>
+<p>For <a
+href="https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html">aws_cdk.aws_opensearchservice.CfnDomain</a>:</p>
+<pre>
+from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
+class ExampleStack(Stack):
+    def __init__(self, scope: Construct, construct_id: str, **kwargs) -&gt; None:
+        super().__init__(scope, construct_id, **kwargs)
+        CfnDomain(self, "example",
+            version=EngineVersion.OPENSEARCH_1_3
+        ) # Noncompliant: enables TLS 1.0 which is a deprecated version of the protocol
+</pre>
 <h2>Compliant Solution</h2>
 <pre>
 from OpenSSL import SSL
 
-SSL.Context(SSL.TLSv1_2_METHOD)  # Compliant
+SSL.Context(SSL.TLSv1_2_METHOD)
 </pre>
 <pre>
 import ssl
 
-ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) # Compliant
+ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+</pre>
+<p>For <a href="https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html">aws_cdk.aws_apigateway.DomainName</a>:</p>
+<pre>
+from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
+class ExampleStack(Stack):
+    def __init__(self, scope: Construct, construct_id: str, **kwargs) -&gt; None:
+        super().__init__(scope, construct_id, **kwargs)
+        DomainName(self, "example",
+            domain_name="example.com",
+            certificate=certificate,
+            security_policy=SecurityPolicy.TLS_1_2
+        )
+</pre>
+<p>For <a
+href="https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html">aws_cdk.aws_opensearchservice.CfnDomain</a>:</p>
+<pre>
+from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
+class ExampleStack(Stack):
+    def __init__(self, scope: Construct, construct_id: str, **kwargs) -&gt; None:
+        super().__init__(scope, construct_id, **kwargs)
+        CfnDomain(self, "example",
+            version=EngineVersion.OPENSEARCH_1_3
+            domain_endpoint_options=CfnDomain.DomainEndpointOptionsProperty(
+                tls_security_policy="Policy-Min-TLS-1-2-2019-07" # Compliant
+            )
+        )
 </pre>
 <h2>See</h2>
 <ul>
@@ -46,5 +92,7 @@ <h2>See</h2>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
   <li> <a href="https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols">SSL and TLS Deployment Best
   Practices - Use secure protocols</a> </li>
+  <li> <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html">Amazon API Gateway</a> -
+  Choosing a minimum TLS version </li>
 </ul>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.json

@@ -47,19 +47,9 @@
       "6.2.4"
     ],
     "ASVS 4.0": [
-      "1.9.2",
-      "2.8.3",
-      "2.9.3",
-      "6.2.2",
-      "6.2.3",
-      "6.2.4",
-      "6.2.5",
-      "6.2.6",
-      "6.2.7",
       "8.3.7",
       "9.1.2",
-      "9.1.3",
-      "9.2.1"
+      "9.1.3"
     ]
   },
   "quickfix": "unknown"

python-checks/src/test/java/org/sonar/python/checks/WeakSSLProtocolCheckTest.java

@@ -33,4 +33,14 @@ public void test() {
   public void test_fallback_import() {
     PythonCheckVerifier.verify("src/test/resources/checks/weakSSLProtocol_fallback_import.py", new WeakSSLProtocolCheck());
   }
+
+  @Test
+  public void test_apigateway() {
+    PythonCheckVerifier.verify("src/test/resources/checks/weakSSLProtocol_apigateway.py", new WeakSSLProtocolCheck());
+  }
+
+  @Test
+  public void test_elasticopensearch() {
+    PythonCheckVerifier.verify("src/test/resources/checks/weakSSLProtocol_elastic_and_open_search.py", new WeakSSLProtocolCheck());
+  }
 }