Python: Add certificate disable test of urllib/urllib2

Author: RasmusWL

python/ql/lib/semmle/python/frameworks/Stdlib/Urllib.qll

@@ -42,7 +42,8 @@ private module Urllib {
       override predicate disablesCertificateValidation(
         DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
       ) {
-        // TODO: Look into disabling certificate validation
+        // cannot enable/disable certificate validation on this object, only when used
+        // with `urlopen`, which is modeled below
         none()
       }
     }
@@ -63,7 +64,8 @@ private module Urllib {
       override predicate disablesCertificateValidation(
         DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
       ) {
-        // TODO: Look into disabling certificate validation
+        // will validate certificate by default, see https://github.com/python/cpython/blob/243ed5439c32e8517aa745bc2ca9774d99c99d0f/Lib/http/client.py#L1420-L1421
+        // TODO: Handling of insecure SSLContext passed to context argument
         none()
       }
     }

python/ql/lib/semmle/python/frameworks/Stdlib/Urllib2.qll

@@ -30,7 +30,8 @@ private module Urllib2 {
     override predicate disablesCertificateValidation(
       DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
     ) {
-      // TODO: Look into disabling certificate validation
+      // cannot enable/disable certificate validation on this object, only when used
+      // with `urlopen`, which is modeled below
       none()
     }
   }
@@ -49,7 +50,8 @@ private module Urllib2 {
     override predicate disablesCertificateValidation(
       DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
     ) {
-      // TODO: Look into disabling certificate validation
+      // will validate certificate by default
+      // TODO: Handling of insecure SSLContext passed to context argument
       none()
     }
   }

python/ql/test/library-tests/frameworks/stdlib-py2/urllib2.py

@@ -1,7 +1,20 @@
 import urllib2
+import ssl
 
 resp = urllib2.Request("url") # $ clientRequestUrlPart="url"
 resp = urllib2.Request(url="url") # $ clientRequestUrlPart="url"
 
 resp = urllib2.urlopen("url") # $ clientRequestUrlPart="url"
-resp = urllib2.urlopen(url="url") # $ clientRequestUrlPart="url"
+resp = urllib2.urlopen(url="url") # $ clientRequestUrlPart="url"
+
+# ==============================================================================
+# Certificate validation disabled
+# ==============================================================================
+
+# A manually constructed SSLContext does not have safe defaults, so is effectively the
+# same as turning off SSL validation
+context = ssl.SSLContext()
+assert context.check_hostname == False
+assert context.verify_mode == ssl.VerifyMode.CERT_NONE
+
+urllib2.urlopen("url", context=context) # $ clientRequestUrlPart="url" MISSING: clientRequestCertValidationDisabled

python/ql/test/library-tests/frameworks/stdlib/urllib.py

@@ -1,7 +1,20 @@
+import ssl
 from urllib.request import Request, urlopen
 
 Request("url") # $ clientRequestUrlPart="url"
 Request(url="url") # $ clientRequestUrlPart="url"
 
 urlopen("url") # $ clientRequestUrlPart="url"
-urlopen(url="url") # $ clientRequestUrlPart="url"
+urlopen(url="url") # $ clientRequestUrlPart="url"
+
+# ==============================================================================
+# Certificate validation disabled
+# ==============================================================================
+
+# A manually constructed SSLContext does not have safe defaults, so is effectively the
+# same as turning off SSL validation
+context = ssl.SSLContext()
+assert context.check_hostname == False
+assert context.verify_mode == ssl.VerifyMode.CERT_NONE
+
+urlopen("url", context=context) # $ clientRequestUrlPart="url" MISSING: clientRequestCertValidationDisabled