Merge pull request github#12858 from RasmusWL/paramiko-modeling

Python: Expand modeling of `paramiko`

Author: yoff

python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql

@@ -16,11 +16,17 @@ import semmle.python.ApiGraphs
 
 private API::Node unsafe_paramiko_policy(string name) {
   name in ["AutoAddPolicy", "WarningPolicy"] and
-  result = API::moduleImport("paramiko").getMember("client").getMember(name)
+  (
+    result = API::moduleImport("paramiko").getMember("client").getMember(name)
+    or
+    result = API::moduleImport("paramiko").getMember(name)
+  )
 }
 
 private API::Node paramikoSshClientInstance() {
   result = API::moduleImport("paramiko").getMember("client").getMember("SSHClient").getReturn()
+  or
+  result = API::moduleImport("paramiko").getMember("SSHClient").getReturn()
 }
 
 from DataFlow::CallCfgNode call, DataFlow::Node arg, string name

python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/MissingHostKeyValidation.expected

@@ -2,3 +2,4 @@
 | paramiko_host_key.py:7:1:7:49 | ControlFlowNode for Attribute() | Setting missing host key policy to WarningPolicy may be unsafe. |
 | paramiko_host_key.py:11:1:11:51 | ControlFlowNode for Attribute() | Setting missing host key policy to AutoAddPolicy may be unsafe. |
 | paramiko_host_key.py:13:1:13:51 | ControlFlowNode for Attribute() | Setting missing host key policy to WarningPolicy may be unsafe. |
+| paramiko_host_key.py:20:1:20:58 | ControlFlowNode for Attribute() | Setting missing host key policy to AutoAddPolicy may be unsafe. |

python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/paramiko_host_key.py

@@ -11,3 +11,10 @@
 client.set_missing_host_key_policy(AutoAddPolicy()) # bad
 client.set_missing_host_key_policy(RejectPolicy())  # good
 client.set_missing_host_key_policy(WarningPolicy()) # bad
+
+# different import
+
+import paramiko
+
+client = paramiko.SSHClient()
+client.set_missing_host_key_policy(paramiko.AutoAddPolicy) # bad