Python: Model certificate disabling in aiohttp.client

RasmusWL · RasmusWL · commit f72a1d98bb28 · 2022-06-08T17:41:45.000+02:00
diff --git a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
@@ -662,7 +662,7 @@ private module AiohttpClientModel {
     private API::Node instance() { result = classRef().getReturn() }
 
     /** A method call on a ClientSession that sends off a request */
-    private class OutgoingRequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
+    private class OutgoingRequestCall extends HTTP::Client::Request::Range, API::CallNode {
       string methodName;
 
       OutgoingRequestCall() {
@@ -685,8 +685,14 @@ private module AiohttpClientModel {
       override predicate disablesCertificateValidation(
         DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
       ) {
-        // TODO: Look into disabling certificate validation
-        none()
+        exists(API::Node param | param = this.getKeywordParameter(["ssl", "verify_ssl"]) |
+          disablingNode = param.getARhs() and
+          argumentOrigin = param.getAValueReachingRhs() and
+          // aiohttp.client treats `None` as the default and all other "falsey" values as `False`.
+          argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
+          not argumentOrigin.asExpr() instanceof None
+        )
+        // TODO: Handling of SSLContext passed as ssl/ssl_context arguments
       }
     }
   }
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/client_request.py b/python/ql/test/library-tests/frameworks/aiohttp/client_request.py
@@ -1,5 +1,6 @@
 import aiohttp
 import asyncio
+import ssl
 
 s = aiohttp.ClientSession()
 resp = s.request("method", "url") # $ clientRequestUrlPart="url"
@@ -13,4 +14,20 @@
 s = aiohttp.ClientSession()
 resp = s.post("url") # $ clientRequestUrlPart="url"
 resp = s.patch("url") # $ clientRequestUrlPart="url"
-resp = s.options("url") # $ clientRequestUrlPart="url"
+resp = s.options("url") # $ clientRequestUrlPart="url"
+
+# disabling of SSL validation
+# see https://docs.aiohttp.org/en/stable/client_reference.html#aiohttp.ClientSession.request
+s.get("url", ssl=False) # $ clientRequestUrlPart="url" clientRequestCertValidationDisabled
+s.get("url", ssl=0) # $ clientRequestUrlPart="url" clientRequestCertValidationDisabled
+
+# deprecated since 3.0, but still supported
+s.get("url", verify_ssl=False) # $ clientRequestUrlPart="url" clientRequestCertValidationDisabled
+
+# A manually constructed SSLContext does not have safe defaults, so is effectively the
+# same as turning off SSL validation
+context = ssl.SSLContext()
+assert context.check_hostname == False
+assert context.verify_mode == ssl.VerifyMode.CERT_NONE
+
+s.get("url", ssl=context) # $ clientRequestUrlPart="url" MISSING: clientRequestCertValidationDisabled
