Python: avoid missing cryptography uses due to unhandled encryption modes

alexrford · RasmusWL · web-flow · commit f8576fb05b01 · 2022-05-19T15:22:49.000+01:00
Co-authored-by: Rasmus Wriedt Larsen &lt;rasmuswriedtlarsen@gmail.com&gt;
diff --git a/python/ql/lib/semmle/python/frameworks/Cryptography.qll b/python/ql/lib/semmle/python/frameworks/Cryptography.qll
@@ -195,9 +195,9 @@ private module CryptographyModel {
             call.getArg(0), call.getArgByName("algorithm")
           ] and
         exists(DataFlow::Node modeArg | modeArg in [call.getArg(1), call.getArgByName("mode")] |
-          modeArg = modeClassRef(modeName).getReturn().getAUse()
-          or
-          modeArg.asExpr() instanceof None and modeName = "<none>"
+          if modeArg = modeClassRef(modeName).getReturn().getAUse()
+          then any()
+          else modeName = "<None or unknown>"
         )
       )
     }

Original file line number	Diff line number	Diff line change
`@@ -195,9 +195,9 @@ private module CryptographyModel {`
`195`	`195`	`call.getArg(0), call.getArgByName("algorithm")`
`196`	`196`	`] and`
`197`	`197`	`exists(DataFlow::Node modeArg \| modeArg in [call.getArg(1), call.getArgByName("mode")] \|`
`198`		`- modeArg = modeClassRef(modeName).getReturn().getAUse()`
`199`		`- or`
`200`		`- modeArg.asExpr() instanceof None and modeName = "<none>"`
	`198`	`+ if modeArg = modeClassRef(modeName).getReturn().getAUse()`
	`199`	`+ then any()`
	`200`	`+ else modeName = "<None or unknown>"`
`201`	`201`	`)`
`202`	`202`	`)`
`203`	`203`	`}`