File tree Expand file tree Collapse file tree 4 files changed +64
-0
lines changed
python/ql/test/query-tests/Security/CWE-327-InsecureProtocol Expand file tree Collapse file tree 4 files changed +64
-0
lines changed Original file line number Diff line number Diff line change 1010| InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | call to SSL.Context |
1111| InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
1212| InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | call to SSLContext |
13+ | import_all_one_file.py:25:14:25:45 | ControlFlowNode for copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_all_one_file.py:9:36:9:67 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
14+ | import_all_one_file.py:25:14:25:45 | ControlFlowNode for copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:9:36:9:67 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
15+ | import_all_one_file.py:29:14:29:39 | ControlFlowNode for copy_also_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:12:30:12:61 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
16+ | import_use.py:13:14:13:40 | ControlFlowNode for completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_def.py:7:31:7:62 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
17+ | import_use.py:13:14:13:40 | ControlFlowNode for completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_def.py:7:31:7:62 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
1318| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
1419| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
1520| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
Original file line number Diff line number Diff line change 1+ # use to compare alerts without import
2+
3+ import ssl
4+
5+ copy_secure_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
6+ copy_secure_context .options |= ssl .OP_NO_TLSv1 | ssl .OP_NO_TLSv1_1
7+
8+ # this is just to allow us to see how un-altered exports work
9+ copy_completely_insecure_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
10+
11+ # and an insecure export that is refined
12+ copy_also_insecure_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
13+ copy_also_insecure_context .options |= ssl .OP_NO_TLSv1
14+
15+
16+
17+ import socket
18+ hostname = 'www.python.org'
19+
20+ with socket .create_connection ((hostname , 443 )) as sock :
21+ with copy_secure_context .wrap_socket (sock , server_hostname = hostname ) as ssock :
22+ print (ssock .version ())
23+
24+ with socket .create_connection ((hostname , 443 )) as sock :
25+ with copy_completely_insecure_context .wrap_socket (sock , server_hostname = hostname ) as ssock :
26+ print (ssock .version ())
27+
28+ with socket .create_connection ((hostname , 443 )) as sock :
29+ with copy_also_insecure_context .wrap_socket (sock , server_hostname = hostname ) as ssock :
30+ print (ssock .version ())
Original file line number Diff line number Diff line change 1+ import ssl
2+
3+ secure_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
4+ secure_context .options |= ssl .OP_NO_TLSv1 | ssl .OP_NO_TLSv1_1
5+
6+ # this is just to allow us to see how un-altered exports work
7+ completely_insecure_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
8+
9+ # and an insecure export that is refined
10+ also_insecure_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
11+ also_insecure_context .options |= ssl .OP_NO_TLSv1
Original file line number Diff line number Diff line change 1+ # check that query works properly with imports
2+
3+ import socket
4+ from import_def import secure_context , completely_insecure_context , also_insecure_context
5+
6+ hostname = 'www.python.org'
7+
8+ with socket .create_connection ((hostname , 443 )) as sock :
9+ with secure_context .wrap_socket (sock , server_hostname = hostname ) as ssock :
10+ print (ssock .version ())
11+
12+ with socket .create_connection ((hostname , 443 )) as sock :
13+ with completely_insecure_context .wrap_socket (sock , server_hostname = hostname ) as ssock :
14+ print (ssock .version ())
15+
16+ with socket .create_connection ((hostname , 443 )) as sock :
17+ with also_insecure_context .wrap_socket (sock , server_hostname = hostname ) as ssock :
18+ print (ssock .version ())
You can’t perform that action at this time.
0 commit comments