-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathFluentApiModel.qll
More file actions
54 lines (42 loc) · 1.51 KB
/
FluentApiModel.qll
File metadata and controls
54 lines (42 loc) · 1.51 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
import python
import TlsLibraryModel
class InsecureContextConfiguration extends DataFlow::Configuration {
TlsLibrary library;
InsecureContextConfiguration() { this = library + ["AllowsTLSv1", "AllowsTLSv1_1"] }
override predicate isSource(DataFlow::Node source) {
source = library.unspecific_context_creation()
}
override predicate isSink(DataFlow::Node sink) {
sink = library.connection_creation().getContext()
}
abstract string flag();
override predicate isBarrierOut(DataFlow::Node node) {
exists(ProtocolRestriction r |
r = library.protocol_restriction() and
node = r.getContext() and
r.getRestriction() = flag()
)
}
}
class AllowsTLSv1 extends InsecureContextConfiguration {
AllowsTLSv1() { this = library + "AllowsTLSv1" }
override string flag() { result = "TLSv1" }
}
class AllowsTLSv1_1 extends InsecureContextConfiguration {
AllowsTLSv1_1() { this = library + "AllowsTLSv1_1" }
override string flag() { result = "TLSv1_1" }
}
predicate unsafe_connection_creation(DataFlow::Node node, ProtocolVersion insecure_version) {
exists(AllowsTLSv1 c | c.hasFlowTo(node)) and
insecure_version = "TLSv1"
or
exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) and
insecure_version = "TLSv1_1"
or
exists(TlsLibrary l | l.insecure_connection_creation(insecure_version) = node)
}
predicate unsafe_context_creation(DataFlow::Node node, string insecure_version) {
exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation(insecure_version) |
cc = node
)
}