FluentApiModel.qll
import python
import TlsLibraryModel
/**
 * A data-flow configuration that follows a TLS context from the node where an
 * insecure protocol version is unrestricted on it to the node where the context
 * is used to create a connection.
 *
 * There is one configuration per (`TlsLibrary`, insecure `ProtocolVersion`) pair.
 * Flow out of a context node is blocked where the library restricts the tracked
 * version, so a restriction sitting between source and sink breaks the path.
 */
class InsecureContextConfiguration extends DataFlow::Configuration {
  TlsLibrary library;
  ProtocolVersion tracked_version;

  InsecureContextConfiguration() {
    // Only insecure versions are tracked; the string value names the pair.
    tracked_version.isInsecure() and
    this = library + "Allows" + tracked_version
  }

  /** Gets the insecure protocol version tracked by this configuration. */
  ProtocolVersion getTrackedVersion() { result = tracked_version }

  /** Holds if `source` is a context on which `library` unrestricts `tracked_version`. */
  override predicate isSource(DataFlow::Node source) {
    // source = library.unspecific_context_creation()
    exists(ProtocolUnrestriction unrestriction |
      unrestriction = library.protocol_unrestriction() and
      unrestriction.getUnrestriction() = tracked_version and
      source = unrestriction.getContext()
    )
  }

  /** Holds if `sink` is the context used by a connection creation of `library`. */
  override predicate isSink(DataFlow::Node sink) {
    sink = library.connection_creation().getContext()
  }

  /** Holds if `node` is a context on which `library` restricts `tracked_version`. */
  override predicate isBarrierOut(DataFlow::Node node) {
    exists(ProtocolRestriction restriction |
      restriction = library.protocol_restriction() and
      restriction.getRestriction() = tracked_version and
      node = restriction.getContext()
    )
  }

  /** Holds if `node` is itself a source, so no flow enters a source from an earlier one. */
  override predicate isBarrierIn(DataFlow::Node node) { this.isSource(node) }
}
/**
 * Holds if `connectionCreation` marks the creation of a connection based on the
 * context found at `contextOrigin`, and that context allows `insecure_version`.
 *
 * `specific` is `true` if the context is configured for one specific protocol
 * version, and `false` if it is configured for a family of protocols.
 */
predicate unsafe_connection_creation_with_context(
  DataFlow::Node connectionCreation, ProtocolVersion insecure_version, DataFlow::Node contextOrigin,
  boolean specific
) {
  // Family case: a context on which `insecure_version` was unrestricted flows,
  // without passing a restriction of that version, to a connection creation.
  // NOTE(review): the sink of `InsecureContextConfiguration` is
  // `connection_creation().getContext()`, so `connectionCreation` is bound to
  // that sink node here - confirm this is the node callers want to report.
  exists(InsecureContextConfiguration config, ProtocolUnrestriction origin |
    config.hasFlow(origin, connectionCreation) and
    insecure_version = config.getTrackedVersion() and
    contextOrigin = origin and
    specific = false
  )
  or
  // Specific case: the connection creation itself names `insecure_version`,
  // so the creation node doubles as the context origin.
  exists(TlsLibrary lib, DataFlow::CfgNode creation |
    creation = lib.insecure_connection_creation(insecure_version) and
    connectionCreation = creation and
    contextOrigin = creation and
    specific = true
  )
}
/**
 * Holds if `connectionCreation` marks the creation of a connection without
 * reference to a context, and that connection allows `insecure_version`.
 */
predicate unsafe_connection_creation_without_context(
  DataFlow::CallCfgNode connectionCreation, string insecure_version
) {
  // Any modelled TLS library may contribute the insecure connection creation.
  connectionCreation = any(TlsLibrary lib).insecure_connection_creation(insecure_version)
}
/**
 * Holds if `contextCreation` creates a context that is tied to the specific
 * insecure protocol version `insecure_version`.
 */
predicate unsafe_context_creation(DataFlow::CallCfgNode contextCreation, string insecure_version) {
  exists(TlsLibrary lib, ContextCreation creation |
    creation = lib.insecure_context_creation(insecure_version) and
    contextCreation = creation
  )
}