Mercurial Repositories > eric / file comparison
comparison: src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureSslTls.py
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureSslTls.py
- branch
- eric7
- changeset 9221
- bf71ee032bb4
- parent 9209
- b99e7fd55fd3
- child 9653
- e67609152c5e
equal
deleted
inserted
replaced
| 9220:e9e7eca7efee | 9221:bf71ee032bb4 |
|---|---|
| 19 | 19 |
| 20 | 20 |
| 21 def getChecks(): | 21 def getChecks(): |
| 22 """ | 22 """ |
| 23 Public method to get a dictionary with checks handled by this module. | 23 Public method to get a dictionary with checks handled by this module. |
| 24 | 24 |
| 25 @return dictionary containing checker lists containing checker function and | 25 @return dictionary containing checker lists containing checker function and |
| 26 list of codes | 26 list of codes |
| 27 @rtype dict | 27 @rtype dict |
| 28 """ | 28 """ |
| 29 return { | 29 return { |
| 38 | 38 |
| 39 | 39 |
| 40 def checkInsecureSslProtocolVersion(reportError, context, config): | 40 def checkInsecureSslProtocolVersion(reportError, context, config): |
| 41 """ | 41 """ |
| 42 Function to check for use of insecure SSL protocol version. | 42 Function to check for use of insecure SSL protocol version. |
| 43 | 43 |
| 44 @param reportError function to be used to report errors | 44 @param reportError function to be used to report errors |
| 45 @type func | 45 @type func |
| 46 @param context security context object | 46 @param context security context object |
| 47 @type SecurityContext | 47 @type SecurityContext |
| 48 @param config dictionary with configuration data | 48 @param config dictionary with configuration data |
| 49 @type dict | 49 @type dict |
| 50 """ | 50 """ |
| 51 insecureProtocolVersions = ( | 51 insecureProtocolVersions = ( |
| 52 config["insecure_ssl_protocol_versions"] | 52 config["insecure_ssl_protocol_versions"] |
| 53 if config and "insecure_ssl_protocol_versions" in config else | 53 if config and "insecure_ssl_protocol_versions" in config |
| 54 SecurityDefaults["insecure_ssl_protocol_versions"] | 54 else SecurityDefaults["insecure_ssl_protocol_versions"] |
| 55 ) | 55 ) |
| 56 | 56 |
| 57 if context.callFunctionNameQual == 'ssl.wrap_socket': | 57 if context.callFunctionNameQual == "ssl.wrap_socket": |
| 58 if context.checkCallArgValue('ssl_version', insecureProtocolVersions): | 58 if context.checkCallArgValue("ssl_version", insecureProtocolVersions): |
| 59 reportError( | 59 reportError( |
| 60 context.getLinenoForCallArg('ssl_version') - 1, | 60 context.getLinenoForCallArg("ssl_version") - 1, |
| 61 context.getOffsetForCallArg('ssl_version'), | 61 context.getOffsetForCallArg("ssl_version"), |
| 62 "S502.1", | 62 "S502.1", |
| 63 "H", | 63 "H", |
| 64 "H", | 64 "H", |
| 65 ) | 65 ) |
| 66 | 66 |
| 67 elif context.callFunctionNameQual == 'pyOpenSSL.SSL.Context': | 67 elif context.callFunctionNameQual == "pyOpenSSL.SSL.Context": |
| 68 if context.checkCallArgValue('method', insecureProtocolVersions): | 68 if context.checkCallArgValue("method", insecureProtocolVersions): |
| 69 reportError( | 69 reportError( |
| 70 context.getLinenoForCallArg('method') - 1, | 70 context.getLinenoForCallArg("method") - 1, |
| 71 context.getOffsetForCallArg('method'), | 71 context.getOffsetForCallArg("method"), |
| 72 "S502.2", | 72 "S502.2", |
| 73 "H", | 73 "H", |
| 74 "H", | 74 "H", |
| 75 ) | 75 ) |
| 76 | 76 |
| 77 elif ( | 77 elif ( |
| 78 context.callFunctionNameQual != 'ssl.wrap_socket' and | 78 context.callFunctionNameQual != "ssl.wrap_socket" |
| 79 context.callFunctionNameQual != 'pyOpenSSL.SSL.Context' | 79 and context.callFunctionNameQual != "pyOpenSSL.SSL.Context" |
| 80 ): | 80 ): |
| 81 if context.checkCallArgValue('method', insecureProtocolVersions): | 81 if context.checkCallArgValue("method", insecureProtocolVersions): |
| 82 reportError( | 82 reportError( |
| 83 context.getLinenoForCallArg('method') - 1, | 83 context.getLinenoForCallArg("method") - 1, |
| 84 context.getOffsetForCallArg('method'), | 84 context.getOffsetForCallArg("method"), |
| 85 "S502.3", | 85 "S502.3", |
| 86 "H", | 86 "H", |
| 87 "H", | 87 "H", |
| 88 ) | 88 ) |
| 89 | 89 |
| 90 elif context.checkCallArgValue('ssl_version', | 90 elif context.checkCallArgValue("ssl_version", insecureProtocolVersions): |
| 91 insecureProtocolVersions): | |
| 92 reportError( | 91 reportError( |
| 93 context.getLinenoForCallArg('ssl_version') - 1, | 92 context.getLinenoForCallArg("ssl_version") - 1, |
| 94 context.getOffsetForCallArg('ssl_version'), | 93 context.getOffsetForCallArg("ssl_version"), |
| 95 "S502.3", | 94 "S502.3", |
| 96 "H", | 95 "H", |
| 97 "H", | 96 "H", |
| 98 ) | 97 ) |
| 99 | 98 |
| 100 | 99 |
| 101 def checkInsecureSslDefaults(reportError, context, config): | 100 def checkInsecureSslDefaults(reportError, context, config): |
| 102 """ | 101 """ |
| 103 Function to check for SSL use with insecure defaults specified. | 102 Function to check for SSL use with insecure defaults specified. |
| 104 | 103 |
| 105 @param reportError function to be used to report errors | 104 @param reportError function to be used to report errors |
| 106 @type func | 105 @type func |
| 107 @param context security context object | 106 @param context security context object |
| 108 @type SecurityContext | 107 @type SecurityContext |
| 109 @param config dictionary with configuration data | 108 @param config dictionary with configuration data |
| 110 @type dict | 109 @type dict |
| 111 """ | 110 """ |
| 112 insecureProtocolVersions = ( | 111 insecureProtocolVersions = ( |
| 113 config["insecure_ssl_protocol_versions"] | 112 config["insecure_ssl_protocol_versions"] |
| 114 if config and "insecure_ssl_protocol_versions" in config else | 113 if config and "insecure_ssl_protocol_versions" in config |
| 115 SecurityDefaults["insecure_ssl_protocol_versions"] | 114 else SecurityDefaults["insecure_ssl_protocol_versions"] |
| 116 ) | 115 ) |
| 117 | 116 |
| 118 for default in context.functionDefDefaultsQual: | 117 for default in context.functionDefDefaultsQual: |
| 119 val = default.split(".")[-1] | 118 val = default.split(".")[-1] |
| 120 if val in insecureProtocolVersions: | 119 if val in insecureProtocolVersions: |
| 121 reportError( | 120 reportError( |
| 122 context.node.lineno - 1, | 121 context.node.lineno - 1, |
| 128 | 127 |
| 129 | 128 |
| 130 def checkSslWithoutVersion(reportError, context, config): | 129 def checkSslWithoutVersion(reportError, context, config): |
| 131 """ | 130 """ |
| 132 Function to check for SSL use with no version specified. | 131 Function to check for SSL use with no version specified. |
| 133 | 132 |
| 134 @param reportError function to be used to report errors | 133 @param reportError function to be used to report errors |
| 135 @type func | 134 @type func |
| 136 @param context security context object | 135 @param context security context object |
| 137 @type SecurityContext | 136 @type SecurityContext |
| 138 @param config dictionary with configuration data | 137 @param config dictionary with configuration data |
| 139 @type dict | 138 @type dict |
| 140 """ | 139 """ |
| 141 if ( | 140 if ( |
| 142 context.callFunctionNameQual == 'ssl.wrap_socket' and | 141 context.callFunctionNameQual == "ssl.wrap_socket" |
| 143 context.checkCallArgValue('ssl_version') is None | 142 and context.checkCallArgValue("ssl_version") is None |
| 144 ): | 143 ): |
| 145 # checkCallArgValue() returns False if the argument is found | 144 # checkCallArgValue() returns False if the argument is found |
| 146 # but does not match the supplied value (or the default None). | 145 # but does not match the supplied value (or the default None). |
| 147 # It returns None if the argument passed doesn't exist. This | 146 # It returns None if the argument passed doesn't exist. This |
| 148 # tests for that (ssl_version is not specified). | 147 # tests for that (ssl_version is not specified). |
