Mercurial Repositories > eric / file comparison
comparison: eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureSslTls.py
eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureSslTls.py
- changeset 7615
- ca2949b1a29a
- child 7923
- 91e843545d9a
equal
deleted
inserted
replaced
| 7614:646742c260bd | 7615:ca2949b1a29a |
|---|---|
| 1 # -*- coding: utf-8 -*- | |
| 2 | |
| 3 # Copyright (c) 2020 Detlev Offenbach <detlev@die-offenbachs.de> | |
| 4 # | |
| 5 | |
| 6 """ | |
| 7 Module implementing a check for use of SSL/TLS with insecure protocols. | |
| 8 """ | |
| 9 | |
| 10 # | |
| 11 # This is a modified version of the one found in the bandit package. | |
| 12 # | |
| 13 # Original Copyright 2014 Hewlett-Packard Development Company, L.P. | |
| 14 # | |
| 15 # SPDX-License-Identifier: Apache-2.0 | |
| 16 # | |
| 17 | |
| 18 from Security.SecurityDefaults import SecurityDefaults | |
| 19 | |
| 20 | |
| 21 def getChecks(): | |
| 22 """ | |
| 23 Public method to get a dictionary with checks handled by this module. | |
| 24 | |
| 25 @return dictionary containing checker lists containing checker function and | |
| 26 list of codes | |
| 27 @rtype dict | |
| 28 """ | |
| 29 return { | |
| 30 "Call": [ | |
| 31 (checkInsecureSslProtocolVersion, ("S502",)), | |
| 32 (checkSslWithoutVersion, ("S504",)), | |
| 33 ], | |
| 34 "FunctionDef": [ | |
| 35 (checkInsecureSslDefaults, ("S503",)), | |
| 36 ], | |
| 37 } | |
| 38 | |
| 39 | |
| 40 def checkInsecureSslProtocolVersion(reportError, context, config): | |
| 41 """ | |
| 42 Function to check for use of insecure SSL protocol version. | |
| 43 | |
| 44 @param reportError function to be used to report errors | |
| 45 @type func | |
| 46 @param context security context object | |
| 47 @type SecurityContext | |
| 48 @param config dictionary with configuration data | |
| 49 @type dict | |
| 50 """ | |
| 51 if config and "insecure_ssl_protocol_versions" in config: | |
| 52 insecureProtocolVersions = config["insecure_ssl_protocol_versions"] | |
| 53 else: | |
| 54 insecureProtocolVersions = SecurityDefaults[ | |
| 55 "insecure_ssl_protocol_versions"] | |
| 56 | |
| 57 if context.callFunctionNameQual == 'ssl.wrap_socket': | |
| 58 if context.checkCallArgValue('ssl_version', insecureProtocolVersions): | |
| 59 reportError( | |
| 60 context.getLinenoForCallArg('ssl_version') - 1, | |
| 61 context.getOffsetForCallArg('ssl_version'), | |
| 62 "S502.1", | |
| 63 "H", | |
| 64 "H", | |
| 65 ) | |
| 66 | |
| 67 elif context.callFunctionNameQual == 'pyOpenSSL.SSL.Context': | |
| 68 if context.checkCallArgValue('method', insecureProtocolVersions): | |
| 69 reportError( | |
| 70 context.getLinenoForCallArg('method') - 1, | |
| 71 context.getOffsetForCallArg('method'), | |
| 72 "S502.2", | |
| 73 "H", | |
| 74 "H", | |
| 75 ) | |
| 76 | |
| 77 elif ( | |
| 78 context.callFunctionNameQual != 'ssl.wrap_socket' and | |
| 79 context.callFunctionNameQual != 'pyOpenSSL.SSL.Context' | |
| 80 ): | |
| 81 if context.checkCallArgValue('method', insecureProtocolVersions): | |
| 82 reportError( | |
| 83 context.getLinenoForCallArg('method') - 1, | |
| 84 context.getOffsetForCallArg('method'), | |
| 85 "S502.3", | |
| 86 "H", | |
| 87 "H", | |
| 88 ) | |
| 89 | |
| 90 elif context.checkCallArgValue('ssl_version', | |
| 91 insecureProtocolVersions): | |
| 92 reportError( | |
| 93 context.getLinenoForCallArg('ssl_version') - 1, | |
| 94 context.getOffsetForCallArg('ssl_version'), | |
| 95 "S502.3", | |
| 96 "H", | |
| 97 "H", | |
| 98 ) | |
| 99 | |
| 100 | |
| 101 def checkInsecureSslDefaults(reportError, context, config): | |
| 102 """ | |
| 103 Function to check for SSL use with insecure defaults specified. | |
| 104 | |
| 105 @param reportError function to be used to report errors | |
| 106 @type func | |
| 107 @param context security context object | |
| 108 @type SecurityContext | |
| 109 @param config dictionary with configuration data | |
| 110 @type dict | |
| 111 """ | |
| 112 if config and "insecure_ssl_protocol_versions" in config: | |
| 113 insecureProtocolVersions = config["insecure_ssl_protocol_versions"] | |
| 114 else: | |
| 115 insecureProtocolVersions = SecurityDefaults[ | |
| 116 "insecure_ssl_protocol_versions"] | |
| 117 | |
| 118 for default in context.functionDefDefaultsQual: | |
| 119 val = default.split(".")[-1] | |
| 120 if val in insecureProtocolVersions: | |
| 121 reportError( | |
| 122 context.node.lineno - 1, | |
| 123 context.node.col_offset, | |
| 124 "S503", | |
| 125 "M", | |
| 126 "M", | |
| 127 ) | |
| 128 | |
| 129 | |
| 130 def checkSslWithoutVersion(reportError, context, config): | |
| 131 """ | |
| 132 Function to check for SSL use with no version specified. | |
| 133 | |
| 134 @param reportError function to be used to report errors | |
| 135 @type func | |
| 136 @param context security context object | |
| 137 @type SecurityContext | |
| 138 @param config dictionary with configuration data | |
| 139 @type dict | |
| 140 """ | |
| 141 if context.callFunctionNameQual == 'ssl.wrap_socket': | |
| 142 if context.checkCallArgValue('ssl_version') is None: | |
| 143 # checkCallArgValue() returns False if the argument is found | |
| 144 # but does not match the supplied value (or the default None). | |
| 145 # It returns None if the argument passed doesn't exist. This | |
| 146 # tests for that (ssl_version is not specified). | |
| 147 reportError( | |
| 148 context.node.lineno - 1, | |
| 149 context.node.col_offset, | |
| 150 "S504", | |
| 151 "L", | |
| 152 "M", | |
| 153 ) |
