Python: Port insecure default protocol

[yoff]

The world has moved on, so this query is out of date in that its premise (that default constructors are insecure) has been invalidated (by the addition of fluent APIs to change defaults after construction). Therefor the QL help has been updated and the query has been limited to flag problems only when the version is older than the introduction of the fluent API.

Hence, this PR does the following:

• use API graphs
• update .qlhelp-file
• limit to versions below 3.4
• move tests to its own directory to only test on old version

[felicitymay]

Thanks for including a change note and for updating the query help file 😄

I've made a few text suggestions, but wasn't able to see the output of the Qhelp preview check run as this no longer seems to generate an artifact. I've flagged this to the CodeQL core team in case they have any suggestions.

[felicitymay]

Unfortunately, I can't add a suggestion here - GitHub complains about "deleted lines" which seems like a bug (in the tooltip if not in the functionality).

This is getting a little overlong and complex. I'd suggest breaking out into bullets for clarity and readability.

Note that <code>ssl.wrap_socket</code> has been deprecated in
Python 3.7. The recommended alternatives are:</p>
<ul>
  <li><code>ssl.SSLContext</code> - supported in Python 2.7.9,
         3.2, and later versions</li>
  <li><code>ssl.create_default_context</code> - a convenience function,
         is supported in Python 3.4 and later versions.</li>
</ul>

[yoff]

Thanks, I hope we will be able to see the result of my attempt at adapting this :-)

[RasmusWL]

I had a look at our discussion from last time you looked at this query (#3580). Our conclusion back then was that even though TLS 1.2 can be used in an insecure manner, we should only alert on version < TLS 1.2.

So TLS 1.1 should also be alerted on, and from my reading of https://docs.python.org/3.9/library/ssl.html#ssl.SSLContext, TLSv1.1 and TLSv1 are allowed with the default ssl.SSLContext() call.

However, it seems like newer versions of the API expects bit-fiddling with the options field -- is that maybe what you've referred to as fluent API? and maybe that was the change that happened in Python 3.4? In any circumstance, I would really like you to add a comment to the QL code explaining what happened in Python 3.4 😊

ctx = ssl.SSLContext()
ctx.options |= ssl.OP_NO_TLSv1
ctx.options |= ssl.OP_NO_TLSv1_1

Is the plan that we will handle such cases with the py/insecure-protocol query? and therefore, that this query should only alert on old code that doesn't support this bit-fiddling of the options field? (since clearly, just spotting the context creation with ssl.SSLContext() is not enough information to tell if that context is going to be secure or not)

I think it's all starting to come together for me, but I would have really liked for you to explain this stuff (in comment in the code, so we can see it in the future), instead of me doing detective work to figure it out 😄

---

It took me a long time to understand that the test-file InsecureProtocol was a direct copy of the old test-file. I added a few comments for cleaning up the test-file, since I thought this was something new you just wrote. I think this might be a great time to clean up the test-file anyway, but now you know why I have been so nit-picky.

[RasmusWL]

nitpick:
What are these? If they're just your own verification that API graphs actually work, I don't think they should be in the query, but in some tests of API graphs 😉

[RasmusWL]

To my understanding, with Python 2.7.16 this is the same as using SSLContext(), which is the same as SSLContext(ssl.PROTOCOL_TLS). So I think those cases should by under the # possibly insecure default heading, and it should be explained they actually do the same thing.

[RasmusWL]

Hmm, probably the heading should be something else... but grouping things together that does the same thing seems reasonable 😊

[RasmusWL]

I don't see any mention of pyOpenSSL in the insecure default protocol... does that means that default values of pyOpenSSL is always safe?

[yoff]

Yes, in that SSL.SSLContext requires a protocol argument; there is no default.

[yoff]

I think it's all starting to come together for me, but I would have really liked for you to explain this stuff (in comment in the code, so we can see it in the future), instead of me doing detective work to figure it out 😄

I guess my hope that it would be explained by this comment was a bit naive. I will add a comment at the top of the query explaining that it only makes sense for older version of Python.

[RasmusWL]

I will add a comment at the top of the query explaining that it only makes sense for older version of Python.

👍 This, and the interplay with py/insecure-protocol should also be highlighted in the qhelp file. Possibly along with an example of how the new Python 3.4+ API allows secure usage of default values (I guess that's a matter of how the qhelp file writing turns out)

[yoff]

I explained the interplay in the .ql-file rather than in the help as it felt more natural. I did add an example of recommended use, though, that felt natural too.

[yoff]

@RasmusWL, thanks for digging into this, I have now revised the PR based on your insights. For the record, this is basically that for this query attention should be restricted to the call ssl.wrap_socket, which is the only way to create a socket with a default that cannot subsequently be modified.

[RasmusWL]

I think all the files this PR touches upon (especially the qhelp file, and the example) needs to have all references to SSLContext removed, maybe except for an example of how to use its' wrap_socket method in a safe manner. This query doesn't report on it anymore, so let's keep make our documentation match that as well 😉

Also just FYI, the example you added should have this change

-context.minimum_version(ssl.TLSVersion.TLSv1_2)
+context.minimum_version = ssl.TLSVersion.TLSv1_2

[yoff]

@felicitymay Thank you for your comments, unfortunately much of the material has now been rewritten. I would be grateful for another look :-)

Ah, I just noted the new procedure for requesting this :-)

[github-actions]

Hello @github/docs-content-codeql : this PR is ready for docs review.

[RasmusWL]

This part of the qhelp file still needs to be changed so it doesn't talk about how default params of ssl.SSLContext are bad:

codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp

Lines 27 to 66 in 3dd34c9

	<p>
	The following code shows two different ways of setting up a connection
	using SSL or TLS. They are both potentially insecure because the
	default version is used.
	</p>
	<sample src="examples/insecure_default_protocol.py" />
	<p>
	Both of the cases above should be updated to use a secure protocol
	instead, for instance by specifying
	<code>ssl_version=PROTOCOL_TLSv1_2</code> as a keyword argument.
	</p>
	<p>
	The latter example can also be made secure by modifying the created
	context before it is used to create a connection and so will not be
	flagged by this query. However, if a connection is created before
	the context has been secured (e.g. by setting the value of <code>minimum_version</code>),
	then the code should be flagged by the query <code>py/insecure-protocol</code>.
	</p>
	<p>
	Note that <code>ssl.wrap_socket</code> has been deprecated in
	Python 3.7. The recommended alternatives are:
	</p>
	<ul>
	<li><code>ssl.SSLContext</code> - supported in Python 2.7.9,
	3.2, and later versions</li>
	<li><code>ssl.create_default_context</code> - a convenience function,
	supported in Python 3.4 and later versions.</li>
	</ul>
	<p>
	Note also that, even using these alternatives, it is recommended to
	ensure that a safe protocol is being used. The following code illustrates
	how to use either flags (available since Python 3.2) or the `minimum_version`
	field (favored since Python 3.7) to restrict the protocols accepted when
	creating a connection.
	</p>
	<sample src="examples/secure_default_protocol.py" />
	</example>

☝️ is basically what I tried to say in the non-example part of #5246 (review)

I'm not sure whether any of the references are no longer needed?

[yoff]

I think both examples are still valid and I like how this enabled a natural link to py/insecure-protocol after all.

[felicitymay]

@adityasharad - somehow this comment: #5246 (comment) wasn't picked up by our workflow. I'm not sure what the problem is but can see that the team name doesn't show up in bold as it would in a normal comment. (Update: Shati pointed out that this might be because the author of the comment is not a member of the github organization.)

[felicitymay]

A couple of small text suggestions, a question, and a possible bug in the qhelp -> markdown conversion. Otherwise, the text looks generally clear.

[felicitymay]

It's not clear to me from this text whether we mean the second example is never flagged by the query because it might be used in a secure way, or the second example is not flagged by the query if it is used in a secure way.

[yoff]

It is the first option. This query does not use data flow, so it now only flags cases that are immediately insecure. The other query referred to in the next sentence, py/insecure-protocol, uses data flow to detect if a context is made secure before it is used.

[yoff]

I have attempted a clarification now.

[felicitymay]

There is a bug in the markdown generated by the Qhelp test here. Note the missing blank line after the bullet list that means that this paragraph is run into the second bullet. I don't think this is an error in the qhelp file.

Note that `ssl.wrap_socket` has been deprecated in Python 3.7. The recommended alternatives are:

* `ssl.SSLContext` - supported in Python 2.7.9, 3.2, and later versions
* `ssl.create_default_context` - a convenience function, supported in Python 3.4 and later versions.
Note also that, even using these alternatives, it is recommended to ensure that a safe protocol is being used. The following code illustrates how to use either flags (available since Python 3.2) or the \`minimum_version\` field (favored since Python 3.7) to restrict the protocols accepted when creating a connection.

[yoff]

I can try inserting a blank line in the help file and see what happens..

[felicitymay]

Thanks. That doesn't appear to have made any difference 😞

I'm not sure where we should report this bug in the CodeQL CLI, but it doesn't look as if it should block this PR.

[adityasharad]

@adityasharad - somehow this comment: #5246 (comment) wasn't picked up by our workflow. I'm not sure what the problem is but can see that the team name doesn't show up in bold as it would in a normal comment. (Update: Shati pointed out that this might be because the author of the comment is not a member of the github organization.)

@felicitymay it was the colon immediately after the team name. Adding a space seems to fix it, will update the workflow.

[felicitymay]

Thanks for all the changes. I spotted one more small thing in the text but otherwise it looks okay to me 😄

[tausbn]

One minor comment on the query itself, otherwise LGTM.

[RasmusWL]

I think both examples are still valid and I like how this enabled a natural link to py/insecure-protocol after all.

Reading over the text and examples again, it does look ok 👍

[RasmusWL]

🤔 removing the request for review from Taus didn't allow me to merge this PR still 😂

Out of date