Skip to content

Python: Rewrite py/request-without-cert-validation #9463

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Jun 15, 2022
Merged

Python: Rewrite py/request-without-cert-validation #9463

merged 11 commits into from
Jun 15, 2022

Conversation

RasmusWL
Copy link
Member

@RasmusWL RasmusWL commented Jun 8, 2022
edited
Loading

Also improves library modeling. I did not look into libtaxii or pycurl, it did not seem worth the time.

I left in a few TODO: Handling of insecure SSLContext ... for relevant libraries, I'll leave handling those as future work. We're going to be in a much better state with the changes in this PR 👍

RasmusWL added 10 commits June 8, 2022 15:39
@RasmusWL
Python: Add test we don't handle for `py/request-without-cert-validat…
9cb249f 
…ion`
@RasmusWL
Python: Use HTTP::Client::Request request for `py/request-without-c…
c21e05a 
…ert-validation`

This is very much like the Ruby query, except we also have the origin
that does the disabling.

https://github.com/github/codeql/blob/976daddd36a63bf46836d141d04172e90bb4b33c/ruby/ql/src/queries/security/cwe-295/RequestWithoutValidation.ql#L18-L20
@RasmusWL
Python: Improve requests tests
f37d177
@RasmusWL
Python: Add missing QLDoc for requests
4b07a7b 
Also fix links
@RasmusWL
Python: Model certificate disabling in aiohttp.client
f72a1d9
@RasmusWL
Python: Refactor httpx tests
1a2a423 
and improve QLDocs a bit
@RasmusWL
Python: Model certificate disabling in httpx
049e872
@RasmusWL
Python: Add certificate disable test of urllib/urllib2
0d02ca0
@RasmusWL
Python: Model certificate disabling in urllib3
5b2d799
@RasmusWL
Python: Add change-note
d91b925
@RasmusWL RasmusWL requested a review from a team as a code owner June 8, 2022 15:48
@RasmusWL RasmusWL mentioned this pull request Jun 8, 2022
Closed
@RasmusWL
Copy link
Member Author

RasmusWL commented Jun 8, 2022

We might also consider changing the precision to high.

@calumgrant calumgrant requested a review from yoff June 14, 2022 08:15
yoff
yoff requested changes Jun 14, 2022
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A single suggestion (that will hopefully pass the test), but LGTM.
I like how readable it all is using API::CallNode :-)

python/ql/lib/semmle/python/frameworks/Aiohttp.qll
argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
not argumentOrigin.asExpr() instanceof None
)
// TODO: Handling of SSLContext passed as ssl/ssl_context arguments
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel this would need a treatment similar to the SecureProtocol queries, making it difficult to fit into a single predicate like this..

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll have to deal with that when we get there. I think having both disablingNode and argumentOrigin would allow us enough flexibility to get pretty far, but we'll see.

@RasmusWL @yoff
Python: Apply suggestions from code review
cfd640b 
Co-authored-by: yoff <lerchedahl@gmail.com>
@RasmusWL
Copy link
Member Author

For the record, performance looks fine, and so does the new results from the additional modeling.

@RasmusWL RasmusWL requested a review from yoff June 14, 2022 15:36
yoff
yoff approved these changes Jun 15, 2022
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I like how you made the alert have more information only in cases where that information adds value.

@yoff yoff merged commit 9dbb451 into github:main Jun 15, 2022
@RasmusWL RasmusWL deleted the req-wo-cert-validation branch August 1, 2022 09:38
@RasmusWL RasmusWL mentioned this pull request Aug 19, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yoff yoff yoff approved these changes

Assignees
No one assigned
Labels
documentation Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@RasmusWL @yoff