Python: New query to test for requests without validation.

markshannon · markshannon · commit 45e864a395b5 · 2018-11-23T14:42:45.000Z
diff --git a/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql b/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
@@ -0,0 +1,30 @@
+/**
+ * @name Request Without Certificate Validation
+ * @description Making a request without certificate validation can allow man-in-the-middle attacks.
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @id py/request-without-cert-validation
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import python
+
+import semmle.python.web.Http
+
+
+FunctionObject requestFunction() {
+    exists(ModuleObject req |
+        req.getName() = "requests" and
+        result = req.getAttribute(httpVerbLower())
+    )
+}
+
+from CallNode call, FunctionObject func, ControlFlowNode false_
+where 
+func = requestFunction() and
+func.getACall() = call and
+call.getArgByName("verify").refersTo(theFalseObject(), false_)
+
+select call, "Call to $@ with verify=$@", func, "requests." + func.getName(), false_, "False"
diff --git a/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.expected b/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.expected
@@ -0,0 +1,4 @@
+| make_request.py:5:1:5:48 | ControlFlowNode for Attribute() | Call to $@ with verify=$@ | ../lib/requests.py:2:1:2:36 | Function get | requests.get | make_request.py:5:43:5:47 | ControlFlowNode for False | False |
+| make_request.py:7:1:7:49 | ControlFlowNode for Attribute() | Call to $@ with verify=$@ | ../lib/requests.py:11:1:11:46 | Function post | requests.post | make_request.py:7:44:7:48 | ControlFlowNode for False | False |
+| make_request.py:12:1:12:39 | ControlFlowNode for put() | Call to $@ with verify=$@ | ../lib/requests.py:14:1:14:34 | Function put | requests.put | make_request.py:12:34:12:38 | ControlFlowNode for False | False |
+| make_request.py:28:5:28:46 | ControlFlowNode for patch() | Call to $@ with verify=$@ | ../lib/requests.py:17:1:17:36 | Function patch | requests.patch | make_request.py:30:6:30:10 | ControlFlowNode for False | False |
diff --git a/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref b/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref
@@ -0,0 +1 @@
+Security/CWE-295/RequestWithoutValidation.ql
diff --git a/python/ql/test/query-tests/Security/CWE-295/options b/python/ql/test/query-tests/Security/CWE-295/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE-295/RequestWithoutValidation.ql`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+semmle-extractor-options: -p ../lib/ --max-import-depth=3`