insecure-ssl-protocols

Try in Playground
python-securitySecurityCritical

0

No tags

CVE-757

The following security protocols should never be used in Python: SSLv3, SSLv2, TLSv1. For more details, read the SSL module page of the official documentation.

The issue addresses the CWE-757 - selection of less-secure algorithm during negotiation.

Ast Rule: function call


insecure-ssl-protocols

How to write a rule
function checkProtocol(node, protocol) {
  if (!node.arguments || !node.context){
    return;
  }
  if (!(node.functionName.value === "wrap_socket" && node.moduleOrObject.value === "ssl")) {
    return;
  }

  const useOutdatedProtocol = node.arguments.values.filter(a => a.value && a.value.str == `ssl.${protocol}`).length > 0;

  const allPackages = node.context.imports.filter(i => i.packages).flatMap(i => i.packages.map(p => p.name.str));
  const useSslPackage = allPackages.filter(i => i === "ssl").length > 0;

  if(useOutdatedProtocol && useSslPackage){
    const error = buildError(node.start.line, node.start.col, node.end.line, node.end.col, `Use of insecure protocol ${protocol}`, "CRITICAL", "SECURITY");
    addError(error);
  } 
}

function visit(node) {
  if (!node.arguments){
    return;
  }
  if (!(node.functionName.value === "wrap_socket" && node.moduleOrObject.value === "ssl")) {
    return;
  }
  const protocols = ["PROTOCOL_SSLv3", "PROTOCOL_SSLv2", "SSLv2_METHOD", "SSLv23_METHOD", "PROTOCOL_TLSv1", "SSLv3_METHOD", "TLSv1_METHOD"];
  protocols.forEach(protocol => {
    checkProtocol(node, protocol);
  });

}

insecure-protocol.py

Expected test result: has error

Use of the SSLv3 protocol

import ssl

def newconnect(self):
  try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remote = ssl.wrap_socket(s,
                             ca_certs= CA,
                             cert_reqs=ssl.CERT_REQUIRED,
                             ssl_version = ssl.PROTOCOL_SSLv3)
    remote.connect(self.server.seradd)
    if not self.server.seradd[0] == remote.getpeercert()['subjectAltName'][0][1]:
      logging.error('Server crt error !! Server Name don\'t mach !!')
      logging.error(remote.getpeercert()['subjectAltName'][0][1])
      return
    if not self.send_PW(remote):
      logging.warn('PW error !')
      return
    except socket.error, e:
      logging.warn(e)
      return
Add comment

Log in to add a comment


    Be the first one to leave a comment!

Codiga Logo
Codiga Hub
  • Rulesets
  • Explore
  • Cookbooks
  • Playground
soc-2 icon

We are SOC-2 Compliance Certified

G2 high performer medal

Codiga – All rights reserved 2022.