## Summary Adds the S503 rule for the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. It checks for function-definition argument defaults that use an insecure ssl_version value. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_defaults Some logic and the `const` can be shared with #9390 once one of the two is merged. ## Test Plan Fixture added ## Issue Link Refers: #1646
Showing
8 changed files
with
169 additions
and
0 deletions.
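--- a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S503.py
+++ b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S503.py
@@ -0,0 +1,23 @@
+import ssl
+from OpenSSL import SSL
+from ssl import PROTOCOL_TLSv1
+
+
+def func(version=ssl.PROTOCOL_SSLv2): # S503
+pass
+
+
+def func(protocol=SSL.SSLv2_METHOD): # S503
+pass
+
+
+def func(version=SSL.SSLv23_METHOD): # S503
+pass
+
+
+def func(protocol=PROTOCOL_TLSv1): # S503
+pass
+
+
+def func(version=SSL.TLSv1_2_METHOD): # OK
+pass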
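Review bot: None of the fixture's functions gives a keyword-only parameter a default, so the `kwonlyargs` branch of the new rule is never exercised by the snapshot. Adding a case such as `def func(*, version=ssl.PROTOCOL_SSLv3):  # S503` would cover that branch and also exercise one of the SSLv3/TLSv1.1 names, none of which appear in the fixture. A keyword-only or positional-only parameter with a secure default would likewise pin the negative path for those parameter kinds.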
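--- a/crates/ruff_linter/src/rules/flake8_bandit/rules/ssl_with_bad_defaults.rs
+++ b/crates/ruff_linter/src/rules/flake8_bandit/rules/ssl_with_bad_defaults.rs
@@ -0,0 +1,106 @@
+use ruff_diagnostics::{Diagnostic, Violation};
+use ruff_macros::{derive_message_formats, violation};
+use ruff_python_ast::{self as ast, Expr, StmtFunctionDef};
+
+use crate::checkers::ast::Checker;
+
+/// ## What it does
+/// Checks for function definitions with default arguments set to insecure SSL
+/// and TLS protocol versions.
+///
+/// ## Why is this bad?
+/// Several highly publicized exploitable flaws have been discovered in all
+/// versions of SSL and early versions of TLS. The following versions are
+/// considered insecure, and should be avoided:
+/// - SSL v2
+/// - SSL v3
+/// - TLS v1
+/// - TLS v1.1
+///
+/// ## Example
+/// ```python
+/// import ssl
+///
+///
+/// def func(version=ssl.PROTOCOL_TLSv1):
+/// ...
+/// ```
+///
+/// Use instead:
+/// ```python
+/// import ssl
+///
+///
+/// def func(version=ssl.PROTOCOL_TLSv1_2):
+/// ...
+/// ```
+#[violation]
+pub struct SslWithBadDefaults {
+protocol: String,
+}
+
+impl Violation for SslWithBadDefaults {
+#[derive_message_formats]
+fn message(&self) -> String {
+let SslWithBadDefaults { protocol } = self;
+format!("Argument default set to insecure SSL protocol: `{protocol}`")
+}
+}
+
+/// S503
+pub(crate) fn ssl_with_bad_defaults(checker: &mut Checker, function_def: &StmtFunctionDef) {
+function_def
+.parameters
+.posonlyargs
+.iter()
+.chain(
+function_def
+.parameters
+.args
+.iter()
+.chain(function_def.parameters.kwonlyargs.iter()),
+)
+.for_each(|param| {
+if let Some(default) = ¶m.default {
+match default.as_ref() {
+Expr::Name(ast::ExprName { id, range, .. }) => {
+if is_insecure_protocol(id.as_str()) {
+checker.diagnostics.push(Diagnostic::new(
+SslWithBadDefaults {
+protocol: id.to_string(),
+},
+*range,
+));
+}
+}
+Expr::Attribute(ast::ExprAttribute { attr, range, .. }) => {
+if is_insecure_protocol(attr.as_str()) {
+checker.diagnostics.push(Diagnostic::new(
+SslWithBadDefaults {
+protocol: attr.to_string(),
+},
+*range,
+));
+}
+}
+_ => {}
+}
+}
+});
+}
+
+/// Returns `true` if the given protocol name is insecure.
+fn is_insecure_protocol(name: &str) -> bool {
+matches!(
+name,
+"PROTOCOL_SSLv2"
+| "PROTOCOL_SSLv3"
+| "PROTOCOL_TLSv1"
+| "PROTOCOL_TLSv1_1"
+| "SSLv2_METHOD"
+| "SSLv23_METHOD"
+| "SSLv3_METHOD"
+| "TLSv1_METHOD"
+| "TLSv1_1_METHOD"
+)
+}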
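Review bot: The `Expr::Name` and `Expr::Attribute` arms inside the `for_each` closure of `ssl_with_bad_defaults` duplicate the `is_insecure_protocol` test and the `Diagnostic::new` push, differing only in which field carries the name; pulling the name and range out of the `match` first leaves a single test and a single push, as sketched below. Note also that the check keys on the identifier text alone (`SSLv2_METHOD`, `PROTOCOL_TLSv1`, and so on) without consulting the semantic model, so a same-named attribute on an unrelated object is reported while a constant imported under another name is not; that mirrors bandit's heuristic, but it is worth stating in the rule docs, e.g. `/// This rule matches on the name of the default value alone and does not verify that it comes from the ssl or OpenSSL module.` The `Use instead` example recommends `ssl.PROTOCOL_TLSv1_2`, which CPython has deprecated since 3.10 in favour of `ssl.PROTOCOL_TLS_CLIENT` and `ssl.PROTOCOL_TLS_SERVER`, so showing one of those would be the better replacement.
```rust
pub(crate) fn ssl_with_bad_defaults(checker: &mut Checker, function_def: &StmtFunctionDef) {
    // … unchanged: posonlyargs / args / kwonlyargs chain …
        .for_each(|param| {
            let Some(default) = param.default.as_deref() else {
                return;
            };
            let (protocol, range) = match default {
                Expr::Name(ast::ExprName { id, range, .. }) => (id.as_str(), *range),
                Expr::Attribute(ast::ExprAttribute { attr, range, .. }) => (attr.as_str(), *range),
                _ => return,
            };
            if is_insecure_protocol(protocol) {
                checker.diagnostics.push(Diagnostic::new(
                    SslWithBadDefaults {
                        protocol: protocol.to_string(),
                    },
                    range,
                ));
            }
        });
}
```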
32 changes: 32 additions & 0 deletions
32
...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S503_S503.py.snap
@@ -0,0 +1,32 @@ | ||
--- | ||
source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs | ||
--- | ||
S503.py:6:18: S503 Argument default set to insecure SSL protocol: `PROTOCOL_SSLv2` | ||
| | ||
6 | def func(version=ssl.PROTOCOL_SSLv2): # S503 | ||
| ^^^^^^^^^^^^^^^^^^ S503 | ||
7 | pass | ||
| | ||
|
||
S503.py:10:19: S503 Argument default set to insecure SSL protocol: `SSLv2_METHOD` | ||
| | ||
10 | def func(protocol=SSL.SSLv2_METHOD): # S503 | ||
| ^^^^^^^^^^^^^^^^ S503 | ||
11 | pass | ||
| | ||
|
||
S503.py:14:18: S503 Argument default set to insecure SSL protocol: `SSLv23_METHOD` | ||
| | ||
14 | def func(version=SSL.SSLv23_METHOD): # S503 | ||
| ^^^^^^^^^^^^^^^^^ S503 | ||
15 | pass | ||
| | ||
|
||
S503.py:18:19: S503 Argument default set to insecure SSL protocol: `PROTOCOL_TLSv1` | ||
| | ||
18 | def func(protocol=PROTOCOL_TLSv1): # S503 | ||
| ^^^^^^^^^^^^^^ S503 | ||
19 | pass | ||
| | ||
|
||
|