SONARPY-1683 S5547 TLS cipher suite: support urllib3 SSLContext (#204)

GitOrigin-RevId: 45f0086dd063a2e81d7ff517d7d3ead814a1b81f

Author: guillaume-dequenne

python-checks/src/main/java/org/sonar/python/checks/RobustCipherAlgorithmCheck.java

@@ -17,6 +17,7 @@
 package org.sonar.python.checks;
 
 import java.util.LinkedHashSet;
+import java.util.List;
 import java.util.Optional;
 import java.util.Set;
 import java.util.function.Predicate;
@@ -34,17 +35,20 @@
 import org.sonar.plugins.python.api.tree.RegularArgument;
 import org.sonar.plugins.python.api.tree.StringLiteral;
 import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.types.v2.PythonType;
+import org.sonar.plugins.python.api.types.v2.TriBool;
 import org.sonar.python.checks.utils.Expressions;
 import org.sonar.python.tree.StringLiteralImpl;
 import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckBuilder;
 
 // https://jira.sonarsource.com/browse/RSPEC-5547 (general)
 // https://jira.sonarsource.com/browse/RSPEC-5552 (python-specific)
 @Rule(key = "S5547")
 public class RobustCipherAlgorithmCheck extends PythonSubscriptionCheck {
 
   private static final String MESSAGE = "Use a strong cipher algorithm.";
-  private static final Set<String> INSECURE_CIPHERS_PREFIXES = Set.of("cryptography.hazmat.decrepit.ciphers.");
+  private static final String INSECURE_CIPHERS_PREFIX = "cryptography.hazmat.decrepit.ciphers.";
   private static final Set<String> INSECURE_CIPHERS = Set.of(
     "NULL",
     "aNULL",
@@ -98,25 +102,40 @@ public class RobustCipherAlgorithmCheck extends PythonSubscriptionCheck {
     "pyDes.triple_des"
   );
 
+  private List<TypeCheckBuilder> sensitiveCalleesTypeCheckers;
+  private List<TypeCheckBuilder> sslSetCipherTypeCheckers;
+  private TypeCheckBuilder urllibSslContextTypeChecker;
 
 
   @Override
   public void initialize(Context context) {
-    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, RobustCipherAlgorithmCheck::checkCallExpression);
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, ctx -> {
+      sslSetCipherTypeCheckers = SSL_SET_CIPHERS_FQN.stream()
+        .map(fqn -> ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn))
+        .toList();
+      sensitiveCalleesTypeCheckers = SENSITIVE_CALLEE_FQNS.stream()
+        .map(fqn -> ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn))
+        .toList();
+      urllibSslContextTypeChecker = ctx.typeChecker().typeCheckBuilder().isTypeWithFqn("urllib3.util.ssl_.create_urllib3_context");
+    });
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkCallExpression);
   }
 
-  private static void checkCallExpression(SubscriptionContext subscriptionContext) {
+  private void checkCallExpression(SubscriptionContext subscriptionContext) {
     CallExpression callExpr = (CallExpression) subscriptionContext.syntaxNode();
-    Optional.of(callExpr)
-      .map(CallExpression::calleeSymbol)
-      .map(Symbol::fullyQualifiedName)
-      .ifPresent(fullyQualifiedName -> {
-        if (SENSITIVE_CALLEE_FQNS.contains(fullyQualifiedName) || INSECURE_CIPHERS_PREFIXES.stream().anyMatch(fullyQualifiedName::startsWith)) {
-          subscriptionContext.addIssue(callExpr.callee(), MESSAGE);
-        } else if (SSL_SET_CIPHERS_FQN.contains(fullyQualifiedName)) {
-          checkForInsecureCiphers(subscriptionContext, callExpr);
-        }
-      });
+    PythonType calleeType = callExpr.callee().typeV2();
+    String fullyQualifiedName = Optional.ofNullable(callExpr.calleeSymbol()).map(Symbol::fullyQualifiedName).orElse("");
+    if (fullyQualifiedName.startsWith(INSECURE_CIPHERS_PREFIX)) {
+      subscriptionContext.addIssue(callExpr.callee(), MESSAGE);
+    } else if (sensitiveCalleesTypeCheckers.stream().anyMatch(checker -> checker.check(calleeType) == TriBool.TRUE)) {
+      subscriptionContext.addIssue(callExpr.callee(), MESSAGE);
+    } else if (sslSetCipherTypeCheckers.stream().anyMatch(checker -> checker.check(calleeType) == TriBool.TRUE)) {
+      checkForInsecureCiphers(subscriptionContext, callExpr);
+    } else if (urllibSslContextTypeChecker.check(calleeType) == TriBool.TRUE) {
+      Optional.ofNullable(TreeUtils.nthArgumentOrKeyword(4, "ciphers", callExpr.arguments()))
+        .map(RegularArgument::expression)
+        .ifPresent(expression -> processCiphersArgument(subscriptionContext, callExpr, expression));
+    }
   }
 
   private static void checkForInsecureCiphers(SubscriptionContext ctx, CallExpression callExpression) {
@@ -125,18 +144,22 @@ private static void checkForInsecureCiphers(SubscriptionContext ctx, CallExpress
       .map(list -> list.get(0))
       .flatMap(TreeUtils.toOptionalInstanceOfMapper(RegularArgument.class))
       .map(RegularArgument::expression)
-      .map(RobustCipherAlgorithmCheck::unpackArgument)
-      .ifPresent(stringLiteral -> Optional.of(stringLiteral.trimmedQuotesValue())
-        .map(RobustCipherAlgorithmCheck::findInsecureCiphers)
-        .filter(Predicate.not(Set::isEmpty))
-        .ifPresent(insecureCiphers -> {
-          var secondaryMessage = insecureCiphers.size() > 1 ? "The following cipher strings are insecure: " :
-            "The following cipher string is insecure: ";
-          secondaryMessage = insecureCiphers.stream().collect(Collectors.joining("`, `", secondaryMessage + "`", "`"));
+      .ifPresent(expression -> processCiphersArgument(ctx, callExpression, expression));
+  }
 
-          ctx.addIssue(callExpression.callee(), MESSAGE)
-            .secondary(stringLiteral, secondaryMessage);
-        }));
+  private static void processCiphersArgument(SubscriptionContext ctx, CallExpression callExpression, Expression expression) {
+    StringLiteral stringLiteral = unpackArgument(expression);
+    Optional.ofNullable(stringLiteral)
+      .map(StringLiteral::trimmedQuotesValue)
+      .map(RobustCipherAlgorithmCheck::findInsecureCiphers)
+      .filter(Predicate.not(Set::isEmpty))
+      .ifPresent(insecureCiphers -> {
+        var secondaryMessage = insecureCiphers.size() > 1 ? "The following cipher strings are insecure: " :
+          "The following cipher string is insecure: ";
+        secondaryMessage = insecureCiphers.stream().collect(Collectors.joining("`, `", secondaryMessage + "`", "`"));
+        ctx.addIssue(callExpression.callee(), MESSAGE)
+          .secondary(stringLiteral, secondaryMessage);
+      });
   }
 
   @CheckForNull

python-checks/src/test/resources/checks/robustCipherAlgorithm.py

@@ -134,6 +134,9 @@ def pyssl_examples():
   ctx.set_ciphers(ciphers6)  # Noncompliant
 # ^^^^^^^^^^^^^^^
 
+  context = ssl.create_default_context()
+  context.set_ciphers("ECDH+3DES:DH+3DES:RSA+HIGH:RSA+3DES")  # Noncompliant
+
 def py_open_ssl_examples():
     import socket
     from OpenSSL import SSL
@@ -147,6 +150,14 @@ def py_open_ssl_examples():
     ctx.set_cipher_list(ciphers2)  # Noncompliant
 #   ^^^^^^^^^^^^^^^^^^^
 
+
+def urllib3_ssl_context():
+  import urllib3
+  ctx = urllib3.util.ssl_.create_urllib3_context()
+  ctx.set_ciphers("ECDH+3DES:DH+3DES:RSA+HIGH:RSA+3DES")  # Noncompliant
+
+  urllib3.util.ssl_.create_urllib3_context(ciphers="ECDH+3DES:DH+3DES:RSA+HIGH:RSA+3DES")  # Noncompliant
+
 def pycryptodome_compliant():
   from Crypto.Cipher import AES
   key = b'Sixteen byte key'
@@ -184,4 +195,3 @@ def pyssl_compliant(unknown_cipher):
 
   ctx3 = ssl.create_default_context()
   ctx3.set_ciphers("DEFAULT:!eNULL:!aNULL:!MD5")  # Compliant
-

python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/urllib3.protobuf

@@ -18,4 +18,5 @@
 builtins.dict[builtins.str,Any]
 builtins.str"builtins.str
 Any"builtins.dict*$
-poolmanagerurllib3.poolmanager 

+poolmanagerurllib3.poolmanager 
*
+utilurllib3.util 

python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/urllib3.util.protobuf

@@ -0,0 +1,10 @@
+
+urllib3.util*m
+__path__urllib3.util.__path__J
+builtins.list[builtins.str]
+builtins.str"builtins.str"builtins.list*�

+__annotations__urllib3.util.__annotations__W
+builtins.dict[builtins.str,Any]
+builtins.str"builtins.str
+Any"builtins.dict*
+ssl_urllib3.util.ssl_ 

python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/urllib3.util.ssl_.protobuf

@@ -0,0 +1,8 @@
+
+urllib3.util.ssl_d
+create_urllib3_context(urllib3.util.ssl_.create_urllib3_context" 
+ssl.SSLContext"ssl.SSLContext*�

+__annotations__!urllib3.util.ssl_.__annotations__W
+builtins.dict[builtins.str,Any]
+builtins.str"builtins.str
+Any"builtins.dict

python-frontend/src/main/resources/org/sonar/python/types/third_party_protobuf/Xlib.ext.composite.protobuf

@@ -7,17 +7,17 @@
 UnredirectSubindows&Xlib.ext.composite.UnredirectSubindows"Xlib.protocol.rq.Requestj38j39j310j311j312j313�

 CreateRegionFromBorderClip-Xlib.ext.composite.CreateRegionFromBorderClip"Xlib.protocol.rq.Requestj38j39j310j311j312j313m
 NameWindowPixmap#Xlib.ext.composite.NameWindowPixmap"Xlib.protocol.rq.Requestj38j39j310j311j312j313r
-GetOverlayWindow#Xlib.ext.composite.GetOverlayWindow"Xlib.protocol.rq.ReplyRequestj38j39j310j311j312j313�
+GetOverlayWindow#Xlib.ext.composite.GetOverlayWindow"Xlib.protocol.rq.ReplyRequestj38j39j310j311j312j313�

 query_version Xlib.ext.composite.query_version"B
-Xlib.ext.composite.QueryVersion"Xlib.ext.composite.QueryVersion*�

-self
�

-:Union[Xlib.display.Display,Xlib.xobject.resource.Resource]
,
-Xlib.display.Display"Xlib.display.Display@
-Xlib.xobject.resource.Resource"Xlib.xobject.resource.Resourcez38z39z310z311z312z313�
+Xlib.ext.composite.QueryVersion"Xlib.ext.composite.QueryVersion*d
+self
Z
+Union[Xlib.display.Display,Any]
,
+Xlib.display.Display"Xlib.display.Display
+Anyz38z39z310z311z312z313�
 redirect_window"Xlib.ext.composite.redirect_window"
-None*F
-self
<
-Xlib.xobject.drawable.Window"Xlib.xobject.drawable.Window*�

+None*
+self

+Any*�

 update
�

 *TypeAlias[CallableType[builtins.function]]K
 CallableType[builtins.function]&
@@ -27,11 +27,11 @@
 *TypeAlias[CallableType[builtins.function]]K
 CallableType[builtins.function]&
 builtins.function"builtins.function"Xlib._typing.ErrorHandler
-None 
z38z39z310z311z312z313�
+None 
z38z39z310z311z312z313�
 redirect_subwindows&Xlib.ext.composite.redirect_subwindows"
-None*F
-self
<
-Xlib.xobject.drawable.Window"Xlib.xobject.drawable.Window*�

+None*
+self

+Any*�

 update
�

 *TypeAlias[CallableType[builtins.function]]K
 CallableType[builtins.function]&
@@ -41,11 +41,11 @@
 *TypeAlias[CallableType[builtins.function]]K
 CallableType[builtins.function]&
 builtins.function"builtins.function"Xlib._typing.ErrorHandler
-None 
z38z39z310z311z312z313�
+None 
z38z39z310z311z312z313�
 unredirect_window$Xlib.ext.composite.unredirect_window"
-None*F
-self
<
-Xlib.xobject.drawable.Window"Xlib.xobject.drawable.Window*�

+None*
+self

+Any*�

 update
�

 *TypeAlias[CallableType[builtins.function]]K
 CallableType[builtins.function]&
@@ -55,11 +55,11 @@
 *TypeAlias[CallableType[builtins.function]]K
 CallableType[builtins.function]&
 builtins.function"builtins.function"Xlib._typing.ErrorHandler
-None 
z38z39z310z311z312z313�
+None 
z38z39z310z311z312z313�
 unredirect_subwindows(Xlib.ext.composite.unredirect_subwindows"
-None*F
-self
<
-Xlib.xobject.drawable.Window"Xlib.xobject.drawable.Window*�

+None*
+self

+Any*�

 update
�

 *TypeAlias[CallableType[builtins.function]]K
 CallableType[builtins.function]&
@@ -69,23 +69,23 @@
 *TypeAlias[CallableType[builtins.function]]K
 CallableType[builtins.function]&
 builtins.function"builtins.function"Xlib._typing.ErrorHandler
-None 
z38z39z310z311z312z313�
+None 
z38z39z310z311z312z313�
 create_region_from_border_clip1Xlib.ext.composite.create_region_from_border_clip"
-builtins.int"builtins.int*F
-self
<
-Xlib.xobject.drawable.Window"Xlib.xobject.drawable.Window*�

+builtins.int"builtins.int*
+self

+Any*�

 onerror
�

 6Union[TypeAlias[CallableType[builtins.function]],None]
�

 *TypeAlias[CallableType[builtins.function]]K
 CallableType[builtins.function]&
 builtins.function"builtins.function"Xlib._typing.ErrorHandler
-None 
z38z39z310z311z312z313�
-name_window_pixmap%Xlib.ext.composite.name_window_pixmap"<
-Xlib.xobject.drawable.Pixmap"Xlib.xobject.drawable.Pixmap*�

-self
�

-:Union[Xlib.display.Display,Xlib.xobject.resource.Resource]
,
-Xlib.display.Display"Xlib.display.Display@
-Xlib.xobject.resource.Resource"Xlib.xobject.resource.Resource*�

+None 
z38z39z310z311z312z313�
+name_window_pixmap%Xlib.ext.composite.name_window_pixmap"
+Any*d
+self
Z
+Union[Xlib.display.Display,Any]
,
+Xlib.display.Display"Xlib.display.Display
+Any*�

 onerror
�

 6Union[TypeAlias[CallableType[builtins.function]],None]
�

 *TypeAlias[CallableType[builtins.function]]K

python-frontend/src/main/resources/org/sonar/python/types/third_party_protobuf/Xlib.ext.damage.protobuf

@@ -6,48 +6,48 @@
 DamageDestroyXlib.ext.damage.DamageDestroy"Xlib.protocol.rq.Requestj38j39j310j311j312j313f
 DamageSubtractXlib.ext.damage.DamageSubtract"Xlib.protocol.rq.Requestj38j39j310j311j312j313\
 	DamageAddXlib.ext.damage.DamageAdd"Xlib.protocol.rq.Requestj38j39j310j311j312j313`
-DamageNotifyXlib.ext.damage.DamageNotify"Xlib.protocol.rq.Eventj38j39j310j311j312j313�
+DamageNotifyXlib.ext.damage.DamageNotify"Xlib.protocol.rq.Eventj38j39j310j311j312j313�

 query_versionXlib.ext.damage.query_version"<
-Xlib.ext.damage.QueryVersion"Xlib.ext.damage.QueryVersion*�

-self
�

-:Union[Xlib.display.Display,Xlib.xobject.resource.Resource]
,
-Xlib.display.Display"Xlib.display.Display@
-Xlib.xobject.resource.Resource"Xlib.xobject.resource.Resourcez38z39z310z311z312z313�
+Xlib.ext.damage.QueryVersion"Xlib.ext.damage.QueryVersion*d
+self
Z
+Union[Xlib.display.Display,Any]
,
+Xlib.display.Display"Xlib.display.Display
+Anyz38z39z310z311z312z313�

 damage_createXlib.ext.damage.damage_create"
-builtins.int"builtins.int*�

-self
�

-:Union[Xlib.display.Display,Xlib.xobject.resource.Resource]
,
-Xlib.display.Display"Xlib.display.Display@
-Xlib.xobject.resource.Resource"Xlib.xobject.resource.Resource*'
+builtins.int"builtins.int*d
+self
Z
+Union[Xlib.display.Display,Any]
,
+Xlib.display.Display"Xlib.display.Display
+Any*'
 level

-builtins.int"builtins.intz38z39z310z311z312z313�
+builtins.int"builtins.intz38z39z310z311z312z313�

 damage_destroyXlib.ext.damage.damage_destroy"
-None*�

-self
�

-:Union[Xlib.display.Display,Xlib.xobject.resource.Resource]
,
-Xlib.display.Display"Xlib.display.Display@
-Xlib.xobject.resource.Resource"Xlib.xobject.resource.Resource*(
+None*d
+self
Z
+Union[Xlib.display.Display,Any]
,
+Xlib.display.Display"Xlib.display.Display
+Any*(
 damage

-builtins.int"builtins.intz38z39z310z311z312z313�
+builtins.int"builtins.intz38z39z310z311z312z313�
 damage_subtractXlib.ext.damage.damage_subtract"
-None*�

-self
�

-:Union[Xlib.display.Display,Xlib.xobject.resource.Resource]
,
-Xlib.display.Display"Xlib.display.Display@
-Xlib.xobject.resource.Resource"Xlib.xobject.resource.Resource*(
+None*d
+self
Z
+Union[Xlib.display.Display,Any]
,
+Xlib.display.Display"Xlib.display.Display
+Any*(
 damage

 builtins.int"builtins.int**
 repair

 builtins.int"builtins.int 
*)
 parts

-builtins.int"builtins.int 
z38z39z310z311z312z313�
+builtins.int"builtins.int 
z38z39z310z311z312z313�
 
 damage_addXlib.ext.damage.damage_add"
-None*�

-self
�

-:Union[Xlib.display.Display,Xlib.xobject.resource.Resource]
,
-Xlib.display.Display"Xlib.display.Display@
-Xlib.xobject.resource.Resource"Xlib.xobject.resource.Resource*(
+None*d
+self
Z
+Union[Xlib.display.Display,Any]
,
+Xlib.display.Display"Xlib.display.Display
+Any*(
 repair

 builtins.int"builtins.int*'
 parts