SONARPY-2801 TLS cipher suite: Cover PyOpenSSL methods

thomas-serre-sonarsource · sonartech · commit f6cf98b564d4 · 2025-04-16T11:45:51.000Z
GitOrigin-RevId: 60bae9f06836f7341467edadd8b349fff03a2004
diff --git a/python-checks/src/main/java/org/sonar/python/checks/RobustCipherAlgorithmCheck.java b/python-checks/src/main/java/org/sonar/python/checks/RobustCipherAlgorithmCheck.java
@@ -69,7 +69,10 @@ public class RobustCipherAlgorithmCheck extends PythonSubscriptionCheck {
     "DEFAULT@SECLEVEL=1"
   );
 
-  public static final String SSL_SET_CIPHERS_FQN = "ssl.SSLContext.set_ciphers";
+  public static final Set<String> SSL_SET_CIPHERS_FQN = Set.of(
+    "ssl.SSLContext.set_ciphers",
+    "OpenSSL.SSL.Context.set_cipher_list"
+  );
 
   private static final Set<String> SENSITIVE_CALLEE_FQNS = Set.of(
     "Crypto.Cipher.ARC2.new",
@@ -110,7 +113,7 @@ private static void checkCallExpression(SubscriptionContext subscriptionContext)
       .ifPresent(fullyQualifiedName -> {
         if (SENSITIVE_CALLEE_FQNS.contains(fullyQualifiedName) || INSECURE_CIPHERS_PREFIXES.stream().anyMatch(fullyQualifiedName::startsWith)) {
           subscriptionContext.addIssue(callExpr.callee(), MESSAGE);
-        } else if (SSL_SET_CIPHERS_FQN.equals(fullyQualifiedName)) {
+        } else if (SSL_SET_CIPHERS_FQN.contains(fullyQualifiedName)) {
           checkForInsecureCiphers(subscriptionContext, callExpr);
         }
       });
diff --git a/python-checks/src/test/resources/checks/robustCipherAlgorithm.py b/python-checks/src/test/resources/checks/robustCipherAlgorithm.py
@@ -134,6 +134,19 @@ def pyssl_examples():
   ctx.set_ciphers(ciphers6)  # Noncompliant
 # ^^^^^^^^^^^^^^^
 
+def py_open_ssl_examples():
+    import socket
+    from OpenSSL import SSL
+
+    ctx = SSL.Context(SSL.TLS1_3_VERSION)
+    ctx.set_cipher_list(b"@SECLEVEL=0")  # Noncompliant
+#   ^^^^^^^^^^^^^^^^^^^
+
+    ciphers2 = b'ECDHE:RSA:AES256:LOW:ECDHE-RSA-AES256-SHA'
+#              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^> {{The following cipher strings are insecure: `LOW`, `SHA`}}
+    ctx.set_cipher_list(ciphers2)  # Noncompliant
+#   ^^^^^^^^^^^^^^^^^^^
+
 def pycryptodome_compliant():
   from Crypto.Cipher import AES
   key = b'Sixteen byte key'
diff --git a/python-frontend/typeshed_serializer/resources/custom/OpenSSL/SSL.pyi b/python-frontend/typeshed_serializer/resources/custom/OpenSSL/SSL.pyi
@@ -6,7 +6,7 @@ VERIFY_NONE: int
 
 class Context(CustomStubBase):
     def set_verify(self, *args, **kwargs) -> None: ...
-
+    def set_cipher_list(self, *args, **kwargs) -> None: ...
 
 class Connection(CustomStubBase):
     ...
