astral-sh · charliermarsh · Jan 5, 2024 · Jan 4, 2024 · Jan 4, 2024 · Jan 4, 2024
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S502.py b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S502.py
@@ -0,0 +1,33 @@
+import ssl
+from ssl import wrap_socket
+from OpenSSL import SSL
+from OpenSSL.SSL import Context
+
+wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)  # S502
+ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+SSL.Context(method=SSL.SSLv2_METHOD)  # S502
+SSL.Context(method=SSL.SSLv23_METHOD)  # S502
+Context(method=SSL.SSLv3_METHOD)  # S502
+Context(method=SSL.TLSv1_METHOD)  # S502
+
+
+def func():
+    pass
+
+
+func(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+func(ssl_version=ssl.PROTOCOL_SSLv3)  # S502
+func(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+func(method=SSL.SSLv2_METHOD)  # S502
+func(method=SSL.SSLv23_METHOD)  # S502
+func(method=SSL.SSLv3_METHOD)  # S502
+func(method=SSL.TLSv1_METHOD)  # S502
+
+wrap_socket(ssl_version=ssl.PROTOCOL_TLS_CLIENT)  # OK
+SSL.Context(method=SSL.TLS_SERVER_METHOD)  # OK
+func(ssl_version=ssl.PROTOCOL_TLSv1_2)  # OK
+
+
+
+
diff --git a/crates/ruff_linter/src/checkers/ast/analyze/expression.rs b/crates/ruff_linter/src/checkers/ast/analyze/expression.rs
@@ -968,6 +968,9 @@ pub(crate) fn expression(expr: &Expr, checker: &mut Checker) {
             if checker.enabled(Rule::SslWithNoVersion) {
                 flake8_bandit::rules::ssl_with_no_version(checker, call);
             }
+            if checker.enabled(Rule::SslInsecureVersion) {
+                flake8_bandit::rules::ssl_insecure_version(checker, call);
+            }
         }
         Expr::Dict(dict) => {
             if checker.any_enabled(&[

diff --git a/crates/ruff_linter/src/codes.rs b/crates/ruff_linter/src/codes.rs
@@ -642,6 +642,7 @@ pub fn code_to_rule(linter: Linter, code: &str) -> Option<(RuleGroup, Rule)> {
         (Flake8Bandit, "413") => (RuleGroup::Preview, rules::flake8_bandit::rules::SuspiciousPycryptoImport),
         (Flake8Bandit, "415") => (RuleGroup::Preview, rules::flake8_bandit::rules::SuspiciousPyghmiImport),
         (Flake8Bandit, "501") => (RuleGroup::Stable, rules::flake8_bandit::rules::RequestWithNoCertValidation),
+        (Flake8Bandit, "502") => (RuleGroup::Preview, rules::flake8_bandit::rules::SslInsecureVersion),
         (Flake8Bandit, "504") => (RuleGroup::Preview, rules::flake8_bandit::rules::SslWithNoVersion),
         (Flake8Bandit, "505") => (RuleGroup::Preview, rules::flake8_bandit::rules::WeakCryptographicKey),
         (Flake8Bandit, "506") => (RuleGroup::Stable, rules::flake8_bandit::rules::UnsafeYAMLLoad),

diff --git a/crates/ruff_linter/src/rules/flake8_bandit/mod.rs b/crates/ruff_linter/src/rules/flake8_bandit/mod.rs
@@ -36,6 +36,7 @@ mod tests {
     #[test_case(Rule::SSHNoHostKeyVerification, Path::new("S507.py"))]
     #[test_case(Rule::SnmpInsecureVersion, Path::new("S508.py"))]
     #[test_case(Rule::SnmpWeakCryptography, Path::new("S509.py"))]
+    #[test_case(Rule::SslInsecureVersion, Path::new("S502.py"))]
     #[test_case(Rule::SslWithNoVersion, Path::new("S504.py"))]
     #[test_case(Rule::StartProcessWithAShell, Path::new("S605.py"))]
     #[test_case(Rule::StartProcessWithNoShell, Path::new("S606.py"))]

diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/mod.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/mod.rs
@@ -20,6 +20,7 @@ pub(crate) use shell_injection::*;
 pub(crate) use snmp_insecure_version::*;
 pub(crate) use snmp_weak_cryptography::*;
 pub(crate) use ssh_no_host_key_verification::*;
+pub(crate) use ssl_insecure_version::*;
 pub(crate) use ssl_with_no_version::*;
 pub(crate) use suspicious_function_call::*;
 pub(crate) use suspicious_imports::*;
@@ -51,6 +52,7 @@ mod shell_injection;
 mod snmp_insecure_version;
 mod snmp_weak_cryptography;
 mod ssh_no_host_key_verification;
+mod ssl_insecure_version;
 mod ssl_with_no_version;
 mod suspicious_function_call;
 mod suspicious_imports;

diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/ssl_insecure_version.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/ssl_insecure_version.rs
@@ -0,0 +1,119 @@
+use ruff_diagnostics::{Diagnostic, Violation};
+use ruff_macros::{derive_message_formats, violation};
+use ruff_python_ast::{self as ast, Expr, ExprCall};
+use ruff_python_semantic::analyze::typing::find_assigned_value;
+
+use crate::checkers::ast::Checker;
+
+/// ## What it does
+/// Checks for calls to Python methods with parameters that indicate the used broken SSL/TLS
+/// protocol versions.
+///
+/// ## Why is this bad?
+/// Several highly publicized exploitable flaws have been discovered in all versions of SSL and
+/// early versions of TLS. It is strongly recommended that use of the following known broken
+/// protocol versions be avoided:
+///     - SSL v2
+///     - SSL v3
+///     - TLS v1
+///     - TLS v1.1
+///
+/// ## Example
+/// ```python
+/// import ssl
+///
+/// ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)
+/// ```
+///
+/// Use instead:
+/// ```python
+/// import ssl
+///
+/// ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2)
+/// ```
+#[violation]
+pub struct SslInsecureVersion {
+    protocol: String,
+}
+
+impl Violation for SslInsecureVersion {
+    #[derive_message_formats]
+    fn message(&self) -> String {
+        format!("Call made with insecure SSL protocol: {}", self.protocol)
+    }
+}
+
+const INSECURE_SSL_PROTOCOLS: &[&str] = &[
+    "PROTOCOL_SSLv2",
+    "PROTOCOL_SSLv3",
+    "PROTOCOL_TLSv1",
+    "PROTOCOL_TLSv1_1",
+    "SSLv2_METHOD",
+    "SSLv23_METHOD",
+    "SSLv3_METHOD",
+    "TLSv1_METHOD",
+    "TLSv1_1_METHOD",
+];
+
+/// S502
+pub(crate) fn ssl_insecure_version(checker: &mut Checker, call: &ExprCall) {
+    let keywords = match checker.semantic().resolve_call_path(call.func.as_ref()) {
+        Some(call_path) => match *call_path.as_slice() {
+            ["ssl", "wrap_socket"] => vec!["ssl_version"],
+            ["OpenSSL", "SSL", "Context"] => vec!["method"],
+            _ => vec!["ssl_version", "method"],
+        },
+        None => vec!["ssl_version", "method"],
+    };
+
+    for arg in keywords {
+        let Some(keyword) = call.arguments.find_keyword(arg) else {
+            continue;
+        };
+        match &keyword.value {
+            Expr::Name(ast::ExprName { id, .. }) => {
+                let Some(val) = find_assigned_value(id, checker.semantic()) else {
+                    continue;
+                };
+                match val {
+                    Expr::Name(ast::ExprName { id, .. }) => {
+                        if INSECURE_SSL_PROTOCOLS.contains(&id.as_str()) {
+                            checker.diagnostics.push(Diagnostic::new(
+                                SslInsecureVersion {
+                                    protocol: id.to_string(),
+                                },
+                                keyword.range,
+                            ));
+                        }
+                    }
+                    Expr::Attribute(ast::ExprAttribute { attr, .. }) => {
+                        if INSECURE_SSL_PROTOCOLS.contains(&attr.as_str()) {
+                            checker.diagnostics.push(Diagnostic::new(
+                                SslInsecureVersion {
+                                    protocol: attr.to_string(),
+                                },
+                                keyword.range,
+                            ));
+                        }
+                    }
+                    _ => {
+                        continue;
+                    }
+                }
+            }
+            Expr::Attribute(ast::ExprAttribute { attr, .. }) => {
+                if INSECURE_SSL_PROTOCOLS.contains(&attr.as_str()) {
+                    checker.diagnostics.push(Diagnostic::new(
+                        SslInsecureVersion {
+                            protocol: attr.to_string(),
+                        },
+                        keyword.range,
+                    ));
+                }
+            }
+            _ => {
+                continue;
+            }
+        }
+    }
+}
diff --git a/...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S502_S502.py.snap b/...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S502_S502.py.snap
@@ -0,0 +1,136 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+---
+S502.py:6:13: S502 Call made with insecure SSL protocol: PROTOCOL_SSLv3
+  |
+4 | from OpenSSL.SSL import Context
+5 | 
+6 | wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)  # S502
+  |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S502
+7 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+8 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+  |
+
+S502.py:7:17: S502 Call made with insecure SSL protocol: PROTOCOL_TLSv1
+  |
+6 | wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)  # S502
+7 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+  |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S502
+8 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+9 | SSL.Context(method=SSL.SSLv2_METHOD)  # S502
+  |
+
+S502.py:8:17: S502 Call made with insecure SSL protocol: PROTOCOL_SSLv2
+   |
+ 6 | wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)  # S502
+ 7 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+ 8 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+   |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S502
+ 9 | SSL.Context(method=SSL.SSLv2_METHOD)  # S502
+10 | SSL.Context(method=SSL.SSLv23_METHOD)  # S502
+   |
+
+S502.py:9:13: S502 Call made with insecure SSL protocol: SSLv2_METHOD
+   |
+ 7 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+ 8 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+ 9 | SSL.Context(method=SSL.SSLv2_METHOD)  # S502
+   |             ^^^^^^^^^^^^^^^^^^^^^^^ S502
+10 | SSL.Context(method=SSL.SSLv23_METHOD)  # S502
+11 | Context(method=SSL.SSLv3_METHOD)  # S502
+   |
+
+S502.py:10:13: S502 Call made with insecure SSL protocol: SSLv23_METHOD
+   |
+ 8 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+ 9 | SSL.Context(method=SSL.SSLv2_METHOD)  # S502
+10 | SSL.Context(method=SSL.SSLv23_METHOD)  # S502
+   |             ^^^^^^^^^^^^^^^^^^^^^^^^ S502
+11 | Context(method=SSL.SSLv3_METHOD)  # S502
+12 | Context(method=SSL.TLSv1_METHOD)  # S502
+   |
+
+S502.py:11:9: S502 Call made with insecure SSL protocol: SSLv3_METHOD
+   |
+ 9 | SSL.Context(method=SSL.SSLv2_METHOD)  # S502
+10 | SSL.Context(method=SSL.SSLv23_METHOD)  # S502
+11 | Context(method=SSL.SSLv3_METHOD)  # S502
+   |         ^^^^^^^^^^^^^^^^^^^^^^^ S502
+12 | Context(method=SSL.TLSv1_METHOD)  # S502
+   |
+
+S502.py:12:9: S502 Call made with insecure SSL protocol: TLSv1_METHOD
+   |
+10 | SSL.Context(method=SSL.SSLv23_METHOD)  # S502
+11 | Context(method=SSL.SSLv3_METHOD)  # S502
+12 | Context(method=SSL.TLSv1_METHOD)  # S502
+   |         ^^^^^^^^^^^^^^^^^^^^^^^ S502
+   |
+
+S502.py:19:6: S502 Call made with insecure SSL protocol: PROTOCOL_SSLv2
+   |
+19 | func(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+   |      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S502
+20 | func(ssl_version=ssl.PROTOCOL_SSLv3)  # S502
+21 | func(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+   |
+
+S502.py:20:6: S502 Call made with insecure SSL protocol: PROTOCOL_SSLv3
+   |
+19 | func(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+20 | func(ssl_version=ssl.PROTOCOL_SSLv3)  # S502
+   |      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S502
+21 | func(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+22 | func(method=SSL.SSLv2_METHOD)  # S502
+   |
+
+S502.py:21:6: S502 Call made with insecure SSL protocol: PROTOCOL_TLSv1
+   |
+19 | func(ssl_version=ssl.PROTOCOL_SSLv2)  # S502
+20 | func(ssl_version=ssl.PROTOCOL_SSLv3)  # S502
+21 | func(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+   |      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S502
+22 | func(method=SSL.SSLv2_METHOD)  # S502
+23 | func(method=SSL.SSLv23_METHOD)  # S502
+   |
+
+S502.py:22:6: S502 Call made with insecure SSL protocol: SSLv2_METHOD
+   |
+20 | func(ssl_version=ssl.PROTOCOL_SSLv3)  # S502
+21 | func(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+22 | func(method=SSL.SSLv2_METHOD)  # S502
+   |      ^^^^^^^^^^^^^^^^^^^^^^^ S502
+23 | func(method=SSL.SSLv23_METHOD)  # S502
+24 | func(method=SSL.SSLv3_METHOD)  # S502
+   |
+
+S502.py:23:6: S502 Call made with insecure SSL protocol: SSLv23_METHOD
+   |
+21 | func(ssl_version=ssl.PROTOCOL_TLSv1)  # S502
+22 | func(method=SSL.SSLv2_METHOD)  # S502
+23 | func(method=SSL.SSLv23_METHOD)  # S502
+   |      ^^^^^^^^^^^^^^^^^^^^^^^^ S502
+24 | func(method=SSL.SSLv3_METHOD)  # S502
+25 | func(method=SSL.TLSv1_METHOD)  # S502
+   |
+
+S502.py:24:6: S502 Call made with insecure SSL protocol: SSLv3_METHOD
+   |
+22 | func(method=SSL.SSLv2_METHOD)  # S502
+23 | func(method=SSL.SSLv23_METHOD)  # S502
+24 | func(method=SSL.SSLv3_METHOD)  # S502
+   |      ^^^^^^^^^^^^^^^^^^^^^^^ S502
+25 | func(method=SSL.TLSv1_METHOD)  # S502
+   |
+
+S502.py:25:6: S502 Call made with insecure SSL protocol: TLSv1_METHOD
+   |
+23 | func(method=SSL.SSLv23_METHOD)  # S502
+24 | func(method=SSL.SSLv3_METHOD)  # S502
+25 | func(method=SSL.TLSv1_METHOD)  # S502
+   |      ^^^^^^^^^^^^^^^^^^^^^^^ S502
+26 | 
+27 | wrap_socket(ssl_version=ssl.PROTOCOL_TLS_CLIENT)  # OK
+   |
+
+
diff --git a/ruff.schema.json b/ruff.schema.json