import go
import semmle.go.dataflow.barrierguardutil.RegexpCheck
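/**
 * Provides sources, sinks and sanitizers for reasoning about improper LDAP
 * authentication (an untrusted or empty password reaching an LDAP bind), plus the
 * abstract classes `LdapAuthSink` / `LdapSanitizer` as extension points.
 */
module ImproperLdapAuth {
  /**
   * A sink that is vulnerable to improper LDAP authentication vulnerabilities.
   *
   * Extend this class to model additional LDAP bind APIs. By default only the
   * password argument of `gopkg.in/ldap.v2`'s `Conn.Bind` is modelled
   * (see `GoLdapBindSink`).
   */
  abstract class LdapAuthSink extends DataFlow::Node { }

  /**
   * A sanitizer node that prevents improper LDAP authentication attacks: a value
   * that has been checked (e.g. compared against a constant, or matched against a
   * regexp) before reaching a bind call.
   */
  abstract class LdapSanitizer extends DataFlow::Node { }

  /**
   * The second argument of `gopkg.in/ldap.v2`'s `Conn.Bind` method.
   *
   * Only the `gopkg.in/ldap.v2` import path is matched. The same method reached
   * through a different import path or major version of the `go-ldap` library is
   * NOT covered by this class and would need a further `LdapAuthSink` subclass.
   *
   * Argument index 1 is taken to be the password of `Bind(username, password)`;
   * the username argument is deliberately not a sink.
   */
  private class GoLdapBindSink extends LdapAuthSink {
    GoLdapBindSink() {
      exists(Method meth |
        meth.hasQualifiedName("gopkg.in/ldap.v2", "Conn", "Bind") and
        this = meth.getACall().getArgument(1)
      )
    }
  }

  /**
   * A call to a regexp match function, considered as a barrier guard for sanitizing
   * untrusted bind credentials.
   *
   * This is overapproximate: we do not attempt to reason about the correctness of
   * the regexp. In particular, a pattern that also accepts the empty string would
   * still be treated as a sanitizer here, so an empty-password bind guarded only by
   * such a check is not reported.
   */
  class RegexpCheckAsBarrierGuard extends RegexpCheckBarrier, LdapSanitizer { }

  /**
   * An expression whose constant string value is the empty string `""`.
   *
   * Used as a taint source (an empty password flowing to `Bind` is the
   * unauthenticated-bind case this module is about) and to choose the polarity of
   * the equality-check sanitizer below.
   */
  class EmptyString extends DataFlow::Node {
    EmptyString() { this.asExpr().getStringValue() = "" }
  }

  /**
   * Holds if `g` is an equality test between a non-constant operand `e` and a
   * constant operand, and `outcome` is the branch on which `e` counts as sanitized:
   *
   * - against a non-empty constant (`pw == "x"`): the branch where the equality
   *   holds;
   * - against the empty string (`pw == ""` / `pw != ""`): the branch where the
   *   equality does NOT hold, i.e. where `pw` is known to be non-empty.
   */
  private predicate equalityAsSanitizerGuard(DataFlow::Node g, Expr e, boolean outcome) {
    exists(DataFlow::Node nonConstNode, DataFlow::Node constNode, DataFlow::EqualityTestNode eq |
      g = eq and
      nonConstNode = eq.getAnOperand() and
      not nonConstNode.isConst() and
      constNode = eq.getAnOperand() and
      constNode.isConst() and
      e = nonConstNode.asExpr() and
      (
        // Non-empty constant: sanitized on the branch where the comparison succeeds.
        not constNode instanceof EmptyString and outcome = eq.getPolarity()
        or
        // Empty string: sanitized on the branch where the comparison fails (value is non-empty).
        constNode instanceof EmptyString and outcome = eq.getPolarity().booleanNot()
      )
    )
  }

  /**
   * An equality check comparing a data-flow node against a constant, considered as
   * a barrier guard for sanitizing untrusted user input.
   *
   * Note that `isConst()` accepts any constant operand, not only strings, and that
   * the guard only establishes that the value equals a specific constant (or is
   * non-empty) -- it does not establish that it is a valid credential.
   */
  class EqualityAsSanitizerGuard extends LdapSanitizer {
    EqualityAsSanitizerGuard() {
      this = DataFlow::BarrierGuard<equalityAsSanitizerGuard/3>::getABarrierNode()
    }
  }

  /**
   * Taint-tracking configuration: sources enabled by the active threat model and
   * empty-string expressions flow to `LdapAuthSink`s, blocked at `LdapSanitizer`s.
   */
  private module Config implements DataFlow::ConfigSig {
    // Untrusted input, or a literal empty password.
    predicate isSource(DataFlow::Node source) {
      source instanceof ActiveThreatModelSource or source instanceof EmptyString
    }

    predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink }

    predicate isBarrier(DataFlow::Node node) { node instanceof LdapSanitizer }

    // Opt in to diff-informed incremental evaluation.
    predicate observeDiffInformedIncrementalMode() { any() }
  }

  /**
   * Tracks taint flow for reasoning about improper LDAP authentication
   * vulnerabilities with sinks which are not sanitized by string comparisons.
   */
  module Flow = TaintTracking::Global<Config>;
}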