Query to detect LDAP injections in Java

Cleanup

java/ql/src/Security/CWE/CWE-90/LdapInjectionLib.qll

@@ -6,7 +6,6 @@ import semmle.code.java.frameworks.UnboundId
 import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.frameworks.ApacheLdap
 
-
 /** Holds if the parameter of `c` at index `paramIndex` is varargs. */
 bindingset[paramIndex]
 predicate isVarargs(Callable c, int paramIndex) {
@@ -20,8 +19,8 @@ abstract class LdapInjectionSource extends DataFlow::Node { }
 abstract class LdapInjectionSink extends DataFlow::ExprNode { }
 
 /**
-* A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
+ * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
-*/
+ */
 class LdapInjectionFlowConfig extends TaintTracking::Configuration {
   LdapInjectionFlowConfig() { this = "LdapInjectionFlowConfig" }
 
@@ -79,7 +78,7 @@ class JndiLdapInjectionSink extends LdapInjectionSink {
     |
       m.getDeclaringType().getAnAncestor() instanceof TypeDirContext and
       m.hasName("search") and
-      index in [0..1]
+      index in [0 .. 1]
     )
   }
 }
@@ -129,16 +128,13 @@ class SpringLdapInjectionSink extends LdapInjectionSink {
       ) and
       (
         // Parameter index is 1 (DN or query) or 2 (filter) if method is not authenticate
-        (
+        index in [0 .. 1] and
-          index in [0..1] and
+        not m instanceof MethodSpringLdapTemplateAuthenticate
-          not m instanceof MethodSpringLdapTemplateAuthenticate
+        or
-        ) or
         // But it's not the last parameter in case of authenticate method (last param is password)
-        (
+        index in [0 .. 1] and
-          index in [0..1] and
+        index < m.getNumberOfParameters() - 1 and
-          index < m.getNumberOfParameters() - 1 and
+        m instanceof MethodSpringLdapTemplateAuthenticate
-          m instanceof MethodSpringLdapTemplateAuthenticate
-        )
       )
     )
   }
@@ -442,4 +438,4 @@ predicate apacheLdapDnGetStep(ExprNode n1, ExprNode n2) {
     m.getDeclaringType().getAnAncestor() instanceof TypeApacheDn and
     (m.hasName("getName") or m.hasName("getNormName") or m.hasName("toString"))
   )
-}
+}

java/ql/src/semmle/code/java/frameworks/ApacheLdap.qll

@@ -23,7 +23,5 @@ class TypeApacheSearchRequest extends Interface {
 
 /** The class `org.apache.directory.api.ldap.model.name.Dn`. */
 class TypeApacheDn extends Class {
-  TypeApacheDn() {
+  TypeApacheDn() { this.hasQualifiedName("org.apache.directory.api.ldap.model.name", "Dn") }
-    this.hasQualifiedName("org.apache.directory.api.ldap.model.name", "Dn")
+}
-  }
-}

java/ql/src/semmle/code/java/frameworks/Jndi.qll

@@ -56,4 +56,4 @@ class MethodLdapNameToString extends Method {
     getDeclaringType() instanceof TypeLdapName and
     hasName("toString")
   }
-}
+}

java/ql/src/semmle/code/java/frameworks/SpringLdap.qll

@@ -9,7 +9,9 @@ import semmle.code.java.Member
 /*--- Types ---*/
 /** The class `org.springframework.ldap.core.LdapTemplate`. */
 class TypeSpringLdapTemplate extends Class {
-  TypeSpringLdapTemplate() { this.hasQualifiedName("org.springframework.ldap.core", "LdapTemplate") }
+  TypeSpringLdapTemplate() {
+    this.hasQualifiedName("org.springframework.ldap.core", "LdapTemplate")
+  }
 }
 
 /** The class `org.springframework.ldap.query.LdapQueryBuilder`. */
@@ -188,4 +190,4 @@ class MethodSpringLdapUtilsNewLdapName extends Method {
     getDeclaringType() instanceof TypeSpringLdapUtils and
     hasName("newLdapName")
   }
-}
+}

java/ql/src/semmle/code/java/frameworks/UnboundId.qll

@@ -110,4 +110,4 @@ class MethodUnboundIdLDAPConnectionSearchForEntry extends Method {
     getDeclaringType() instanceof TypeUnboundIdLDAPConnection and
     hasName("searchForEntry")
   }
-}
+}