Fix tests and add global option

2026-04-30 11:15:13 +02:00 · 2021-09-12 20:35:57 +02:00
parent 54012eba23
commit 18b05bc56e
5 changed files with 35 additions and 4 deletions
--- a/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
@@ -88,6 +88,11 @@ private module LDAP {
      result.(DataFlow::AttrRead).getAttributeName() instanceof LDAP2BindMethods
    }

+    /**List of SSL-demanding options */
+    private class LDAPSSLOptions extends DataFlow::Node {
+      LDAPSSLOptions() { this = ldap().getMember("OPT_X_TLS_" + ["DEMAND", "HARD"]).getAUse() }
+    }
+
    /**
     * A class to find `ldap` methods binding a connection.
     *
@@ -111,6 +116,8 @@ private module LDAP {
      override predicate useSSL() {
        // use initialize to correlate `this` and so avoid FP in several instances
        exists(DataFlow::CallCfgNode initialize |
+          ldap().getMember("set_option").getACall().getArg(_) instanceof LDAPSSLOptions
+          or
          this.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() = initialize and
          initialize = ldapInitialize().getACall() and
          (
@@ -126,7 +133,7 @@ private module LDAP {
              setOption.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() =
                initialize and
              setOption.getFunction().(DataFlow::AttrRead).getAttributeName() = "set_option" and
-              setOption.getArg(0) = ldap().getMember("OPT_X_TLS_" + ["DEMAND", "HARD"]).getAUse() and
+              setOption.getArg(0) instanceof LDAPSSLOptions and
              not DataFlow::exprNode(any(False falseExpr))
                  .(DataFlow::LocalSourceNode)
                  .flowsTo(setOption.getArg(1))
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_global.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_global.py
@@ -0,0 +1,24 @@
+import ldap
+from flask import request, Flask
+
+app = Flask(__name__)
+
+# GOOD
+
+# SSL through ldap global variable option
+
+ldap.set_option(ldap.OPT_X_TLS_DEMAND)
+
+
+@app.route("/one")
+def one():
+    ldap_connection_5 = ldap.initialize("ldap://somethingon.theinternet.com")
+    ldap_connection_5.simple_bind_s('', '')
+    user = ldap_connection_5.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_private.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_private.py
@@ -54,7 +54,7 @@ def one_bad():
@app.route("/one_bad_2")
 def one_bad_2():
    ldap_connection_4 = ldap.initialize(schema + remote_host)
-    ldap_connection_4.set_option(ldap.OPT_X_TLS_NEVER)
+    ldap_connection_4.set_option(ldap.OPT_X_TLS_NEVER, True)
    ldap_connection_4.simple_bind_s('', '')
    user = ldap_connection_4.search_s(
        "dn", ldap.SCOPE_SUBTREE, "search_filter")
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_remote.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_remote.py
@@ -54,7 +54,7 @@ def one_bad():
@app.route("/one_bad_2")
 def one_bad_2():
    ldap_connection_8 = ldap.initialize(schema + remote_host)
-    ldap_connection_8.set_option(ldap.OPT_X_TLS_NEVER)
+    ldap_connection_8.set_option(ldap.OPT_X_TLS_NEVER, True)
    ldap_connection_8.simple_bind_s('', '')
    user = ldap_connection_8.search_s(
        "dn", ldap.SCOPE_SUBTREE, "search_filter")
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_remote.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_remote.py
@@ -13,7 +13,7 @@ full_host = "ldap://somethingon.theinternet.com"

@app.route("/one")
 def one():
-    srv = Server("ldap://somethingon.theinternet.com", port=1337, True)
+    srv = Server("ldap://somethingon.theinternet.com", 1337, True)
    conn = Connection(srv, "dn", "password")
    conn.search("dn", "search_filter")
    return conn.response