Simplify query

2025-12-20 10:46:30 +01:00 · 2021-04-06 15:42:56 +02:00
parent 9b430310b4
commit 1bcb9cd7c0
4 changed files with 9 additions and 48 deletions
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -14,11 +14,7 @@ import python
 import experimental.semmle.python.security.injection.LDAPInjection
 import DataFlow::PathGraph

-from
-  LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  LDAPInjectionSink castedSink
-where
-  config.hasFlowPath(source, sink) and
-  castedSink.getLDAPNode() = sink.getNode()
-select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@.", castedSink, "This",
-  source.getNode(), "a user-provided value", castedSink.getLDAPNode(), castedSink.getLDAPPart()
+from LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ LDAP query parameter comes from $@.", sink.getNode(),
+  "This", source.getNode(), "a user-provided value"
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -13,13 +13,10 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
-private import semmle.python.ApiGraphs

 module LDAPQuery {
  abstract class Range extends DataFlow::Node {
    abstract DataFlow::Node getLDAPNode();
-
-    abstract string getLDAPPart();
  }
 }

@@ -29,8 +26,6 @@ class LDAPQuery extends DataFlow::Node {
  LDAPQuery() { this = range }

  DataFlow::Node getLDAPNode() { result = range.getLDAPNode() }
-
-  string getLDAPPart() { result = range.getLDAPPart() }
 }

 module LDAPEscape {
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -20,7 +20,6 @@ private module LDAP {

    private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
      DataFlow::Node ldapNode;
-      string ldapPart;

      LDAP2Query() {
        exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode initCall |
@@ -29,21 +28,17 @@ private module LDAP {
          initCall = searchMethod.getObject().getALocalSource() and
          searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
          (
-            ldapNode = this.getArg(0) and
-            ldapPart = "DN"
+            ldapNode = this.getArg(0)
            or
            (
              ldapNode = this.getArg(2) or
              ldapNode = this.getArgByName("filterstr")
-            ) and
-            ldapPart = "search_filter"
+            )
          )
        )
      }

      override DataFlow::Node getLDAPNode() { result = ldapNode }
-
-      override string getLDAPPart() { result = ldapPart }
    }

    private class LDAP2EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
@@ -71,7 +66,6 @@ private module LDAP {

    private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
      DataFlow::Node ldapNode;
-      string ldapPart;

      LDAP3Query() {
        exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode connCall |
@@ -80,18 +74,13 @@ private module LDAP {
          connCall = searchMethod.getObject().getALocalSource() and
          searchMethod.getAttributeName() instanceof LDAP3QueryMethods and
          (
-            ldapNode = this.getArg(0) and
-            ldapPart = "DN"
+            ldapNode = this.getArg(0) or
+            ldapNode = this.getArg(1)
          )
-          or
-          ldapNode = this.getArg(1) and
-          ldapPart = "search_filter"
        )
      }

      override DataFlow::Node getLDAPNode() { result = ldapNode }
-
-      override string getLDAPPart() { result = ldapPart }
    }

    private class LDAP3EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
--- a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
@@ -8,23 +8,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources

-class LDAPInjectionSink extends DataFlow::Node {
-  DataFlow::Node ldapNode;
-  string ldapPart;
-
-  LDAPInjectionSink() {
-    exists(LDAPQuery ldapQuery |
-      this = ldapQuery and
-      ldapNode = ldapQuery.getLDAPNode() and
-      ldapPart = ldapQuery.getLDAPPart()
-    )
-  }
-
-  DataFlow::Node getLDAPNode() { result = ldapNode }
-
-  string getLDAPPart() { result = ldapPart }
-}
-
 /**
 * A taint-tracking configuration for detecting regular expression injections.
 */
@@ -33,9 +16,7 @@ class LDAPInjectionFlowConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(LDAPInjectionSink ldapInjSink).getLDAPNode()
-  }
+  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery ldapQuery).getLDAPNode() }

  override predicate isSanitizer(DataFlow::Node sanitizer) {
    sanitizer = any(LDAPEscape ldapEsc).getEscapeNode()