From 4d9ce498164a81865ce0cb071025e12f1cd290ee Mon Sep 17 00:00:00 2001 From: pupiles Date: Wed, 10 Nov 2021 14:12:45 +0800 Subject: [PATCH] use stubs libs && add heuristic sanitizers --- .../CWE-090/LDAPInjectction.expected | 53 +++++++---- .../experimental/CWE-090/LDAPInjectction.go | 90 +++++++++++++++---- ql/test/experimental/CWE-090/go.mod | 11 +++ .../vendor/github.com/go-ldap/ldap/stub.go | 38 ++++++++ .../vendor/github.com/go-ldap/ldap/v3/stub.go | 38 ++++++++ .../github.com/jtblin/go-ldap-client/stub.go | 43 +++++++++ .../depstubber_reflect_635541987/go.mod | 11 +++ .../depstubber_reflect_635541987/prog.go | 79 ++++++++++++++++ .../CWE-090/vendor/gopkg.in/ldap.v2/stub.go | 38 ++++++++ .../experimental/CWE-090/vendor/modules.txt | 15 ++++ 10 files changed, 382 insertions(+), 34 deletions(-) create mode 100644 ql/test/experimental/CWE-090/go.mod create mode 100644 ql/test/experimental/CWE-090/vendor/github.com/go-ldap/ldap/stub.go create mode 100644 ql/test/experimental/CWE-090/vendor/github.com/go-ldap/ldap/v3/stub.go create mode 100644 ql/test/experimental/CWE-090/vendor/github.com/jtblin/go-ldap-client/stub.go create mode 100644 ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/depstubber_reflect_635541987/go.mod create mode 100644 ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/depstubber_reflect_635541987/prog.go create mode 100644 ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/stub.go create mode 100644 ql/test/experimental/CWE-090/vendor/modules.txt diff --git a/ql/test/experimental/CWE-090/LDAPInjectction.expected b/ql/test/experimental/CWE-090/LDAPInjectction.expected index 76f46835b2c..8cc69b835dc 100644 --- a/ql/test/experimental/CWE-090/LDAPInjectction.expected +++ b/ql/test/experimental/CWE-090/LDAPInjectction.expected 
@@ -1,22 +1,37 @@ edges -| LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:21:3:21:51 | ...+... | -| LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:22:3:22:33 | slice literal | -| LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:28:3:28:51 | ...+... | -| LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:29:3:29:33 | slice literal | -| LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:35:3:35:51 | ...+... | -| LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:36:3:36:33 | slice literal | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:59:3:59:11 | untrusted | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:61:3:61:51 | ...+... | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:62:3:62:33 | slice literal | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:66:3:66:11 | untrusted | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:68:3:68:51 | ...+... | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:69:3:69:33 | slice literal | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:73:3:73:11 | untrusted | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:75:3:75:51 | ...+... 
| +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:76:3:76:33 | slice literal | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:80:22:80:30 | untrusted | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:81:25:81:33 | untrusted | nodes -| LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | semmle.label | call to UserAgent : string | -| LDAPInjectction.go:21:3:21:51 | ...+... | semmle.label | ...+... | -| LDAPInjectction.go:22:3:22:33 | slice literal | semmle.label | slice literal | -| LDAPInjectction.go:28:3:28:51 | ...+... | semmle.label | ...+... | -| LDAPInjectction.go:29:3:29:33 | slice literal | semmle.label | slice literal | -| LDAPInjectction.go:35:3:35:51 | ...+... | semmle.label | ...+... | -| LDAPInjectction.go:36:3:36:33 | slice literal | semmle.label | slice literal | +| LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | semmle.label | call to UserAgent : string | +| LDAPInjectction.go:59:3:59:11 | untrusted | semmle.label | untrusted | +| LDAPInjectction.go:61:3:61:51 | ...+... | semmle.label | ...+... | +| LDAPInjectction.go:62:3:62:33 | slice literal | semmle.label | slice literal | +| LDAPInjectction.go:66:3:66:11 | untrusted | semmle.label | untrusted | +| LDAPInjectction.go:68:3:68:51 | ...+... | semmle.label | ...+... | +| LDAPInjectction.go:69:3:69:33 | slice literal | semmle.label | slice literal | +| LDAPInjectction.go:73:3:73:11 | untrusted | semmle.label | untrusted | +| LDAPInjectction.go:75:3:75:51 | ...+... | semmle.label | ...+... | +| LDAPInjectction.go:76:3:76:33 | slice literal | semmle.label | slice literal | +| LDAPInjectction.go:80:22:80:30 | untrusted | semmle.label | untrusted | +| LDAPInjectction.go:81:25:81:33 | untrusted | semmle.label | untrusted | #select -| LDAPInjectction.go:21:3:21:51 | ...+... | LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:21:3:21:51 | ...+... 
| LDAP query parameter is derived from $@. | LDAPInjectction.go:17:15:17:29 | call to UserAgent | a user-provided value | -| LDAPInjectction.go:22:3:22:33 | slice literal | LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:22:3:22:33 | slice literal | LDAP query parameter is derived from $@. | LDAPInjectction.go:17:15:17:29 | call to UserAgent | a user-provided value | -| LDAPInjectction.go:28:3:28:51 | ...+... | LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:28:3:28:51 | ...+... | LDAP query parameter is derived from $@. | LDAPInjectction.go:17:15:17:29 | call to UserAgent | a user-provided value | -| LDAPInjectction.go:29:3:29:33 | slice literal | LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:29:3:29:33 | slice literal | LDAP query parameter is derived from $@. | LDAPInjectction.go:17:15:17:29 | call to UserAgent | a user-provided value | -| LDAPInjectction.go:35:3:35:51 | ...+... | LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:35:3:35:51 | ...+... | LDAP query parameter is derived from $@. | LDAPInjectction.go:17:15:17:29 | call to UserAgent | a user-provided value | -| LDAPInjectction.go:36:3:36:33 | slice literal | LDAPInjectction.go:17:15:17:29 | call to UserAgent : string | LDAPInjectction.go:36:3:36:33 | slice literal | LDAP query parameter is derived from $@. | LDAPInjectction.go:17:15:17:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:59:3:59:11 | untrusted | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:59:3:59:11 | untrusted | LDAP query parameter is derived from $@. | LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:61:3:61:51 | ...+... | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:61:3:61:51 | ...+... | LDAP query parameter is derived from $@. 
| LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:62:3:62:33 | slice literal | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:62:3:62:33 | slice literal | LDAP query parameter is derived from $@. | LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:66:3:66:11 | untrusted | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:66:3:66:11 | untrusted | LDAP query parameter is derived from $@. | LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:68:3:68:51 | ...+... | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:68:3:68:51 | ...+... | LDAP query parameter is derived from $@. | LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:69:3:69:33 | slice literal | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:69:3:69:33 | slice literal | LDAP query parameter is derived from $@. | LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:73:3:73:11 | untrusted | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:73:3:73:11 | untrusted | LDAP query parameter is derived from $@. | LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:75:3:75:51 | ...+... | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:75:3:75:51 | ...+... | LDAP query parameter is derived from $@. | LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:76:3:76:33 | slice literal | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:76:3:76:33 | slice literal | LDAP query parameter is derived from $@. 
| LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:80:22:80:30 | untrusted | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:80:22:80:30 | untrusted | LDAP query parameter is derived from $@. | LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | +| LDAPInjectction.go:81:25:81:33 | untrusted | LDAPInjectction.go:57:15:57:29 | call to UserAgent : string | LDAPInjectction.go:81:25:81:33 | untrusted | LDAP query parameter is derived from $@. | LDAPInjectction.go:57:15:57:29 | call to UserAgent | a user-provided value | diff --git a/ql/test/experimental/CWE-090/LDAPInjectction.go b/ql/test/experimental/CWE-090/LDAPInjectction.go index cc03b348d45..87741a08d28 100644 --- a/ql/test/experimental/CWE-090/LDAPInjectction.go +++ b/ql/test/experimental/CWE-090/LDAPInjectction.go @@ -1,7 +1,13 @@ package main +//go:generate depstubber -vendor github.com/go-ldap/ldap "" ScopeWholeSubtree,NeverDerefAliases,NewSearchRequest,EscapeFilter +//go:generate depstubber -vendor github.com/go-ldap/ldap/v3 "" ScopeWholeSubtree,NeverDerefAliases,NewSearchRequest,EscapeFilter +//go:generate depstubber -vendor github.com/jtblin/go-ldap-client LDAPClient +//go:generate depstubber -vendor gopkg.in/ldap.v2 "" ScopeWholeSubtree,NeverDerefAliases,NewSearchRequest,EscapeFilter + import ( "net/http" + "strings" goldap "github.com/go-ldap/ldap" goldapv3 "github.com/go-ldap/ldap/v3" 
@@ -9,67 +15,121 @@ import ( gopkgldapv2 "gopkg.in/ldap.v2" ) +type Ldap struct{} + +func (*Ldap) sanitizedUserQuery(username string) (string, bool) { + badCharacters := "\x00()*\\" + if strings.ContainsAny(username, badCharacters) { + return "", false + } + return username, true +} + +func (*Ldap) sanitizedUserDN(username string) (string, bool) { + badCharacters := "\x00()*\\" + if strings.ContainsAny(username, badCharacters) { + return "", false + } + return username, true +} + +func (*Ldap) sanitizedGroupFilter(username string) (string, bool) { + badCharacters := "\x00()*\\" + if strings.ContainsAny(username, badCharacters) { + return "", false + } + return username, true +} + +func (*Ldap) sanitizedGroupDN(username string) (string, bool) { + badCharacters := "\x00()*\\" + if strings.ContainsAny(username, badCharacters) { + return "", false + } + return username, true +} + func main() {} // bad is an example of a bad implementation -func bad(req *http.Request) { +func (ld *Ldap) bad(req *http.Request) { // ... 
untrusted := req.UserAgent() goldap.NewSearchRequest( - "dc=example,dc=com", // The base dn to search + untrusted, // BAD: untrusted dn goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false, "(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter []string{"dn", "cn", untrusted}, // BAD: untrusted attribute nil, ) goldapv3.NewSearchRequest( - "dc=example,dc=com", // The base dn to search + untrusted, // BAD: untrusted dn goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false, "(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter []string{"dn", "cn", untrusted}, // BAD: untrusted attribute nil, ) gopkgldapv2.NewSearchRequest( - "dc=example,dc=com", // The base dn to search + untrusted, // BAD: untrusted dn goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false, "(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter []string{"dn", "cn", untrusted}, // BAD: untrusted attribute nil, ) - ldapclient.Authenticate(untrusted, "123456") // BAD: untrusted filter - ldapclient.GetGroupsOfUser(untrusted) // BAD: untrusted filter + client := &ldapclient.LDAPClient{} + client.Authenticate(untrusted, "123456") // BAD: untrusted filter + client.GetGroupsOfUser(untrusted) // BAD: untrusted filter // ... } // good is an example of a good implementation -func good(req *http.Request) { +func (ld *Ldap) good(req *http.Request) { // ... 
untrusted := req.UserAgent() - escapegoldap := goldap.EscapedFilter(untrusted) + escapegoldap := goldap.EscapeFilter(untrusted) goldap.NewSearchRequest( - "dc=example,dc=com", // The base dn to search + escapegoldap, // GOOD: sanitized dn goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false, "(&(objectClass=organizationalPerson))"+escapegoldap, // GOOD: sanitized filter []string{"dn", "cn", escapegoldap}, // GOOD: sanitized attribute nil, ) - escapegoldapv3 := goldapv3.EscapedFilter(untrusted) + escapegoldapv3 := goldapv3.EscapeFilter(untrusted) goldapv3.NewSearchRequest( - "dc=example,dc=com", // The base dn to search + escapegoldapv3, // GOOD: sanitized dn goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false, "(&(objectClass=organizationalPerson))"+escapegoldapv3, // GOOD: sanitized filter []string{"dn", "cn", escapegoldapv3}, // GOOD: sanitized attribute nil, ) - escapegopkgv2 := gopkgldapv2.EscapedFilter(untrusted) + escapegopkgv2 := gopkgldapv2.EscapeFilter(untrusted) gopkgldapv2.NewSearchRequest( - "dc=example,dc=com", // The base dn to search + escapegopkgv2, // GOOD: sanitized dn goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false, "(&(objectClass=organizationalPerson))"+escapegopkgv2, // GOOD: sanitized filter []string{"dn", "cn", escapegopkgv2}, // GOOD: sanitized attribute nil, ) - ldapclient.Authenticate(escapegoldapv3, "123456") // GOOD: sanitized filter - ldapclient.GetGroupsOfUser(escapegoldapv3) // GOOD: sanitized filter + escapedusercustom, _ := ld.sanitizedUserQuery(untrusted) // GOOD: custom sanitized filter + escapedgroupcustom, _ := ld.sanitizedGroupFilter(untrusted) // GOOD: custom sanitized filter + escapeduserdncustom, _ := ld.sanitizedUserDN(untrusted) // GOOD: custom sanitized filter + escapedgroupdncustom, _ := ld.sanitizedGroupDN(untrusted) // GOOD: custom sanitized filter + client := &ldapclient.LDAPClient{} + client.Authenticate(escapedusercustom, "123456") // GOOD: sanitized filter + 
client.GetGroupsOfUser(escapedgroupcustom) // GOOD: sanitized filter + gopkgldapv2.NewSearchRequest( + escapeduserdncustom, // GOOD: sanitized dn + goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false, + "(&(objectClass=organizationalPerson))"+"(uid=1)", + []string{"dn", "cn"}, + nil, + ) + gopkgldapv2.NewSearchRequest( + escapedgroupdncustom, // GOOD: sanitized dn + goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false, + "(&(objectClass=organizationalPerson))"+"(uid=1)", + []string{"dn", "cn"}, + nil, + ) // ... } diff --git a/ql/test/experimental/CWE-090/go.mod b/ql/test/experimental/CWE-090/go.mod new file mode 100644 index 00000000000..22c9038d70e --- /dev/null +++ b/ql/test/experimental/CWE-090/go.mod @@ -0,0 +1,11 @@ +module example.com/ldap + +go 1.16 + +require ( + github.com/go-ldap/ldap v3.0.3+incompatible + github.com/go-ldap/ldap/v3 v3.4.1 + github.com/jtblin/go-ldap-client v0.0.0-20170223121919-b73f66626b33 + gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect + gopkg.in/ldap.v2 v2.5.1 +) diff --git a/ql/test/experimental/CWE-090/vendor/github.com/go-ldap/ldap/stub.go b/ql/test/experimental/CWE-090/vendor/github.com/go-ldap/ldap/stub.go new file mode 100644 index 00000000000..6850681fe17 --- /dev/null +++ b/ql/test/experimental/CWE-090/vendor/github.com/go-ldap/ldap/stub.go 
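Review bot: The good() example labels the `goldap.EscapeFilter(untrusted)` result as `// GOOD: sanitized dn` where it is passed as the base DN of all three `NewSearchRequest` calls, and the regenerated .expected file records those positions as non-findings. `EscapeFilter` is the RFC 4515 search-filter escaper; DN metacharacters (`,`, `=`, `+`, `"`, `;`, `<`, `>`, a leading `#` or space, per RFC 4514) are a different set, so a filter-escaped value can still alter a DN, and this test presumably now commits the query to treating filter escaping as sufficient for DN sinks. Either keep the base DN a constant in good() and show EscapeFilter only on the filter/attribute arguments, or relabel those lines (e.g. `escapegoldap, // BAD: filter escaping is not DN escaping`) and regenerate the expected output. Separately, the four `sanitized*` helpers are byte-identical and every caller drops the `ok` result with `_`, so a rejected input is silently replaced by `""`; in an example meant to model correct handling I would write `escapedusercustom, ok := ld.sanitizedUserQuery(untrusted)` / `if !ok { return }` rather than passing the empty string on to `Authenticate`.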
@@ -0,0 +1,38 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/go-ldap/ldap, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/go-ldap/ldap (exports: ; functions: ScopeWholeSubtree,NeverDerefAliases,NewSearchRequest,EscapeFilter) + +// Package ldap is a stub of github.com/go-ldap/ldap, generated by depstubber. +package ldap + +type Control interface { + Encode() interface{} + GetControlType() string + String() string +} + +func EscapeFilter(_ string) string { + return "" +} + +var NeverDerefAliases int = 0 + +func NewSearchRequest(_ string, _ int, _ int, _ int, _ int, _ bool, _ string, _ []string, _ []Control) *SearchRequest { + return nil +} + +var ScopeWholeSubtree int = 0 + +type SearchRequest struct { + BaseDN string + Scope int + DerefAliases int + SizeLimit int + TimeLimit int + TypesOnly bool + Filter string + Attributes []string + Controls []Control +} diff --git a/ql/test/experimental/CWE-090/vendor/github.com/go-ldap/ldap/v3/stub.go b/ql/test/experimental/CWE-090/vendor/github.com/go-ldap/ldap/v3/stub.go new file mode 100644 index 00000000000..c11e00de0e6 --- /dev/null +++ b/ql/test/experimental/CWE-090/vendor/github.com/go-ldap/ldap/v3/stub.go 
@@ -0,0 +1,38 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/go-ldap/ldap/v3, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/go-ldap/ldap/v3 (exports: ; functions: ScopeWholeSubtree,NeverDerefAliases,NewSearchRequest,EscapeFilter) + +// Package ldap is a stub of github.com/go-ldap/ldap/v3, generated by depstubber. +package ldap + +type Control interface { + Encode() interface{} + GetControlType() string + String() string +} + +func EscapeFilter(_ string) string { + return "" +} + +var NeverDerefAliases int = 0 + +func NewSearchRequest(_ string, _ int, _ int, _ int, _ int, _ bool, _ string, _ []string, _ []Control) *SearchRequest { + return nil +} + +var ScopeWholeSubtree int = 0 + +type SearchRequest struct { + BaseDN string + Scope int + DerefAliases int + SizeLimit int + TimeLimit int + TypesOnly bool + Filter string + Attributes []string + Controls []Control +} diff --git a/ql/test/experimental/CWE-090/vendor/github.com/jtblin/go-ldap-client/stub.go b/ql/test/experimental/CWE-090/vendor/github.com/jtblin/go-ldap-client/stub.go new file mode 100644 index 00000000000..2a3c26fd41d --- /dev/null +++ b/ql/test/experimental/CWE-090/vendor/github.com/jtblin/go-ldap-client/stub.go 
@@ -0,0 +1,43 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/jtblin/go-ldap-client, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/jtblin/go-ldap-client (exports: LDAPClient; functions: ) + +// Package go_pkg is a stub of github.com/jtblin/go-ldap-client, generated by depstubber. +package go_pkg + +import ( + tls "crypto/tls" +) + +type LDAPClient struct { + Attributes []string + Base string + BindDN string + BindPassword string + GroupFilter string + Host string + ServerName string + UserFilter string + Conn interface{} + Port int + InsecureSkipVerify bool + UseSSL bool + SkipTLS bool + ClientCertificates []tls.Certificate +} + +func (_ *LDAPClient) Authenticate(_ string, _ string) (bool, map[string]string, error) { + return false, nil, nil +} + +func (_ *LDAPClient) Close() {} + +func (_ *LDAPClient) Connect() error { + return nil +} + +func (_ *LDAPClient) GetGroupsOfUser(_ string) ([]string, error) { + return nil, nil +} diff --git a/ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/depstubber_reflect_635541987/go.mod b/ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/depstubber_reflect_635541987/go.mod new file mode 100644 index 00000000000..22c9038d70e --- /dev/null +++ b/ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/depstubber_reflect_635541987/go.mod @@ -0,0 +1,11 @@ +module example.com/ldap + +go 1.16 + +require ( + github.com/go-ldap/ldap v3.0.3+incompatible + github.com/go-ldap/ldap/v3 v3.4.1 + github.com/jtblin/go-ldap-client v0.0.0-20170223121919-b73f66626b33 + gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect + gopkg.in/ldap.v2 v2.5.1 +) diff --git a/ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/depstubber_reflect_635541987/prog.go b/ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/depstubber_reflect_635541987/prog.go new file mode 100644 index 00000000000..cf64c012361 
--- /dev/null +++ b/ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/depstubber_reflect_635541987/prog.go @@ -0,0 +1,79 @@ + +package main + +import ( + "encoding/gob" + "flag" + "fmt" + "os" + "reflect" + + "github.com/github/depstubber/model" + + pkg_ "gopkg.in/ldap.v2" +) + +var output = flag.String("output", "", "The output file name, or empty to use stdout.") + +func main() { + flag.Parse() + + types := []struct{ + sym string + typ reflect.Type + }{ + + } + + values := []struct{ + sym string + val reflect.Value + }{ + + { "Authenticate", reflect.ValueOf(pkg_.Authenticate) }, + + { "GetGroupsOfUser", reflect.ValueOf(pkg_.GetGroupsOfUser) }, + + } + + // NOTE: This behaves contrary to documented behaviour if the + // package name is not the final component of the import path. + // The reflect package doesn't expose the package name, though. + pkg := model.NewPackage("gopkg.in/ldap.v2", false) + + for _, t := range types { + err := pkg.AddType(t.sym, t.typ) + if err != nil { + fmt.Fprintf(os.Stderr, "Reflection: %v\n", err) + os.Exit(1) + } + } + + for _, v := range values { + err := pkg.AddValue(v.sym, v.val) + if err != nil { + fmt.Fprintf(os.Stderr, "Reflection: %v\n", err) + os.Exit(1) + } + } + + outfile := os.Stdout + if len(*output) != 0 { + var err error + outfile, err = os.Create(*output) + if err != nil { + fmt.Fprintf(os.Stderr, "failed to open output file %q", *output) + } + defer func() { + if err := outfile.Close(); err != nil { + fmt.Fprintf(os.Stderr, "failed to close output file %q", *output) + os.Exit(1) + } + }() + } + + if err := gob.NewEncoder(outfile).Encode(model.PackPkg(pkg)); err != nil { + fmt.Fprintf(os.Stderr, "gob encode: %v\n", err) + os.Exit(1) + } +} diff --git a/ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/stub.go b/ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/stub.go new file mode 100644 index 00000000000..e34b9381c7f --- /dev/null +++ b/ql/test/experimental/CWE-090/vendor/gopkg.in/ldap.v2/stub.go 
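Review bot: `vendor/gopkg.in/ldap.v2/depstubber_reflect_635541987/` looks like depstubber's temporary reflection scratch directory committed by accident: its `prog.go` imports `github.com/github/depstubber/model`, which is not in the test go.mod, and reflects on `pkg_.Authenticate`/`pkg_.GetGroupsOfUser` from `gopkg.in/ldap.v2`, which matches neither the `ScopeWholeSubtree,NeverDerefAliases,NewSearchRequest,EscapeFilter` symbol list in the `//go:generate` line nor the stub generated next to it. It is not listed in vendor/modules.txt, so I would expect the Go toolchain to ignore it, but it is dead, non-building code that will confuse whoever next regenerates the stubs. I would delete the directory (both its go.mod and prog.go) and re-run `go generate` to confirm the remaining stubs are reproduced without it.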
@@ -0,0 +1,38 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for gopkg.in/ldap.v2, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: gopkg.in/ldap.v2 (exports: ; functions: ScopeWholeSubtree,NeverDerefAliases,NewSearchRequest,EscapeFilter) + +// Package ldap is a stub of gopkg.in/ldap.v2, generated by depstubber. +package ldap + +type Control interface { + Encode() interface{} + GetControlType() string + String() string +} + +func EscapeFilter(_ string) string { + return "" +} + +var NeverDerefAliases int = 0 + +func NewSearchRequest(_ string, _ int, _ int, _ int, _ int, _ bool, _ string, _ []string, _ []Control) *SearchRequest { + return nil +} + +var ScopeWholeSubtree int = 0 + +type SearchRequest struct { + BaseDN string + Scope int + DerefAliases int + SizeLimit int + TimeLimit int + TypesOnly bool + Filter string + Attributes []string + Controls []Control +} diff --git a/ql/test/experimental/CWE-090/vendor/modules.txt b/ql/test/experimental/CWE-090/vendor/modules.txt new file mode 100644 index 00000000000..3186081d6bf --- /dev/null +++ b/ql/test/experimental/CWE-090/vendor/modules.txt @@ -0,0 +1,15 @@ +# github.com/go-ldap/ldap v3.0.3+incompatible +## explicit +github.com/go-ldap/ldap +# github.com/go-ldap/ldap/v3 v3.4.1 +## explicit +github.com/go-ldap/ldap/v3 +# github.com/jtblin/go-ldap-client v0.0.0-20170223121919-b73f66626b33 +## explicit +github.com/jtblin/go-ldap-client +# gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d +## explicit +gopkg.in/asn1-ber.v1 +# gopkg.in/ldap.v2 v2.5.1 +## explicit +gopkg.in/ldap.v2