Merge pull request #7783 from yoff/python/promote-ldap-injection

Python: promote LDAP injection query
2025-12-21 19:26:31 +01:00 · 2022-02-15 10:24:18 +01:00
parent 8f8621f82c 86786d3368
commit 5a90214ece
23 changed files with 441 additions and 67 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll
@@ -0,0 +1,60 @@
+/**
+ * Provides taint-tracking configurations for detecting LDAP injection vulnerabilities
+ *
+ * Note, for performance reasons: only import this file if
+ * `LdapInjection::Configuration` is needed, otherwise
+ * `LdapInjectionCustomizations` should be imported instead.
+ */
+
+import python
+import semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides aint-tracking configurations for detecting LDAP injection vulnerabilities.class
+ *
+ * Two configurations are provided. One is for detecting LDAP injection
+ * via the distinguished name (DN). The other is for detecting LDAP injection
+ * via the filter. These require different escapings.
+ */
+module LdapInjection {
+  import LdapInjectionCustomizations::LdapInjection
+
+  /**
+   * A taint-tracking configuration for detecting LDAP injection vulnerabilities
+   * via the distinguished name (DN) parameter of an LDAP search.
+   */
+  class DnConfiguration extends TaintTracking::Configuration {
+    DnConfiguration() { this = "LdapDnInjection" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof DnSanitizerGuard
+    }
+  }
+
+  /**
+   * A taint-tracking configuration for detecting LDAP injection vulnerabilities
+   * via the filter parameter of an LDAP search.
+   */
+  class FilterConfiguration extends TaintTracking::Configuration {
+    FilterConfiguration() { this = "LdapFilterInjection" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof FilterSanitizerGuard
+    }
+  }
+}
--- a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionCustomizations.qll
@@ -0,0 +1,97 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "ldap injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "ldap injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module LdapInjection {
+  /**
+   * A data flow source for "ldap injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "ldap injection" vulnerabilities.
+   */
+  abstract class DnSink extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "ldap injection" vulnerabilities.
+   */
+  abstract class FilterSink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "ldap injection" vulnerabilities.
+   */
+  abstract class DnSanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "ldap injection" vulnerabilities.
+   */
+  abstract class FilterSanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for "ldap injection" vulnerabilities.
+   */
+  abstract class DnSanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A sanitizer guard for "ldap injection" vulnerabilities.
+   */
+  abstract class FilterSanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A logging operation, considered as a flow sink.
+   */
+  class LdapExecutionAsDnSink extends DnSink {
+    LdapExecutionAsDnSink() { this = any(LDAP::LdapExecution ldap).getBaseDn() }
+  }
+
+  /**
+   * A logging operation, considered as a flow sink.
+   */
+  class LdapExecutionAsFilterSink extends FilterSink {
+    LdapExecutionAsFilterSink() { this = any(LDAP::LdapExecution ldap).getFilter() }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsDnSanitizerGuard extends DnSanitizerGuard, StringConstCompare { }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsFilterSanitizerGuard extends FilterSanitizerGuard, StringConstCompare {
+  }
+
+  /**
+   * A call to replace line breaks functions as a sanitizer.
+   */
+  class LdapDnEscapingSanitizer extends DnSanitizer, DataFlow::CallCfgNode {
+    LdapDnEscapingSanitizer() { this = any(LdapDnEscaping ldapDnEsc).getOutput() }
+  }
+
+  /**
+   * A call to replace line breaks functions as a sanitizer.
+   */
+  class LdapFilterEscapingSanitizer extends FilterSanitizer, DataFlow::CallCfgNode {
+    LdapFilterEscapingSanitizer() { this = any(LdapFilterEscaping ldapDnEsc).getOutput() }
+  }
+}