Add Improper LDAP Authentication query (CWE-287)

ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected

@@ -0,0 +1,20 @@
+edges
+| ImproperLdapAuth.rb:5:5:5:8 | pass | ImproperLdapAuth.rb:15:23:15:26 | pass |
+| ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:5:12:5:24 | ...[...] |
+| ImproperLdapAuth.rb:5:12:5:24 | ...[...] | ImproperLdapAuth.rb:5:5:5:8 | pass |
+| ImproperLdapAuth.rb:24:5:24:8 | pass | ImproperLdapAuth.rb:31:24:31:27 | pass |
+| ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:24:12:24:24 | ...[...] |
+| ImproperLdapAuth.rb:24:12:24:24 | ...[...] | ImproperLdapAuth.rb:24:5:24:8 | pass |
+nodes
+| ImproperLdapAuth.rb:5:5:5:8 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:5:12:5:17 | call to params | semmle.label | call to params |
+| ImproperLdapAuth.rb:5:12:5:24 | ...[...] | semmle.label | ...[...] |
+| ImproperLdapAuth.rb:15:23:15:26 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:24:5:24:8 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:24:12:24:17 | call to params | semmle.label | call to params |
+| ImproperLdapAuth.rb:24:12:24:24 | ...[...] | semmle.label | ...[...] |
+| ImproperLdapAuth.rb:31:24:31:27 | pass | semmle.label | pass |
+subpaths
+#select
+| ImproperLdapAuth.rb:15:23:15:26 | pass | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:15:23:15:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:5:12:5:17 | call to params | user-provided value |
+| ImproperLdapAuth.rb:31:24:31:27 | pass | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:31:24:31:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:24:12:24:17 | call to params | user-provided value |

ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.qlref

@@ -0,0 +1 @@
+experimental/ldap-improper-auth/ImproperLdapAuth.ql

ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb

@@ -0,0 +1,59 @@
+class FooController < ActionController::Base
+  def some_request_handler
+    # A string tainted by user input is used directly as password
+    # (i.e a remote flow source)
+    pass = params[:pass]
+
+    # BAD: user input is not sanetized
+    ldap = Net::LDAP.new(
+        host: 'ldap.example.com',
+        port: 636,
+        encryption: :simple_tls,
+        auth: {
+            method: :simple,
+            username: 'uid=admin,dc=example,dc=com',
+            password: pass
+        }
+    )
+    ldap.bind
+  end
+
+  def some_request_handler
+    # A string tainted by user input is used directly as password
+    # (i.e a remote flow source)
+    pass = params[:pass]
+
+    # BAD: user input is not sanetized
+    ldap = Net::LDAP.new
+    ldap.host = your_server_ip_address
+    ldap.encryption(:method => :simple_tls)
+    ldap.port = 639
+    ldap.auth "admin", pass
+    ldap.bind
+  end
+end
+
+class BarController < ApplicationController
+  def safe_paths
+    pass = params[:pass]
+
+    # GOOD: barrier guard prevents taint flow
+    if password.nil? || password.empty?
+      # protect against passwordless auth from ldap server
+      pass = "$uper$secure123"
+    else
+      pass
+    end
+
+    ldap = Net::LDAP.new(
+        host: 'ldap.example.com',
+        port: 636,
+        encryption: :simple_tls,
+        auth: {
+            method: :simple,
+            username: 'uid=admin,dc=example,dc=com',
+            password: pass
+        }
+    )
+  end
+end