Polish tests

2025-12-20 18:56:32 +01:00 · 2021-04-08 23:11:20 +02:00
parent 8661cb0719
commit 7296879bc9
4 changed files with 47 additions and 74 deletions
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py
@@ -6,17 +6,10 @@ app = Flask(__name__)

@app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    """
+    A RemoteFlowSource is used directly as DN and search filter
+    """

-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
-    conn.search(unsafe_dn, unsafe_filter, attributes=[
-                "testAttr1", "testAttr2"])
-
-
-@app.route("/normal_noAttrs")
-def normal_noAttrs():
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

@@ -27,12 +20,16 @@ def normal_noAttrs():

@app.route("/direct")
 def direct():
+    """
+    A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search
+    """
+
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(unsafe_dn, unsafe_filter, attributes=[
-        "testAttr1", "testAttr2"])
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(
+        unsafe_dn, unsafe_filter)

 # if __name__ == "__main__":
 #     app.run(debug=True)
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py
@@ -8,6 +8,10 @@ app = Flask(__name__)

@app.route("/normal")
 def normal():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter
+    """
+
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

@@ -15,26 +19,16 @@ def normal():
    safe_filter = escape_filter_chars(unsafe_filter)

    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
-    conn.search(safe_dn, safe_filter, attributes=[
-                "testAttr1", "testAttr2"])
-
-
-@app.route("/normal_noAttrs")
-def normal_noAttrs():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    safe_dn = escape_rdn(unsafe_dn)
-    safe_filter = escape_filter_chars(unsafe_filter)
-
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
+    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True)
    conn.search(safe_dn, safe_filter)


@app.route("/direct")
 def direct():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search
+    """
+
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

@@ -42,8 +36,8 @@ def direct():
    safe_filter = escape_filter_chars(unsafe_filter)

    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(safe_dn, safe_filter, attributes=[
-        "testAttr1", "testAttr2"])
+    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True).search(
+        safe_dn, safe_filter)

 # if __name__ == "__main__":
 #     app.run(debug=True)
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
@@ -6,16 +6,10 @@ app = Flask(__name__)

@app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    """
+    A RemoteFlowSource is used directly as DN and search filter
+    """

-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter, ["testAttr1", "testAttr2"])
-
-
-@app.route("/normal_noAttrs")
-def normal_noAttrs():
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

@@ -26,30 +20,30 @@ def normal_noAttrs():

@app.route("/direct")
 def direct():
+    """
+    A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search_s
+    """
+
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter, ["testAttr1", "testAttr2"])
+        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)


@app.route("/normal_argbyname")
 def normal_argbyname():
+    """
+    A RemoteFlowSource is used directly as DN and search filter, while the search filter is specified as
+    an argument by name
+    """
+
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
    user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=unsafe_filter)
-
-
-@app.route("/direct_argbyname")
-def direct_argbyname():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=unsafe_filter)
+        unsafe_dn, ldap.SCOPE_SUBTREE, filterstr=unsafe_filter)


 # if __name__ == "__main__":
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
@@ -8,19 +8,10 @@ app = Flask(__name__)

@app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter
+    """

-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
-    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter, ["testAttr1", "testAttr2"])
-
-
-@app.route("/normal_noAttrs")
-def normal_noAttrs():
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

@@ -34,6 +25,10 @@ def normal_noAttrs():

@app.route("/direct")
 def direct():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search_s
+    """
+
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

@@ -46,6 +41,11 @@ def direct():

@app.route("/normal_argbyname")
 def normal_argbyname():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter, while the search filter is specified as
+    an argument by name
+    """
+
    unsafe_dn = "dc=%s" % request.args['dc']
    unsafe_filter = "(user=%s)" % request.args['username']

@@ -54,19 +54,7 @@ def normal_argbyname():

    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
    user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=safe_filter)
-
-
-@app.route("/direct_argbyname")
-def direct_argbyname():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
-    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
-
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=safe_filter)
+        safe_dn, ldap.SCOPE_SUBTREE, filterstr=safe_filter)


 # if __name__ == "__main__":