Consider search methods with unsafe SearchControls

2026-04-30 11:15:13 +02:00 · 2021-05-21 15:21:04 +02:00
parent 2613e58916
commit 7dbdba28cc
3 changed files with 262 additions and 27 deletions
--- a/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.java
+++ b/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.java
@@ -11,6 +11,7 @@ import javax.naming.Context;
 import javax.naming.InitialContext;
 import javax.naming.Name;
 import javax.naming.NamingException;
+import javax.naming.directory.DirContext;
 import javax.naming.directory.InitialDirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.ldap.InitialLdapContext;
@@ -18,6 +19,7 @@ import javax.naming.ldap.InitialLdapContext;
 import org.springframework.jndi.JndiTemplate;
 import org.springframework.ldap.core.AttributesMapper;
 import org.springframework.ldap.core.ContextMapper;
+import org.springframework.ldap.core.DirContextProcessor;
 import org.springframework.ldap.core.LdapTemplate;
 import org.springframework.ldap.core.NameClassPairCallbackHandler;
 import org.springframework.stereotype.Controller;
@@ -47,9 +49,9 @@ public class JndiInjectionTest {
  }

  @RequestMapping
-  public void testInitialDirContextBad1(@RequestParam String nameStr) throws NamingException {
+  public void testDirContextBad1(@RequestParam String nameStr) throws NamingException {
    Name name = new CompoundName(nameStr, new Properties());
-    InitialDirContext ctx = new InitialDirContext();
+    DirContext ctx = new InitialDirContext();

    ctx.lookup(nameStr); // $hasJndiInjection
    ctx.lookupLink(nameStr); // $hasJndiInjection
@@ -62,6 +64,19 @@ public class JndiInjectionTest {
    ctx.rename(name, null); // $hasJndiInjection
    ctx.list(name); // $hasJndiInjection
    ctx.listBindings(name); // $hasJndiInjection
+
+    SearchControls searchControls = new SearchControls();
+    searchControls.setReturningObjFlag(true);
+    ctx.search(nameStr, "", searchControls); // $hasJndiInjection
+    ctx.search(nameStr, "", new Object[] {}, searchControls); // $hasJndiInjection
+
+    SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false);
+    ctx.search(nameStr, "", searchControls2); // $hasJndiInjection
+    ctx.search(nameStr, "", new Object[] {}, searchControls2); // $hasJndiInjection
+
+    SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false);
+    ctx.search(nameStr, "", searchControls3); // Safe
+    ctx.search(nameStr, "", new Object[] {}, searchControls3); // Safe
  }

  @RequestMapping
@@ -93,7 +108,7 @@ public class JndiInjectionTest {
  @RequestMapping
  public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException {
    LdapTemplate ctx = new LdapTemplate();
-    Name name = new CompositeName(nameStr);
+    Name name = new CompositeName().add(nameStr);

    ctx.lookup(nameStr); // $hasJndiInjection
    ctx.lookupContext(nameStr); // $hasJndiInjection
@@ -104,11 +119,45 @@ public class JndiInjectionTest {
    ctx.unbind(nameStr, true); // $hasJndiInjection

    ctx.search(nameStr, "", 0, true, null); // $hasJndiInjection
-    ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper<Object>) new Object()); // $hasJndiInjection
-    ctx.search(nameStr, "", 0, (ContextMapper<Object>) new Object()); // $hasJndiInjection
-    ctx.search(nameStr, "", (ContextMapper) new Object()); // $hasJndiInjection
+    ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper<Object>) null); // $hasJndiInjection
+    ctx.search(nameStr, "", 0, (ContextMapper<Object>) null); // $hasJndiInjection
+    ctx.search(nameStr, "", (ContextMapper<Object>) null); // $hasJndiInjection

-    ctx.searchForObject(nameStr, "", (ContextMapper) new Object()); // $hasJndiInjection
+    SearchControls searchControls = new SearchControls();
+    searchControls.setReturningObjFlag(true);
+    ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null); // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null, // $hasJndiInjection
+        (DirContextProcessor) null);
+    ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null); // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null, // $hasJndiInjection
+        (DirContextProcessor) null);
+    ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null); // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null, // $hasJndiInjection
+        (DirContextProcessor) null);
+
+    SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false);
+    ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null); // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null, // $hasJndiInjection
+        (DirContextProcessor) null);
+    ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null); // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null, // $hasJndiInjection
+        (DirContextProcessor) null);
+    ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null); // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null, // $hasJndiInjection
+        (DirContextProcessor) null);
+
+    SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false);
+    ctx.search(nameStr, "", searchControls3, (AttributesMapper<Object>) null); // Safe
+    ctx.search(nameStr, "", searchControls3, (AttributesMapper<Object>) null, // Safe
+        (DirContextProcessor) null);
+    ctx.search(nameStr, "", searchControls3, (ContextMapper<Object>) null); // Safe
+    ctx.search(nameStr, "", searchControls3, (ContextMapper<Object>) null, // Safe
+        (DirContextProcessor) null);
+    ctx.search(nameStr, "", searchControls3, (NameClassPairCallbackHandler) null); // Safe
+    ctx.search(nameStr, "", searchControls3, (NameClassPairCallbackHandler) null, // Safe
+        (DirContextProcessor) null);
+
+    ctx.searchForObject(nameStr, "", (ContextMapper<Object>) null); // $hasJndiInjection
  }

  @RequestMapping
--- a/java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/LdapOperations.java
+++ b/java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/LdapOperations.java
@@ -1,3 +1,84 @@
 package org.springframework.ldap.core;

-public interface LdapOperations {}
+import java.util.*;
+
+import javax.naming.Name;
+import javax.naming.directory.SearchControls;
+
+import org.springframework.ldap.filter.Filter;
+
+import org.springframework.ldap.query.LdapQuery;
+
+public interface LdapOperations {
+    void authenticate(LdapQuery query, String password);
+
+    boolean authenticate(Name base, String filter, String password);
+
+    <T> List<T> find(Name base, Filter filter, SearchControls searchControls, final Class<T> clazz);
+
+    <T> List<T> find(LdapQuery query, Class<T> clazz);
+
+    <T> T findOne(LdapQuery query, Class<T> clazz);
+
+    void search(String base, String filter, int searchScope, boolean returningObjFlag,
+            NameClassPairCallbackHandler handler);
+
+    void search(final String base, final String filter, final SearchControls controls,
+            NameClassPairCallbackHandler handler);
+
+    void search(final String base, final String filter, final SearchControls controls,
+            NameClassPairCallbackHandler handler, DirContextProcessor processor);
+
+    void search(String base, String filter, NameClassPairCallbackHandler handler);
+
+    <T> List<T> search(String base, String filter, int searchScope, String[] attrs,
+            AttributesMapper<T> mapper);
+
+    <T> List<T> search(String base, String filter, int searchScope, AttributesMapper<T> mapper);
+
+    <T> List<T> search(String base, String filter, AttributesMapper<T> mapper);
+
+    <T> List<T> search(String base, String filter, int searchScope, String[] attrs,
+            ContextMapper<T> mapper);
+
+    <T> List<T> search(String base, String filter, int searchScope, ContextMapper<T> mapper);
+
+    <T> List<T> search(String base, String filter, ContextMapper<T> mapper);
+
+    <T> List<T> search(String base, String filter, SearchControls controls,
+            ContextMapper<T> mapper);
+
+    <T> List<T> search(String base, String filter, SearchControls controls,
+            AttributesMapper<T> mapper);
+
+    <T> List<T> search(String base, String filter, SearchControls controls,
+            AttributesMapper<T> mapper, DirContextProcessor processor);
+
+    <T> List<T> search(String base, String filter, SearchControls controls, ContextMapper<T> mapper,
+            DirContextProcessor processor);
+
+    DirContextOperations searchForContext(LdapQuery query);
+
+    <T> T searchForObject(Name base, String filter, ContextMapper<T> mapper);
+
+    <T> T searchForObject(String base, String filter, ContextMapper<T> mapper);
+
+    <T> T searchForObject(String base, String filter, SearchControls searchControls,
+            ContextMapper<T> mapper);
+
+    Object lookup(final String dn);
+
+    DirContextOperations lookupContext(String dn);
+
+    <T> T findByDn(Name dn, final Class<T> clazz);
+
+    void rename(final Name oldDn, final Name newDn);
+
+    List<String> list(final Name base);
+
+    List<String> listBindings(final Name base);
+
+    void unbind(final String dn);
+
+    void unbind(final String dn, boolean recursive);
+}