Update Sink

2025-12-20 10:46:30 +01:00 · 2021-03-30 16:58:02 +02:00
parent 3cda2e5207
commit 8faafb6961
3 changed files with 31 additions and 10 deletions
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -16,11 +16,10 @@ import DataFlow::PathGraph

 from
  LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  LDAPQuery castedSink
+  LDAPInjectionSink castedSink
 where
  config.hasFlowPath(source, sink) and
-  castedSink = sink.getNode() //and
+  castedSink.getLDAPNode() = sink.getNode() //and
 // if exists(castedSink.getAttrs()) then
-select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@ probably leaking $@.",
-  sink.getNode(), "This", source.getNode(), "a user-provided value", castedSink.getLDAPNode(),
-  castedSink.getLDAPPart(), castedSink.getAttrs(), "this attribute(s)"
+select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@.", castedSink, "This",
+  source.getNode(), "a user-provided value", castedSink.getLDAPNode(), castedSink.getLDAPPart() //, castedSink.getAttrs(), "probably leaking this attribute(s)"
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -95,10 +95,10 @@ private module LDAP {
          (
            ldapNode = this.getArg(0) and
            ldapPart = "DN"
-            or
-            ldapNode = this.getArg(1) and
-            ldapPart = "search_filter"
          )
+          or
+          ldapNode = this.getArg(1) and
+          ldapPart = "search_filter"
        )
      }

--- a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
@@ -8,6 +8,26 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources

+class LDAPInjectionSink extends DataFlow::Node {
+  // DataFlow::Node attrs;
+  DataFlow::Node ldapNode;
+  string ldapPart;
+
+  LDAPInjectionSink() {
+    exists(LDAPQuery ldapQuery |
+      this = ldapQuery and
+      ldapNode = ldapQuery.getLDAPNode() and
+      ldapPart = ldapQuery.getLDAPPart() // and
+      // if exists(ldapQuery.getAttrs()) then attrs = ldapQuery.getAttrs()
+    )
+  }
+
+  DataFlow::Node getLDAPNode() { result = ldapNode }
+
+  string getLDAPPart() { result = ldapPart }
+  // DataFlow::Node getAttrs() { result = attrs }
+}
+
 /**
 * A taint-tracking configuration for detecting regular expression injections.
 */
@@ -16,9 +36,11 @@ class LDAPInjectionFlowConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

-  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery lQ).getLDAPNode() }
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(LDAPInjectionSink ldapInjSink).getLDAPNode()
+  }

  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer = any(LDAPEscape lE).getEscapeNode()
+    sanitizer = any(LDAPEscape ldapEsc).getEscapeNode()
  }
 }