hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactoring the InsecureLdapUrl constructor

Browse Source
This commit is contained in:
Ed Minnix
2023-03-07 17:42:14 -05:00
parent 938d953789
commit 9275b54e97
1 changed files with 26 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
View File

@@ -36,33 +36,30 @@ class TypeHashtable extends Class {
TypeHashtable() { this.getSourceDeclaration().hasQualifiedName("java.util", "Hashtable") } TypeHashtable() { this.getSourceDeclaration().hasQualifiedName("java.util", "Hashtable") }
} }
string getHostname(Expr expr) {
result = expr.(CompileTimeConstantExpr).getStringValue() or
result =
expr.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
}
/** /**
* Holds if a non-private LDAP string is concatenated from both protocol and host. * Holds if a non-private LDAP string is concatenated from both protocol and host.
*/ */
predicate concatInsecureLdapString(Expr protocol, Expr host) { predicate concatInsecureLdapString(CompileTimeConstantExpr protocol, Expr host) {
protocol.(CompileTimeConstantExpr).getStringValue() = "ldap://" and protocol.getStringValue() = "ldap://" and
not exists(string hostString | not exists(string hostString | hostString = getHostname(host) |
hostString = host.(CompileTimeConstantExpr).getStringValue() or
hostString =
host.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
|
hostString.length() = 0 or // Empty host is loopback address hostString.length() = 0 or // Empty host is loopback address
hostString instanceof PrivateHostName hostString instanceof PrivateHostName
) )
} }
/** Gets the leftmost operand in a concatenated string */ // Expr getLeftmostConcatOperand(Expr expr) {
Expr getLeftmostConcatOperand(Expr expr) {
// if expr instanceof AddExpr // if expr instanceof AddExpr
// then result = getLeftmostConcatOperand(expr.(AddExpr).getLeftOperand()) // then
// result = expr.(AddExpr).getLeftOperand() and
// not result instanceof AddExpr
// else result = expr // else result = expr
if expr instanceof AddExpr // }
then
result = expr.(AddExpr).getLeftOperand*() and
not result instanceof AddExpr
else result = expr
}
/** /**
* String concatenated with `InsecureLdapUrlLiteral`. * String concatenated with `InsecureLdapUrlLiteral`.
*/ */
@@ -70,8 +67,16 @@ class InsecureLdapUrl extends Expr {
InsecureLdapUrl() { InsecureLdapUrl() {
this instanceof InsecureLdapUrlLiteral this instanceof InsecureLdapUrlLiteral
or or
concatInsecureLdapString(this.(AddExpr).getLeftOperand(), // protocol + host + ...
getLeftmostConcatOperand(this.(AddExpr).getRightOperand())) exists(AddExpr e, CompileTimeConstantExpr protocol, Expr rest, Expr host |
e = this and
protocol = e.getLeftOperand() and
rest = e.getRightOperand() and
if rest instanceof AddExpr then host = rest.(AddExpr).getLeftOperand() else host = rest
|
protocol.getStringValue() = "ldap://" and
concatInsecureLdapString(protocol, host)
)
} }
} }