Copy-edit query:

* Regular comments to qldoc * Improve naming * Update out-of-date documentation from earlier versions of the query
2026-05-03 12:45:27 +02:00 · 2021-11-09 10:31:30 +00:00
parent dda425ca8d
commit c18b11a470
2 changed files with 35 additions and 57 deletions
--- a/ql/src/experimental/CWE-090/LDAPinjection.ql
+++ b/ql/src/experimental/CWE-090/LDAPinjection.ql
@@ -13,6 +13,7 @@ import go
 import LDAPinjection
 import DataFlow::PathGraph

-from LdapVul config, DataFlow::PathNode source, DataFlow::PathNode sink
+from LdapInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "LDAP query parameter is derived from $@.", source.getNode(), "a user-provided value"
+select sink.getNode(), source, sink, "LDAP query parameter is derived from $@.", source.getNode(),
+  "a user-provided value"
--- a/ql/src/experimental/CWE-090/LDAPinjection.qll
+++ b/ql/src/experimental/CWE-090/LDAPinjection.qll
@@ -6,10 +6,9 @@ import DataFlow::PathGraph
 */
 abstract class LdapSanitizer extends DataFlow::Node { }

-/*
- * Some common sanitizer func
+/**
+ * A common sanitizer function. These are name-based heuristics only.
 */
-
 private class CommonLdapEscape extends LdapSanitizer {
  CommonLdapEscape() {
    exists(DataFlow::MethodCallNode m |
@@ -22,28 +21,16 @@ private class CommonLdapEscape extends LdapSanitizer {
  }
 }

-/*
- * The sanitizer func from `github.com/go-ldap/ldap` or `github.com/go-ldap/ldap/v3`
+/**
+ * An `EscapeFilter` function from the `go-ldap` or `ldap` packages.
 */
-
-private class GoLdapEscape extends LdapSanitizer {
-  GoLdapEscape() {
+private class EscapeFilterCall extends LdapSanitizer {
+  EscapeFilterCall() {
    exists(Function f |
-      f.hasQualifiedName(["github.com/go-ldap/ldap", "github.com/go-ldap/ldap/v3"], "EscapeFilter")
-    |
-      this = f.getACall()
-    )
-  }
-}
-
-/*
- * The Sanitizer func from gopkg.in/ldap.v2 or gopkg.in/ldap.v3
- */
-
-private class GopkgLdapEscape extends LdapSanitizer {
-  GopkgLdapEscape() {
-    exists(Function f |
-      f.hasQualifiedName(["gopkg.in/ldap.v2", "gopkg.in/ldap.v3"], "EscapeFilter")
+      f.hasQualifiedName([
+          "github.com/go-ldap/ldap", "github.com/go-ldap/ldap/v3", "gopkg.in/ldap.v2",
+          "gopkg.in/ldap.v3"
+        ], "EscapeFilter")
    |
      this = f.getACall()
    )
@@ -51,39 +38,29 @@ private class GopkgLdapEscape extends LdapSanitizer {
 }

 /**
- * The data flow sink of ldap inject.
+ * A sink that is vulnerable to LDAP injection vulnerabilities.
 */
 abstract class LdapSink extends DataFlow::Node { }

-/*
- * Ldap sink from github.com/go-ldap/ldap or github.com/go-ldap/ldap/v3 NewSearchRequest
+/**
+ * A vulnerable argument to `go-ldap` or `ldap`'s `NewSearchRequest` function.
 */
-
 private class GoLdapSink extends LdapSink {
  GoLdapSink() {
    exists(Function f |
-      f.hasQualifiedName(["github.com/go-ldap/ldap", "github.com/go-ldap/ldap/v3"],
-        "NewSearchRequest")
+      f.hasQualifiedName([
+          "github.com/go-ldap/ldap", "github.com/go-ldap/ldap/v3", "gopkg.in/ldap.v2",
+          "gopkg.in/ldap.v3"
+        ], "NewSearchRequest")
    |
      this = f.getACall().getArgument([0, 6, 7])
    )
  }
 }

-/*
- * Ldap sink from gopkg.in/ldap.v2 or gopkg.in/ldap.v3 NewSearchRequest
+/**
+ * A value written to the `ldap` package's `SearchRequest.BaseDN` field.
 */
-
-private class GopkgLdapSink extends LdapSink {
-  GopkgLdapSink() {
-    exists(Function f |
-      f.hasQualifiedName(["gopkg.in/ldap.v2", "gopkg.in/ldap.v3"], "NewSearchRequest")
-    |
-      this = f.getACall().getArgument([0, 6, 7])
-    )
-  }
-}
-
 private class LdapV2DNSink extends LdapSink {
  LdapV2DNSink() {
    exists(Field f, Write w |
@@ -93,22 +70,23 @@ private class LdapV2DNSink extends LdapSink {
  }
 }

-/*
- * Ldap sink from github.com/jtblin/go-ldap-client or github.com/jtblin/go-ldap-client Authenticate or GetGroupsOfUser
+/**
+ * An argument to `go-ldap-client`'s `LDAPClient.Authenticate` or `.GetGroupsOfUser` function.
 */
-
 private class LdapClientSink extends LdapSink {
  LdapClientSink() {
    exists(Method m |
-      m.hasQualifiedName("github.com/jtblin/go-ldap-client", "LDAPClient", "Authenticate")
-      or
-      m.hasQualifiedName("github.com/jtblin/go-ldap-client", "LDAPClient", "GetGroupsOfUser")
+      m.hasQualifiedName("github.com/jtblin/go-ldap-client", "LDAPClient",
+        ["Authenticate", "GetGroupsOfUser"])
    |
      this = m.getACall().getArgument(0)
    )
  }
 }

+/**
+ * A value written to `go-ldap-client`'s `LDAPClient.Base` field.
+ */
 private class LdapClientDNSink extends LdapSink {
  LdapClientDNSink() {
    exists(Field f, Write w |
@@ -118,17 +96,16 @@ private class LdapClientDNSink extends LdapSink {
  }
 }

-/*
- * A taint-tracking configuration for reasoning about when an UntrustedFlowSource
- * flows into a github.com/go-ldap/ldap newsearchrequest call.
+/**
+ * A taint-tracking configuration for reasoning about when an `UntrustedFlowSource`
+ * flows into an argument or field that is vulnerable to LDAP injection.
 */
-
-class LdapVul extends TaintTracking::Configuration {
-  LdapVul() { this = "Ldap inject" }
+class LdapInjectionConfiguration extends TaintTracking::Configuration {
+  LdapInjectionConfiguration() { this = "Ldap injection" }

  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink }

  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof LdapSanitizer }
-}
+}