Add test file and .expected

2026-04-25 16:55:19 +02:00 · 2023-05-28 17:29:34 +02:00
parent d8bc818d5a
commit d45d046fa7
3 changed files with 95 additions and 0 deletions
--- a/ruby/ql/test/query-tests/experimental/LdapInjection/LdapInjection.rb
+++ b/ruby/ql/test/query-tests/experimental/LdapInjection/LdapInjection.rb
@@ -0,0 +1,66 @@
+class FooController < ActionController::Base
+  def some_request_handler
+    # A string tainted by user input is used directly as DN
+    # (i.e a remote flow source)
+    dc = params[:dc]
+
+    # A string tainted by user input is used directly as search filter or attribute
+    # (i.e a remote flow source)
+    name = params[:user_name]
+
+    # LDAP Connection
+    ldap = Net::LDAP.new(
+        host: 'ldap.example.com',
+        port: 636,
+        encryption: :simple_tls,
+        auth: {
+            method: :simple,
+            username: 'uid=admin,dc=example,dc=com',
+            password: 'adminpassword'
+        }
+    )
+
+    # BAD: user input is used as DN 
+    # where dc is unsanitized
+    ldap.search(base: "ou=people,dc=#{dc},dc=com", filter: "cn=George", attributes: [""])
+
+    # BAD: user input is used as search filter
+    # where name is unsanitized
+    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""])
+
+    # BAD: user input is used as attribute
+    # where name is unsanitized
+    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [name])
+
+    # BAD: user input is used as search filter
+    # where name is unsanitized
+    filter = Net::LDAP::Filter.eq('cn', name)
+    ldap.search(base: "ou=people,dc=example,dc=com", filter: filter, attributes: [""])
+
+    # GOOD: user input is not used in the LDAP query
+    result = ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [""])
+  end
+end
+
+class BarController < ApplicationController
+  def safe_paths
+    dc = params[:dc]
+    # GOOD: barrier guard prevents taint flow
+    if dc == "example"
+      base = "ou=people,dc=#{dc},dc=com"
+    else
+      base = "ou=people,dc=default,dc=com"
+    end
+    ldap.search(base: base, filter: "cn=George", attributes: [""])
+
+
+    name = params[:user_name]
+    # GOOD: barrier guard prevents taint flow
+    name = if ["George", "Nicolas"].include? name
+      name
+    else 
+      name = "Guest"
+    end
+    result = ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""])
+  end
+end
--- a/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected
+++ b/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected
@@ -0,0 +1,28 @@
+edges
+| LdapInjection.rb:5:5:5:6 | dc | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" |
+| LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:5:10:5:20 | ...[...] |
+| LdapInjection.rb:5:10:5:20 | ...[...] | LdapInjection.rb:5:5:5:6 | dc |
+| LdapInjection.rb:9:5:9:8 | name | LdapInjection.rb:29:62:29:73 | "cn=#{...}" |
+| LdapInjection.rb:9:5:9:8 | name | LdapInjection.rb:33:87:33:92 | call to [] |
+| LdapInjection.rb:9:5:9:8 | name | LdapInjection.rb:37:5:37:10 | filter |
+| LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:9:12:9:29 | ...[...] |
+| LdapInjection.rb:9:12:9:29 | ...[...] | LdapInjection.rb:9:5:9:8 | name |
+| LdapInjection.rb:37:5:37:10 | filter | LdapInjection.rb:38:62:38:67 | filter |
+nodes
+| LdapInjection.rb:5:5:5:6 | dc | semmle.label | dc |
+| LdapInjection.rb:5:10:5:15 | call to params | semmle.label | call to params |
+| LdapInjection.rb:5:10:5:20 | ...[...] | semmle.label | ...[...] |
+| LdapInjection.rb:9:5:9:8 | name | semmle.label | name |
+| LdapInjection.rb:9:12:9:17 | call to params | semmle.label | call to params |
+| LdapInjection.rb:9:12:9:29 | ...[...] | semmle.label | ...[...] |
+| LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | semmle.label | "ou=people,dc=#{...},dc=com" |
+| LdapInjection.rb:29:62:29:73 | "cn=#{...}" | semmle.label | "cn=#{...}" |
+| LdapInjection.rb:33:87:33:92 | call to [] | semmle.label | call to [] |
+| LdapInjection.rb:37:5:37:10 | filter | semmle.label | filter |
+| LdapInjection.rb:38:62:38:67 | filter | semmle.label | filter |
+subpaths
+#select
+| LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | This LDAP query depends on a $@. | LdapInjection.rb:5:10:5:15 | call to params | user-provided value |
+| LdapInjection.rb:29:62:29:73 | "cn=#{...}" | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:29:62:29:73 | "cn=#{...}" | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value |
+| LdapInjection.rb:33:87:33:92 | call to [] | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:33:87:33:92 | call to [] | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value |
+| LdapInjection.rb:38:62:38:67 | filter | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:38:62:38:67 | filter | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value |
--- a/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.qlref
+++ b/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.qlref
@@ -0,0 +1 @@
+experimental/ldap-injection/LdapInjection.ql
				`@@ -0,0 +1 @@`
				`experimental/ldap-injection/LdapInjection.ql`