Add empty string as source

go/ql/src/experimental/CWE-287/ImproperLdapAuth.qll

@@ -66,6 +66,12 @@ class EqualityAsSanitizerGuard extends LdapSanitizer {
   }
 }
 
+/**
+ */
+class EmptyString extends DataFlow::Node {
+  EmptyString() { this.asExpr().getStringValue() = "" }
+}
+
 /**
  * A taint-tracking configuration for reasoning about when an `UntrustedFlowSource`
  * flows into an argument or field that is vulnerable to Improper LDAP Authentication.
@@ -73,7 +79,9 @@ class EqualityAsSanitizerGuard extends LdapSanitizer {
 class ImproperLdapAuthConfiguration extends TaintTracking::Configuration {
   ImproperLdapAuthConfiguration() { this = "Improper LDAP Auth" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof UntrustedFlowSource or source instanceof EmptyString
+  }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink }
 

go/ql/test/experimental/CWE-287/ImproperLdapAuth.go

@@ -69,8 +69,31 @@ func good2(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	}
 }
 
+func bad2(req *http.Request) {
+	// LDAP server details
+	ldapServer := "ldap.example.com"
+	ldapPort := 389
+	bindDN := "cn=admin,dc=example,dc=com"
+	// BAD : empty password
+	bindPassword := ""
+
+	// Connect to the LDAP server
+	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
+	if err != nil {
+		log.Fatalf("Failed to connect to LDAP server: %v", err)
+	}
+	defer l.Close()
+
+	// BAD : bindPassword is empty
+	err = l.Bind(bindDN, bindPassword)
+	if err != nil {
+		log.Fatalf("LDAP bind failed: %v", err)
+	}
+}
+
 func main() {
 	bad(nil, nil)
 	good1(nil, nil)
 	good2(nil, nil)
+	bad2(nil, nil)
 }