Add Tests

go/ql/test/experimental/CWE-287/ImproperLdapAuth.expected

@@ -0,0 +1,14 @@
+edges
+| ImproperLdapAuth.go:18:18:18:24 | selection of URL | ImproperLdapAuth.go:18:18:18:32 | call to Query |
+| ImproperLdapAuth.go:18:18:18:32 | call to Query | ImproperLdapAuth.go:28:23:28:34 | bindPassword |
+| ImproperLdapAuth.go:80:18:80:19 | "" | ImproperLdapAuth.go:90:23:90:34 | bindPassword |
+nodes
+| ImproperLdapAuth.go:18:18:18:24 | selection of URL | semmle.label | selection of URL |
+| ImproperLdapAuth.go:18:18:18:32 | call to Query | semmle.label | call to Query |
+| ImproperLdapAuth.go:28:23:28:34 | bindPassword | semmle.label | bindPassword |
+| ImproperLdapAuth.go:80:18:80:19 | "" | semmle.label | "" |
+| ImproperLdapAuth.go:90:23:90:34 | bindPassword | semmle.label | bindPassword |
+subpaths
+#select
+| ImproperLdapAuth.go:28:23:28:34 | bindPassword | ImproperLdapAuth.go:18:18:18:24 | selection of URL | ImproperLdapAuth.go:28:23:28:34 | bindPassword | LDAP binding password depends on a $@. | ImproperLdapAuth.go:18:18:18:24 | selection of URL | user-provided value |
+| ImproperLdapAuth.go:90:23:90:34 | bindPassword | ImproperLdapAuth.go:80:18:80:19 | "" | ImproperLdapAuth.go:90:23:90:34 | bindPassword | LDAP binding password depends on a $@. | ImproperLdapAuth.go:80:18:80:19 | "" | user-provided value |

go/ql/test/experimental/CWE-287/ImproperLdapAuth.go

@@ -1,5 +1,7 @@
 package main
 
+//go:generate depstubber -vendor gopkg.in/ldap.v2 Conn Dial
+
 import (
 	"fmt"
 	"log"

go/ql/test/experimental/CWE-287/go.mod

@@ -1,3 +0,0 @@
-module github.com/go-ldap/ldap/v3
-
-go 1.19

go/ql/test/experimental/CWE-287/vendor/gopkg.in/ldap.v2/stub.go

@@ -0,0 +1,185 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for gopkg.in/ldap.v2, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: gopkg.in/ldap.v2 (exports: Conn; functions: Dial)
+
+// Package ldap is a stub of gopkg.in/ldap.v2, generated by depstubber.
+package ldap
+
+import (
+	tls "crypto/tls"
+	time "time"
+)
+
+type AddRequest struct {
+	DN         string
+	Attributes []Attribute
+}
+
+func (_ *AddRequest) Attribute(_ string, _ []string) {}
+
+type Attribute struct {
+	Type string
+	Vals []string
+}
+
+type Conn struct {
+	Debug interface{}
+}
+
+func (_ *Conn) Add(_ *AddRequest) error {
+	return nil
+}
+
+func (_ *Conn) Bind(_ string, _ string) error {
+	return nil
+}
+
+func (_ *Conn) Close() {}
+
+func (_ *Conn) Compare(_ string, _ string, _ string) (bool, error) {
+	return false, nil
+}
+
+func (_ *Conn) Del(_ *DelRequest) error {
+	return nil
+}
+
+func (_ *Conn) Modify(_ *ModifyRequest) error {
+	return nil
+}
+
+func (_ *Conn) PasswordModify(_ *PasswordModifyRequest) (*PasswordModifyResult, error) {
+	return nil, nil
+}
+
+func (_ *Conn) Search(_ *SearchRequest) (*SearchResult, error) {
+	return nil, nil
+}
+
+func (_ *Conn) SearchWithPaging(_ *SearchRequest, _ uint32) (*SearchResult, error) {
+	return nil, nil
+}
+
+func (_ *Conn) SetTimeout(_ time.Duration) {}
+
+func (_ *Conn) SimpleBind(_ *SimpleBindRequest) (*SimpleBindResult, error) {
+	return nil, nil
+}
+
+func (_ *Conn) Start() {}
+
+func (_ *Conn) StartTLS(_ *tls.Config) error {
+	return nil
+}
+
+type Control interface {
+	Encode() interface{}
+	GetControlType() string
+	String() string
+}
+
+type DelRequest struct {
+	DN       string
+	Controls []Control
+}
+
+func Dial(_ string, _ string) (*Conn, error) {
+	return nil, nil
+}
+
+type Entry struct {
+	DN         string
+	Attributes []*EntryAttribute
+}
+
+func (_ *Entry) GetAttributeValue(_ string) string {
+	return ""
+}
+
+func (_ *Entry) GetAttributeValues(_ string) []string {
+	return nil
+}
+
+func (_ *Entry) GetRawAttributeValue(_ string) []byte {
+	return nil
+}
+
+func (_ *Entry) GetRawAttributeValues(_ string) [][]byte {
+	return nil
+}
+
+func (_ *Entry) PrettyPrint(_ int) {}
+
+func (_ *Entry) Print() {}
+
+type EntryAttribute struct {
+	Name       string
+	Values     []string
+	ByteValues [][]byte
+}
+
+func (_ *EntryAttribute) PrettyPrint(_ int) {}
+
+func (_ *EntryAttribute) Print() {}
+
+type ModifyRequest struct {
+	DN                string
+	AddAttributes     []PartialAttribute
+	DeleteAttributes  []PartialAttribute
+	ReplaceAttributes []PartialAttribute
+}
+
+func (_ *ModifyRequest) Add(_ string, _ []string) {}
+
+func (_ *ModifyRequest) Delete(_ string, _ []string) {}
+
+func (_ *ModifyRequest) Replace(_ string, _ []string) {}
+
+type PartialAttribute struct {
+	Type string
+	Vals []string
+}
+
+type PasswordModifyRequest struct {
+	UserIdentity string
+	OldPassword  string
+	NewPassword  string
+}
+
+type PasswordModifyResult struct {
+	GeneratedPassword string
+}
+
+type SearchRequest struct {
+	BaseDN       string
+	Scope        int
+	DerefAliases int
+	SizeLimit    int
+	TimeLimit    int
+	TypesOnly    bool
+	Filter       string
+	Attributes   []string
+	Controls     []Control
+}
+
+type SearchResult struct {
+	Entries   []*Entry
+	Referrals []string
+	Controls  []Control
+}
+
+func (_ *SearchResult) PrettyPrint(_ int) {}
+
+func (_ *SearchResult) Print() {}
+
+type SimpleBindRequest struct {
+	Username string
+	Password string
+	Controls []Control
+}
+
+type SimpleBindResult struct {
+	Controls []Control
+}

go/ql/test/experimental/CWE-287/vendor/modules.txt

@@ -0,0 +1,6 @@
+# gopkg.in/ldap.v2 v2.5.1
+## explicit
+gopkg.in/ldap.v2
+# gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d
+## explicit
+gopkg.in/asn1-ber.v1

go/vendor/gopkg.in/ldap.v2/stub.go

@@ -0,0 +1,185 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for gopkg.in/ldap.v2, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: gopkg.in/ldap.v2 (exports: Conn; functions: Dial)
+
+// Package ldap is a stub of gopkg.in/ldap.v2, generated by depstubber.
+package ldap
+
+import (
+	tls "crypto/tls"
+	time "time"
+)
+
+type AddRequest struct {
+	DN         string
+	Attributes []Attribute
+}
+
+func (_ *AddRequest) Attribute(_ string, _ []string) {}
+
+type Attribute struct {
+	Type string
+	Vals []string
+}
+
+type Conn struct {
+	Debug interface{}
+}
+
+func (_ *Conn) Add(_ *AddRequest) error {
+	return nil
+}
+
+func (_ *Conn) Bind(_ string, _ string) error {
+	return nil
+}
+
+func (_ *Conn) Close() {}
+
+func (_ *Conn) Compare(_ string, _ string, _ string) (bool, error) {
+	return false, nil
+}
+
+func (_ *Conn) Del(_ *DelRequest) error {
+	return nil
+}
+
+func (_ *Conn) Modify(_ *ModifyRequest) error {
+	return nil
+}
+
+func (_ *Conn) PasswordModify(_ *PasswordModifyRequest) (*PasswordModifyResult, error) {
+	return nil, nil
+}
+
+func (_ *Conn) Search(_ *SearchRequest) (*SearchResult, error) {
+	return nil, nil
+}
+
+func (_ *Conn) SearchWithPaging(_ *SearchRequest, _ uint32) (*SearchResult, error) {
+	return nil, nil
+}
+
+func (_ *Conn) SetTimeout(_ time.Duration) {}
+
+func (_ *Conn) SimpleBind(_ *SimpleBindRequest) (*SimpleBindResult, error) {
+	return nil, nil
+}
+
+func (_ *Conn) Start() {}
+
+func (_ *Conn) StartTLS(_ *tls.Config) error {
+	return nil
+}
+
+type Control interface {
+	Encode() interface{}
+	GetControlType() string
+	String() string
+}
+
+type DelRequest struct {
+	DN       string
+	Controls []Control
+}
+
+func Dial(_ string, _ string) (*Conn, error) {
+	return nil, nil
+}
+
+type Entry struct {
+	DN         string
+	Attributes []*EntryAttribute
+}
+
+func (_ *Entry) GetAttributeValue(_ string) string {
+	return ""
+}
+
+func (_ *Entry) GetAttributeValues(_ string) []string {
+	return nil
+}
+
+func (_ *Entry) GetRawAttributeValue(_ string) []byte {
+	return nil
+}
+
+func (_ *Entry) GetRawAttributeValues(_ string) [][]byte {
+	return nil
+}
+
+func (_ *Entry) PrettyPrint(_ int) {}
+
+func (_ *Entry) Print() {}
+
+type EntryAttribute struct {
+	Name       string
+	Values     []string
+	ByteValues [][]byte
+}
+
+func (_ *EntryAttribute) PrettyPrint(_ int) {}
+
+func (_ *EntryAttribute) Print() {}
+
+type ModifyRequest struct {
+	DN                string
+	AddAttributes     []PartialAttribute
+	DeleteAttributes  []PartialAttribute
+	ReplaceAttributes []PartialAttribute
+}
+
+func (_ *ModifyRequest) Add(_ string, _ []string) {}
+
+func (_ *ModifyRequest) Delete(_ string, _ []string) {}
+
+func (_ *ModifyRequest) Replace(_ string, _ []string) {}
+
+type PartialAttribute struct {
+	Type string
+	Vals []string
+}
+
+type PasswordModifyRequest struct {
+	UserIdentity string
+	OldPassword  string
+	NewPassword  string
+}
+
+type PasswordModifyResult struct {
+	GeneratedPassword string
+}
+
+type SearchRequest struct {
+	BaseDN       string
+	Scope        int
+	DerefAliases int
+	SizeLimit    int
+	TimeLimit    int
+	TypesOnly    bool
+	Filter       string
+	Attributes   []string
+	Controls     []Control
+}
+
+type SearchResult struct {
+	Entries   []*Entry
+	Referrals []string
+	Controls  []Control
+}
+
+func (_ *SearchResult) PrettyPrint(_ int) {}
+
+func (_ *SearchResult) Print() {}
+
+type SimpleBindRequest struct {
+	Username string
+	Password string
+	Controls []Control
+}
+
+type SimpleBindResult struct {
+	Controls []Control
+}

go/vendor/modules.txt

@@ -1,27 +1,12 @@
 # golang.org/x/mod v0.8.0
-## explicit; go 1.17
-golang.org/x/mod/internal/lazyregexp
-golang.org/x/mod/modfile
-golang.org/x/mod/module
-golang.org/x/mod/semver
-# golang.org/x/sys v0.5.0
-## explicit; go 1.17
-golang.org/x/sys/execabs
+## explicit
+golang.org/x/mod
 # golang.org/x/tools v0.6.0
-## explicit; go 1.18
-golang.org/x/tools/go/gcexportdata
-golang.org/x/tools/go/internal/packagesdriver
-golang.org/x/tools/go/packages
-golang.org/x/tools/internal/event
-golang.org/x/tools/internal/event/core
-golang.org/x/tools/internal/event/keys
-golang.org/x/tools/internal/event/label
-golang.org/x/tools/internal/gcimporter
-golang.org/x/tools/internal/gocommand
-golang.org/x/tools/internal/packagesinternal
-golang.org/x/tools/internal/pkgbits
-golang.org/x/tools/internal/tokeninternal
-golang.org/x/tools/internal/typeparams
-golang.org/x/tools/internal/typesinternal
+## explicit
+golang.org/x/tools
+# golang.org/x/sys v0.5.0
+## explicit
+golang.org/x/sys
 # golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
-## explicit; go 1.11
+## explicit
+golang.org/x/xerrors