Python: Make LDAP global options test better

Before, it didn't really showcase that we know it can make connections
secure.
This commit is contained in:
Rasmus Wriedt Larsen
2021-09-23 10:18:18 +02:00
parent 70489b2fc2
commit ef6e502ff0
4 changed files with 11 additions and 3 deletions


@@ -0,0 +1,4 @@
edges
nodes
subpaths
#select


@@ -0,0 +1 @@
experimental/Security/CWE-522/LDAPInsecureAuth.ql


@@ -1,3 +1,6 @@
# since global options are considered to affect all files in a repo, we need to keep
# this test in its' own directory (so it doesn't interfere with other tests).
import ldap
from flask import request, Flask
@@ -7,11 +10,13 @@ app = Flask(__name__)
# SSL through ldap global variable option
ldap.set_option(ldap.OPT_X_TLS_NEVER)
ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
@app.route("/one")
def one():
# The following connection would have been insecure if the global option above was
# not set
ldap_connection_5 = ldap.initialize("ldap://somethingon.theinternet.com")
ldap_connection_5.simple_bind_s('', '')
user = ldap_connection_5.search_s(
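Review bot: `ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)` on the new side of the second hunk does not match the python-ldap API: `OPT_X_TLS_DEMAND` is a value for the `OPT_X_TLS_REQUIRE_CERT` option rather than an option itself, so code in the wild would read `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)`; if the query's modeling keys only on the constant name the expected output still holds, but a fixture that mirrors the real call is what the query will actually encounter. The new comment that the connection "would have been insecure if the global option above was not set" also overstates what this option does: it governs certificate verification once TLS is negotiated, and with a plain `ldap://` URI and no `start_tls_s()` call the `simple_bind_s('', '')` on the following line still sends the bind in the clear, so a note such as `# NOTE: OPT_X_TLS_REQUIRE_CERT only controls certificate checking; the bind below stays plaintext unless the URI is ldaps:// or start_tls_s() runs first` would keep the fixture honest about the threat it models. The first hunk's comment carries a stray apostrophe in `its' own directory` (`its own`). The enclosing function `one()` continues past the end of the hunk.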


@@ -6,7 +6,6 @@ edges
| ldap3_remote.py:138:21:138:32 | ControlFlowNode for Attribute | ldap3_remote.py:138:21:138:40 | ControlFlowNode for Subscript |
| ldap3_remote.py:138:21:138:40 | ControlFlowNode for Subscript | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host |
nodes
| ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
@@ -21,7 +20,6 @@ nodes
| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
subpaths
#select
| ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | $@ is authenticated insecurely. | ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | This LDAP host |
| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | $@ is authenticated insecurely. | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | This LDAP host |
| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | $@ is authenticated insecurely. | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | This LDAP host |
| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | $@ is authenticated insecurely. | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host |