Add InsecureLdapUrlSink

2026-04-28 10:15:14 +02:00 · 2023-03-17 11:36:12 -04:00
parent 24d4859149
commit f28f1af5a4
2 changed files with 17 additions and 20 deletions
--- a/java/ql/lib/semmle/code/java/security/InsecureLdapAuth.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureLdapAuth.qll
@@ -1,6 +1,7 @@
 /** Provides classes to reason about insecure LDAP authentication. */

 import java
+private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.frameworks.Networking
 private import semmle.code.java.frameworks.Jndi

@@ -113,3 +114,12 @@ predicate isSslEnv(MethodAccess ma) {
  hasFieldValueEnv(ma, "java.naming.security.protocol", "ssl") or
  hasFieldNameEnv(ma, "SECURITY_PROTOCOL", "ssl")
 }
+
+class InsecureLdapUrlSink extends DataFlow::Node {
+  InsecureLdapUrlSink() {
+    exists(ConstructorCall cc |
+      cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
+      this.asExpr() = cc.getArgument(0)
+    )
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
@@ -12,12 +12,7 @@ import semmle.code.java.security.InsecureLdapAuth
 private module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof InsecureLdapUrl }

-  predicate isSink(DataFlow::Node sink) {
-    exists(ConstructorCall cc |
-      cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
-      sink.asExpr() = cc.getArgument(0)
-    )
-  }
+  predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }

  /** Method call of `env.put()`. */
  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
@@ -37,16 +32,12 @@ module InsecureLdapUrlFlow = TaintTracking::Make<InsecureLdapUrlConfig>;
 private module BasicAuthConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) {
    exists(MethodAccess ma |
-      isBasicAuthEnv(ma) and ma.getQualifier() = src.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
+      isBasicAuthEnv(ma) and
+      ma.getQualifier() = src.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
    )
  }

-  predicate isSink(DataFlow::Node sink) {
-    exists(ConstructorCall cc |
-      cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
-      sink.asExpr() = cc.getArgument(0)
-    )
-  }
+  predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
 }

 module BasicAuthFlow = DataFlow::Make<BasicAuthConfig>;
@@ -57,16 +48,12 @@ module BasicAuthFlow = DataFlow::Make<BasicAuthConfig>;
 private module RequiresSslConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) {
    exists(MethodAccess ma |
-      isSslEnv(ma) and ma.getQualifier() = src.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
+      isSslEnv(ma) and
+      ma.getQualifier() = src.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
    )
  }

-  predicate isSink(DataFlow::Node sink) {
-    exists(ConstructorCall cc |
-      cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
-      sink.asExpr() = cc.getArgument(0)
-    )
-  }
+  predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
 }

 module RequiresSslFlow = DataFlow::Make<RequiresSslConfig>;