Revert "Add "" and nil as sources"

This reverts commit 664c1eba72.
2026-04-27 17:55:19 +02:00 · 2023-08-25 15:23:55 +02:00
parent 664c1eba72
commit ffd618d6cc
4 changed files with 2 additions and 65 deletions
--- a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthCustomizations.qll
@@ -27,22 +27,6 @@ module ImproperLdapAuth {
   */
  private class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }

-  /**
-   * A source of empty input, considered as a flow source.
-   */
-  private class EmptySourceAsSource extends Source, EmptySource { }
-
-  class EmptySource extends DataFlow::Node {
-    /** Gets a string that describes the type of this remote flow source. */
-    EmptySource() {
-      (
-        this.getConstantValue().isStringlikeValue("")
-        or
-        this.(DataFlow::ExprNode).getConstantValue().isNil()
-      )
-    }
-  }
-
  /**
   * An LDAP query execution considered as a flow sink.
   */
@@ -60,6 +44,5 @@ module ImproperLdapAuth {
   * sanitizer-guard.
   */
  private class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
-    StringConstArrayInclusionCallBarrier
-  { }
+    StringConstArrayInclusionCallBarrier { }
 }
--- a/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql
+++ b/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql
@@ -17,4 +17,4 @@ import DataFlow::PathGraph
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This LDAP authencation depends on a $@.", source.getNode(),
-  "user-provided value or the password is empty"
+  "user-provided value"
--- a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected
+++ b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected
@@ -5,10 +5,6 @@ edges
 | ImproperLdapAuth.rb:24:5:24:8 | pass | ImproperLdapAuth.rb:31:24:31:27 | pass |
 | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:24:12:24:24 | ...[...] |
 | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | ImproperLdapAuth.rb:24:5:24:8 | pass |
-| ImproperLdapAuth.rb:37:5:37:8 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass |
-| ImproperLdapAuth.rb:37:12:37:14 | nil | ImproperLdapAuth.rb:37:5:37:8 | pass |
-| ImproperLdapAuth.rb:55:5:55:8 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass |
-| ImproperLdapAuth.rb:55:12:55:13 | "" | ImproperLdapAuth.rb:55:5:55:8 | pass |
 nodes
 | ImproperLdapAuth.rb:5:5:5:8 | pass | semmle.label | pass |
 | ImproperLdapAuth.rb:5:12:5:17 | call to params | semmle.label | call to params |
@@ -18,17 +14,7 @@ nodes
 | ImproperLdapAuth.rb:24:12:24:17 | call to params | semmle.label | call to params |
 | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | semmle.label | ...[...] |
 | ImproperLdapAuth.rb:31:24:31:27 | pass | semmle.label | pass |
-| ImproperLdapAuth.rb:37:5:37:8 | pass | semmle.label | pass |
-| ImproperLdapAuth.rb:37:12:37:14 | nil | semmle.label | nil |
-| ImproperLdapAuth.rb:47:23:47:26 | pass | semmle.label | pass |
-| ImproperLdapAuth.rb:55:5:55:8 | pass | semmle.label | pass |
-| ImproperLdapAuth.rb:55:12:55:13 | "" | semmle.label | "" |
-| ImproperLdapAuth.rb:62:24:62:27 | pass | semmle.label | pass |
 subpaths
 #select
 | ImproperLdapAuth.rb:15:23:15:26 | pass | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:15:23:15:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:5:12:5:17 | call to params | user-provided value |
 | ImproperLdapAuth.rb:31:24:31:27 | pass | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:31:24:31:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:24:12:24:17 | call to params | user-provided value |
-| ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:37:12:37:14 | nil | ImproperLdapAuth.rb:47:23:47:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:37:12:37:14 | nil | user-provided value |
-| ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:47:23:47:26 | pass | user-provided value |
-| ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:55:12:55:13 | "" | ImproperLdapAuth.rb:62:24:62:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:55:12:55:13 | "" | user-provided value |
-| ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:62:24:62:27 | pass | user-provided value |
--- a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb
+++ b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb
@@ -31,38 +31,6 @@ class FooController < ActionController::Base
    ldap.auth "admin", pass
    ldap.bind
  end
-
-  def some_request_handler
-    # An empty password is used 
-    pass = nil
-
-    # BAD: empty password
-    ldap = Net::LDAP.new(
-        host: 'ldap.example.com',
-        port: 636,
-        encryption: :simple_tls,
-        auth: {
-            method: :simple,
-            username: 'uid=admin,dc=example,dc=com',
-            password: pass
-        }
-    )
-    ldap.bind
-  end
-
-  def some_request_handler
-    # An empty password is used 
-    pass = ""
-
-    # BAD: empty password
-    ldap = Net::LDAP.new
-    ldap.host = your_server_ip_address
-    ldap.encryption(:method => :simple_tls)
-    ldap.port = 639
-    ldap.auth "admin", pass
-    ldap.bind
-  end
-
 end

 class BarController < ApplicationController