From 1f4c1147d3c73c940bc0748a040bc6c5a8fff8fe Mon Sep 17 00:00:00 2001
From: erik-krogh
Date: Sat, 27 Jan 2024 19:46:31 +0100
Subject: [PATCH] FOOBAR
---
.../Security/CWE-522/LdapInsecureAuth.qhelp | 23 ----
.../Security/CWE-522/LdapInsecureAuth.ql | 20 ----
.../python/security/LdapInsecureAuth.qll | 107 ------------------
.../LdapInsecureAuth.expected | 4 -
.../CWE-522/LdapInsecureAuth.expected | 36 ------
5 files changed, 190 deletions(-)
delete mode 100644 python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.qhelp
delete mode 100644 python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.ql
delete mode 100644 python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected
delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected
diff --git a/python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.qhelp b/python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.qhelp
deleted file mode 100644
index 9033697fd5996..0000000000000
--- a/python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.qhelp
+++ /dev/null
@@ -1,23 +0,0 @@
- - - - -

Failing to ensure the utilization of SSL in an LDAP connection can cause the entire communication -to be sent in cleartext making it easier for an attacker to intercept it.

-
- - -

Always set use_SSL to True, call start_tls_s() or set a proper option flag (ldap.OPT_X_TLS_XXXXXX).

-
- - -

This example shows both good and bad ways to deal with this issue under Python 3.

- -

The first one sets use_SSL to true as a keyword argument whereas the second one fails to provide a value for it, so -the default one is used (False).

- -
- -
diff --git a/python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.ql b/python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.ql
deleted file mode 100644
index 8b72780d91a89..0000000000000
--- a/python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.ql
+++ /dev/null
@@ -1,20 +0,0 @@
-/**
- * @name Python Insecure LDAP Authentication
- * @description Python LDAP Insecure LDAP Authentication
- * @kind path-problem
- * @problem.severity error
- * @id py/insecure-ldap-auth
- * @tags security
- * experimental
- * external/cwe/cwe-522
- * external/cwe/cwe-523
- */
- - // determine precision above
-import python
-import experimental.semmle.python.security.LdapInsecureAuth
-import LdapInsecureAuthFlow::PathGraph
-
-from LdapInsecureAuthFlow::PathNode source, LdapInsecureAuthFlow::PathNode sink
-where LdapInsecureAuthFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "This LDAP host is authenticated insecurely."
diff --git a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
deleted file mode 100644
index e8249dcdff731..0000000000000
--- a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * Provides a taint-tracking configuration for detecting LDAP injection vulnerabilities
- */
-
-import python
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-import semmle.python.dataflow.new.RemoteFlowSources
-import experimental.semmle.python.Concepts
-
-string getFullHostRegex() { result = "(?i)ldap://.+" }
-
-string getSchemaRegex() { result = "(?i)ldap(://)?" }
-
-string getPrivateHostRegex() {
- result =
- "(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?"
-}
-
-// "ldap://somethingon.theinternet.com"
-class LdapFullHost extends StrConst {
- LdapFullHost() {
- exists(string s |
- s = this.getText() and
- s.regexpMatch(getFullHostRegex()) and
- // check what comes after the `ldap://` prefix
- not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())
- )
- }
-}
-
-class LdapSchema extends StrConst {
- LdapSchema() { this.getText().regexpMatch(getSchemaRegex()) }
-}
-
-class LdapPrivateHost extends StrConst {
- LdapPrivateHost() { this.getText().regexpMatch(getPrivateHostRegex()) }
-}
-
-predicate concatAndCompareAgainstFullHostRegex(LdapSchema schema, StrConst host) {
- not host instanceof LdapPrivateHost and
- (schema.getText() + host.getText()).regexpMatch(getFullHostRegex())
-}
-
-// "ldap://" + "somethingon.theinternet.com"
-class LdapBothStrings extends BinaryExpr {
- LdapBothStrings() { concatAndCompareAgainstFullHostRegex(this.getLeft(), this.getRight()) }
-}
-
-// schema + host
-class LdapBothVar extends BinaryExpr {
- LdapBothVar() {
- exists(SsaVariable schemaVar, SsaVariable hostVar |
- this.getLeft() = schemaVar.getVariable().getALoad() and // getAUse is incompatible with Expr
- this.getRight() = hostVar.getVariable().getALoad() and
- concatAndCompareAgainstFullHostRegex(schemaVar
- .getDefinition()
- .getImmediateDominator()
- .getNode(), hostVar.getDefinition().getImmediateDominator().getNode())
- )
- }
-}
-
-// schema + "somethingon.theinternet.com"
-class LdapVarString extends BinaryExpr {
- LdapVarString() {
- exists(SsaVariable schemaVar |
- this.getLeft() = schemaVar.getVariable().getALoad() and
- concatAndCompareAgainstFullHostRegex(schemaVar
- .getDefinition()
- .getImmediateDominator()
- .getNode(), this.getRight())
- )
- }
-}
-
-// "ldap://" + host
-class LdapStringVar extends BinaryExpr {
- LdapStringVar() {
- exists(SsaVariable hostVar |
- this.getRight() = hostVar.getVariable().getALoad() and
- concatAndCompareAgainstFullHostRegex(this.getLeft(),
- hostVar.getDefinition().getImmediateDominator().getNode())
- )
- }
-}
-
-/**
- * A taint-tracking configuration for detecting LDAP insecure authentications.
- */
-private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) {
- source instanceof RemoteFlowSource or
- source.asExpr() instanceof LdapFullHost or
- source.asExpr() instanceof LdapBothStrings or
- source.asExpr() instanceof LdapBothVar or
- source.asExpr() instanceof LdapVarString or
- source.asExpr() instanceof LdapStringVar
- }
-
- predicate isSink(DataFlow::Node sink) {
- exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
- }
-}
-
-/** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
-module LdapInsecureAuthFlow = TaintTracking::Global;
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected
deleted file mode 100644
index e217064d1dfc0..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected
+++ /dev/null
@@ -1,4 +0,0 @@
-edges
-nodes
-subpaths
-#select
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected
deleted file mode 100644
index a4c97c8ead7c5..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected
+++ /dev/null
@@ -1,36 +0,0 @@
-edges
-| ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:2:19:2:25 | ControlFlowNode for request |
-| ldap3_remote.py:2:19:2:25 | ControlFlowNode for request | ldap3_remote.py:138:21:138:27 | ControlFlowNode for request |
-| ldap3_remote.py:101:5:101:8 | ControlFlowNode for host | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host |
-| ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:101:5:101:8 | ControlFlowNode for host |
-| ldap3_remote.py:114:5:114:8 | ControlFlowNode for host | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host |
-| ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:114:5:114:8 | ControlFlowNode for host |
-| ldap3_remote.py:126:5:126:8 | ControlFlowNode for host | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host |
-| ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:126:5:126:8 | ControlFlowNode for host |
-| ldap3_remote.py:138:5:138:8 | ControlFlowNode for host | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host |
-| ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | ldap3_remote.py:138:5:138:8 | ControlFlowNode for host |
-nodes
-| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
-| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
-| ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| ldap3_remote.py:2:19:2:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap3_remote.py:101:5:101:8 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
-| ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
-| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
-| ldap3_remote.py:114:5:114:8 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
-| ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
-| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
-| ldap3_remote.py:126:5:126:8 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
-| ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
-| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
-| ldap3_remote.py:138:5:138:8 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
-| ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
-subpaths
-#select
-| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. |
-| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. |
-| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
-| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
-| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
-| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |