Skip to content

Python: Add LDAP Injection query#5443

Merged
RasmusWL merged 35 commits intogithub:mainfrom
jorgectf:jorgectf/python/ldapInjection
May 26, 2021
Merged

Python: Add LDAP Injection query#5443
RasmusWL merged 35 commits intogithub:mainfrom
jorgectf:jorgectf/python/ldapInjection

Conversation

@jorgectf
Copy link
Contributor

@jorgectf jorgectf commented Mar 18, 2021
edited
Loading

Any suggestions/tricks to improve the query or workarounds (to learn), no matter how minimal they are, are massively appreciated.

@jorgectf jorgectf requested a review from a team as a code owner March 18, 2021 16:32
@jorgectf jorgectf mentioned this pull request Mar 18, 2021
Closed
1 task
@jorgectf

This comment has been minimized.

Sign in to view
jorgectf
jorgectf commented Mar 23, 2021
View reviewed changes
jorgectf
jorgectf commented Mar 23, 2021
View reviewed changes
python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql Outdated
Comment on lines +54 to +65
class EscapeSanitizer extends DataFlow::Node {
EscapeSanitizer() {
exists(Call c |
(
// avoid flow through any %escape% function
c.getFunc().(Attribute).getName().matches("%escape%") or // something.%escape%()
c.getFunc().(Name).getId().matches("%escape%") // %escape%()
) and
this.asExpr() = c
)
}
}
Copy link
Contributor Author

@jorgectf jorgectf Mar 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pending refactor. (Pending decision -> covering the specific methods of the libs or matching %sanitize% like this)

Copy link
Contributor

@mrthankyou mrthankyou Mar 26, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how the CodeQL team feels about it but if there are cases where a CodeQL query developer thinks that data is going to be sanitized by a sanitize-type function, should the FilterOrDNSanitizationCall predicate be extracted out so that it can be used in other queries and not just the LDAP Injection vulnerabilities?

@jorgectf jorgectf force-pushed the jorgectf/python/ldapInjection branch from 9902679 to 85ec82a Compare March 28, 2021 19:07
@jorgectf

This comment has been minimized.

Sign in to view
mrthankyou
mrthankyou reviewed Mar 29, 2021
View reviewed changes
jorgectf
jorgectf commented Mar 31, 2021
View reviewed changes
jorgectf
jorgectf commented Apr 8, 2021
View reviewed changes
python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected Outdated
Comment on lines +85 to +86
| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | a user-provided value |
Copy link
Contributor Author

@jorgectf jorgectf Apr 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refer to this discussion about the repeated result regarding unsafe_filter.

RasmusWL
RasmusWL reviewed May 5, 2021
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this looks like fine port of the query from Java/C#.

There are some minor things I would clean up before promoting this from experimental (like the examples for how proper escaping should look like being functional), but overall the code looks ok.

I'll get in touch privately to see how to we should proceed form here, since I know you're busy at the moment 👍

@RasmusWL RasmusWL self-assigned this May 5, 2021
@RasmusWL RasmusWL mentioned this pull request May 5, 2021
Merged
RasmusWL
RasmusWL reviewed May 7, 2021
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other minor things you could look at before we merge this PR is:

Just FYI, as discussed in #5680 (comment), you don't need to suffix everything with Node. For example, I would probably have called LDAPQuery.getLDAPNode for LDAPQuery.getQuery() (since just calling it LDAPQuery.getLDAP seems wrong), and LDAPEscape.getEscapeNode for LDAPEscape.getAnInput (again, since LDAPEscape.getEscape sounds strange)... but this is clearly just nitpicks, and something that will be easy to do if we promote this query out of experimental.

@jorgectf
Copy link
Contributor Author

jorgectf commented May 7, 2021

If you take a look at the non-experimental frameworks folder, you can see that our normal way of doing this is to create one .qll file for each package modeled

34b8af3

A few of the elements were missing QLDoc (we strive to add QLDoc to all publicly exposed elements). I added suggestions for adding these.

c2b96b3

you don't need to suffix everything with Node

6159fbe

@jorgectf jorgectf force-pushed the jorgectf/python/ldapInjection branch from 08be907 to 8665747 Compare May 8, 2021 16:09
RasmusWL
RasmusWL reviewed May 10, 2021
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making those last changes 👍 Besides fixing up the example of how to use escaping, and a few QLDocs that could be slightly improved, I think this PR looks good 💪

jorgectf and others added 2 commits May 21, 2021 16:17
@jorgectf @RasmusWL
Apply documentation suggestions
9e9678b 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
@jorgectf
Update tests and .expected
37d6ff7
@jorgectf jorgectf force-pushed the jorgectf/python/ldapInjection branch from ac55c76 to 37d6ff7 Compare May 21, 2021 16:41
RasmusWL
RasmusWL approved these changes May 26, 2021
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working through the last few things, I've resolved the merge conflict and made the autoformatter happy, so now we can merge this query 💪

@RasmusWL RasmusWL merged commit 795a1c7 into github:main May 26, 2021
@jorgectf
Copy link
Contributor Author

jorgectf commented May 26, 2021

Thanks for working through the last few things, I've resolved the merge conflict and made the autoformatter happy, so now we can merge this query 💪

Thanks for the fix and the merge :)

@jorgectf jorgectf mentioned this pull request Jun 16, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RasmusWL RasmusWL RasmusWL approved these changes

+1 more reviewer

@mrthankyou mrthankyou mrthankyou left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@RasmusWL RasmusWL

Labels

documentation Python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jorgectf @RasmusWL @mrthankyou