Go: Add Improper LDAP Authentication query (CWE-287) #13366
Conversation
Hi @maikypedia, thank you for opening this pull request! Looking at the documentation for
Hi @mbg, I didn't realize that in v3 the empty-password option with Bind is disabled, sorry for the inconvenience.
Would it be worth adding
ping @mbg
Hi @maikypedia, sorry, I must have missed your question. Thank you for pinging me to bring this to my attention. For For
Your test isn't giving any results - it should be finding the bad cases. You may need to make sure that the test file builds correctly (try running go build in the directory that it is in to see what the errors are).
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
QHelp previews: go/ql/src/experimental/CWE-287/ImproperLdapAuth.qhelp

Improper LDAP Authentication

If an LDAP connection uses user-supplied data as the bind password, an attacker who supplies an empty password can trigger an unauthenticated (anonymous) bind, which the server reports as successful even though no credentials were verified.

Recommendation

Don't use user-supplied data as the bind password when establishing an LDAP connection. If a user-supplied password must be used, reject empty values before calling Bind.

Example

In the following example, the code accepts a bind password via an HTTP request in the variable bindPassword and passes it to Bind without checking it:

package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/go-ldap/ldap/v3" // assumed client library; the PR discussion refers to go-ldap v3
)

func bad(req *http.Request) {
	bindPassword := req.URL.Query()["password"][0]
	// Connect to the LDAP server
	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", "ldap.example.com", 389))
	if err != nil {
		log.Fatalf("Failed to connect to LDAP server: %v", err)
	}
	defer l.Close()
	// BAD: an empty bindPassword turns this into an anonymous bind
	err = l.Bind("cn=admin,dc=example,dc=com", bindPassword)
	if err != nil {
		log.Fatalf("LDAP bind failed: %v", err)
	}
}

In the following example, the code accepts a bind password via an HTTP request in the variable bindPassword but only calls Bind when the password is non-empty:

package main
import (
	"fmt"
	"log"
	"net/http"

	"github.com/go-ldap/ldap/v3" // assumed client library; the PR discussion refers to go-ldap v3
)

func good(req *http.Request) {
	bindPassword := req.URL.Query()["password"][0]
	// Connect to the LDAP server
	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", "ldap.example.com", 389))
	if err != nil {
		log.Fatalf("Failed to connect to LDAP server: %v", err)
	}
	defer l.Close()
	// GOOD: never bind with an empty password
	if bindPassword != "" {
		err = l.Bind("cn=admin,dc=example,dc=com", bindPassword)
		if err != nil {
			log.Fatalf("LDAP bind failed: %v", err)
		}
	}
}
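The query help above describes the failure mode in prose; the following is an added example (not code from the PR or from the CodeQL project) that makes it observable offline. It replaces the real LDAP server with a constructed fakeDirectory that follows the RFC 4513 unauthenticated-bind rule (non-empty DN plus empty password succeeds as an anonymous session), and puts the bad and good patterns from the help side by side as vulnerableBind and hardenedBind. The Binder interface, fakeDirectory, adminDN, ErrEmptyPassword and requestWithPassword are all assumed names introduced here. As the discussion in this PR notes, go-ldap v3 itself refuses Bind with an empty password, so the fake models the server-side behaviour that the query is guarding against rather than that client's current check.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Binder is the one LDAP operation the example needs. A real *ldap.Conn from
// go-ldap has a Bind method of this shape; the fake below stands in for it so
// the code runs offline. (Assumed abstraction, not part of the PR.)
type Binder interface {
	Bind(bindDN, password string) error
}

// fakeDirectory is a constructed stand-in for an LDAP server that follows
// RFC 4513 section 5.1.2: a bind with a non-empty DN and an empty password is
// an "unauthenticated bind", which succeeds but only yields anonymous access.
type fakeDirectory struct {
	passwords map[string]string // bind DN -> expected password
	LastAuth  string            // identity of the last successful bind
}

func (d *fakeDirectory) Bind(bindDN, password string) error {
	if password == "" {
		// The server does not consult the password store at all here; it
		// simply reports success and treats the session as anonymous.
		d.LastAuth = "anonymous"
		return nil
	}
	if stored, ok := d.passwords[bindDN]; ok && stored == password {
		d.LastAuth = bindDN
		return nil
	}
	d.LastAuth = ""
	return errors.New("invalid credentials")
}

// ErrEmptyPassword is returned by hardenedBind before any bind is attempted.
var ErrEmptyPassword = errors.New("empty bind password rejected")

const adminDN = "cn=admin,dc=example,dc=com"

// vulnerableBind mirrors the bad example from the query help: the value taken
// from the request goes straight into Bind, so a missing or empty "password"
// parameter produces a bind that the server reports as successful.
func vulnerableBind(dir Binder, req *http.Request) error {
	bindPassword := req.URL.Query().Get("password")
	return dir.Bind(adminDN, bindPassword)
}

// hardenedBind refuses to call Bind with an empty password. This is the check
// the query's good example performs, written so that the refusal is an error
// the caller can act on rather than a silently skipped bind.
func hardenedBind(dir Binder, req *http.Request) error {
	bindPassword := req.URL.Query().Get("password")
	if bindPassword == "" {
		return ErrEmptyPassword
	}
	return dir.Bind(adminDN, bindPassword)
}

// requestWithPassword builds a constructed GET request like the ones the
// examples read from; an empty pw models an attacker omitting the parameter.
func requestWithPassword(pw string) *http.Request {
	u := &url.URL{Scheme: "http", Host: "app.example", Path: "/login"}
	if pw != "" {
		u.RawQuery = url.Values{"password": {pw}}.Encode()
	}
	return &http.Request{Method: http.MethodGet, URL: u}
}

// newDirectory returns a fake directory with one constructed admin credential.
func newDirectory() *fakeDirectory {
	return &fakeDirectory{passwords: map[string]string{adminDN: "s3cret"}}
}

func main() {
	dir := newDirectory()
	for _, pw := range []string{"", "wrong", "s3cret"} {
		req := requestWithPassword(pw)
		dir.LastAuth = ""
		vErr := vulnerableBind(dir, req)
		vAuth := dir.LastAuth
		dir.LastAuth = ""
		hErr := hardenedBind(dir, req)
		hAuth := dir.LastAuth
		fmt.Printf("password=%q vulnerable: err=%v auth=%q | hardened: err=%v auth=%q\n",
			pw, vErr, vAuth, hErr, hAuth)
	}
}
```

Running it shows the distinction the query is looking for: with no password parameter, vulnerableBind returns nil while the fake records an anonymous session, whereas hardenedBind returns ErrEmptyPassword without touching the directory. Note that the good example in the query help skips the bind silently when the password is empty, which leaves the connection unbound for any later operations; returning an error, as hardenedBind does, makes that state impossible to overlook.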
Well done for generating stubs. You've actually put them in two places by mistake - you can remove all changes to go/vendor and keep the ones in the test folder. Your tests now generate the right results, but they will also generate some build errors because of missing return statements. Please address that and the rest of my previous review comments.
I don't know if I've forgotten something, I think that's all for now.
Please don't make any changes to go/vendor/modules.txt. Please add a package declaration and imports to make LdapAuthBad.go and LdapAuthGood.go valid go files.
Hi @owen-mc! Sorry for the delay, I had some exams these past weeks. In the example files of other experimental queries they do not include the imports of libraries that are not built in, should I leave it like that?
@maikypedia The reason for making these valid go files is so that
Your test is failing. It couldn't build the go file. I think there is a missing
Done :), thanks
/**
 * A LDAP connection node.
 */
abstract class LdapConn extends DataFlow::CallNode { }
I don't think this is ever used. If that is the case then please delete it.
Done
This pull request adds a query for Improper LDAP Authentication to prevent attackers from using an empty password. I am not very familiar with CodeQL Go, and I have been struggling to generate correct expected files.
Looking forward to your suggestions.