Skip to content

JS: Move LDAP injection out of experimental #6781

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 15 commits into from
Nov 2, 2021
Merged

JS: Move LDAP injection out of experimental #6781

merged 15 commits into from
Nov 2, 2021

Conversation

erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Sep 30, 2021
edited
Loading

I've added LDAP as a sink for js/sql-injection (it already has no-sql / graphql injection).

I've basically rewritten the entire thing, but each commit should be a logical step (they were the steps I took while porting).
There are some TODO's in some of the commits.

Evaluation on js/sql-injection looks fine.

(Internal: I'm using this PR to test a dca feature, ignore the backrefs).

@erik-krogh erik-krogh marked this pull request as ready for review October 1, 2021 08:03
@erik-krogh erik-krogh requested a review from a team as a code owner October 1, 2021 08:03
esbena
esbena reviewed Oct 27, 2021
View reviewed changes
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the LDAPXyzAbc casing througout this PR should be LdapXyzAbc in the name of (ql/javascript) consistency.

javascript/ql/lib/semmle/javascript/frameworks/LDAPjs.qll Outdated
SearchOptions() { call.getMethodName() = "search" and this = call.getParameter(1) }
}

/** A creation of an LDAPjs filter, or object containing a filter, that doesn't sanitizes the input. */
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "that doesn't sanitizes the input" bit is hard to derive from the LDAPFilterStep name. Cold the name include taint, somehow? TaintPreservingLDapFilterStep, NonSanitizingLDAPFilterStep...

Alternatively, we could keep the name, but add a default predicate:

  predicate sanitizing() { none() }

javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
}
}

import semmle.javascript.security.IncompleteBlacklistSanitizer as IncompleteBlacklistSanitizer
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't the autoformatter have moved this up?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it doesn't do that.
I got the import there because it's close to where the import is used.

@erik-krogh
Copy link
Contributor Author

I think the LDAPXyzAbc casing througout this PR should be LdapXyzAbc in the name of (ql/javascript) consistency.

I'm still mentioning the name of the library as LDAPjs in the documentation strings.
Because that's how they do it.

@erik-krogh erik-krogh mentioned this pull request Nov 2, 2021
Closed
@erik-krogh erik-krogh merged commit 54fba2d into github:main Nov 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@esbena esbena esbena approved these changes

Assignees
No one assigned
Labels
documentation JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@erik-krogh @esbena