[Go]: Add Improper LDAP Authentication query

[maikypedia]

Query PR

github/codeql#13366

Language

GoLang

CVE(s) ID list

• CVE-2017-14623

CWE

CWE-287

Report

This query covers Improper LDAP Authentication, that con occur when an application uses user-supplied data to establish a connection to a LDAP server.

I used a dataflow configuration looking for UntrustedFlowSource flowing to the password used in LDAP binding.

In order to avoid false positives I used RegexpCheck and equalityAsSanitizerGuard as barriers. For equalityAsSanitizerGuard I have taken as an example the equalityAsSanitizerGuard used in SSRF query. The difference here is that the query will consider whether the string to be compared is empty or not (this should avoid several possible FP)

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

• Yes
• No

Blog post link

No response

[jorgectf]

👋 @maikypedia

Thank you for your contribution!

This reminds me of github/codeql#5444, but using user-controlled data instead 🚀
What do you think about also adding an empty string as a source in your query (like this)?

[maikypedia]

Hi 👋 @jorgectf, done here 😃 .

[jorgectf]

Hi 👋 @jorgectf, done here 😃 .

🎉

Could you address github/codeql#13366 (comment)? It seems that your query should catch UnauthenticatedBind instead of Bind.

[maikypedia]

Hi @jorgectf , I didn't realize that in v3 empty password option with Bind is disabled, sorry for the inconvenience 😅

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[maikypedia]

Due to the fact that LDAP version 3 is not vulnerable, it will not be included in the query. However, the reviewer has said that it would make sense to add v2 to the query instead. 😄

[maikypedia]

Sorry for the delay, it has already been rewritten :)

[ghsecuritylab]

Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Created Hackerone report 2250587 for bounty 530077 : [762] [Go]: Add Improper LDAP Authentication query

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed