
Query to detect LDAP injections in Java
Cleanup
ggolawski committed Jan 18, 2020
1 parent 95723b0 commit 00ee3d2
Showing 5 changed files with 18 additions and 22 deletions.
24 changes: 10 additions & 14 deletions java/ql/src/Security/CWE/CWE-90/LdapInjectionLib.qll
Expand Up @@ -6,7 +6,6 @@ import semmle.code.java.frameworks.UnboundId
import semmle.code.java.frameworks.SpringLdap
import semmle.code.java.frameworks.ApacheLdap


/** Holds if the parameter of `c` at index `paramIndex` is varargs. */
bindingset[paramIndex]
predicate isVarargs(Callable c, int paramIndex) {
Expand All @@ -20,8 +19,8 @@ abstract class LdapInjectionSource extends DataFlow::Node { }
abstract class LdapInjectionSink extends DataFlow::ExprNode { }

/**
* A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
*/
* A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
*/
class LdapInjectionFlowConfig extends TaintTracking::Configuration {
LdapInjectionFlowConfig() { this = "LdapInjectionFlowConfig" }

Expand Down Expand Up @@ -79,7 +78,7 @@ class JndiLdapInjectionSink extends LdapInjectionSink {
|
m.getDeclaringType().getAnAncestor() instanceof TypeDirContext and
m.hasName("search") and
index in [0..1]
index in [0 .. 1]
)
}
}
Expand Down Expand Up @@ -129,16 +128,13 @@ class SpringLdapInjectionSink extends LdapInjectionSink {
) and
(
// Parameter index is 1 (DN or query) or 2 (filter) if method is not authenticate
(
index in [0..1] and
not m instanceof MethodSpringLdapTemplateAuthenticate
) or
index in [0 .. 1] and
not m instanceof MethodSpringLdapTemplateAuthenticate
or
// But it's not the last parameter in case of authenticate method (last param is password)
(
index in [0..1] and
index < m.getNumberOfParameters() - 1 and
m instanceof MethodSpringLdapTemplateAuthenticate
)
index in [0 .. 1] and
index < m.getNumberOfParameters() - 1 and
m instanceof MethodSpringLdapTemplateAuthenticate
)
)
}
Expand Down Expand Up @@ -442,4 +438,4 @@ predicate apacheLdapDnGetStep(ExprNode n1, ExprNode n2) {
m.getDeclaringType().getAnAncestor() instanceof TypeApacheDn and
(m.hasName("getName") or m.hasName("getNormName") or m.hasName("toString"))
)
}
}
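Review bot: In the `SpringLdapInjectionSink` hunk the comment above the disjunction still says "Parameter index is 1 (DN or query) or 2 (filter)" while the condition right below it tests `index in [0 .. 1]`, so the comment and the code disagree on whether `index` is 0- or 1-based. The `index < m.getNumberOfParameters() - 1` comparison in the authenticate branch suggests `index` is the 0-based parameter position, in which case the comment should read `// Parameter index is 0 (DN or query) or 1 (filter) if method is not authenticate`. The un-parenthesised `A and B or C and D and E` form the commit introduces relies on `and` binding tighter than `or`, which is the QL precedence, so the rewrite itself looks behaviour-preserving. The enclosing predicate and the `SpringLdapInjectionSink` class start before this hunk.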
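--- a/java/ql/src/semmle/code/java/frameworks/ApacheLdap.qll
+++ b/java/ql/src/semmle/code/java/frameworks/ApacheLdap.qll
@@ -23,7 +23,5 @@ class TypeApacheSearchRequest extends Interface {
 
 /** The class `org.apache.directory.api.ldap.model.name.Dn`. */
 class TypeApacheDn extends Class {
-TypeApacheDn() {
-this.hasQualifiedName("org.apache.directory.api.ldap.model.name", "Dn")
-}
-}
+TypeApacheDn() { this.hasQualifiedName("org.apache.directory.api.ldap.model.name", "Dn") }
+}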
2 changes: 1 addition & 1 deletion java/ql/src/semmle/code/java/frameworks/Jndi.qll
Expand Up @@ -56,4 +56,4 @@ class MethodLdapNameToString extends Method {
getDeclaringType() instanceof TypeLdapName and
hasName("toString")
}
}
}
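--- a/java/ql/src/semmle/code/java/frameworks/SpringLdap.qll
+++ b/java/ql/src/semmle/code/java/frameworks/SpringLdap.qll
@@ -9,7 +9,9 @@ import semmle.code.java.Member
 /*--- Types ---*/
 /** The class `org.springframework.ldap.core.LdapTemplate`. */
 class TypeSpringLdapTemplate extends Class {
-TypeSpringLdapTemplate() { this.hasQualifiedName("org.springframework.ldap.core", "LdapTemplate") }
+TypeSpringLdapTemplate() {
+this.hasQualifiedName("org.springframework.ldap.core", "LdapTemplate")
+}
 }
 
 /** The class `org.springframework.ldap.query.LdapQueryBuilder`. */
@@ -188,4 +190,4 @@ class MethodSpringLdapUtilsNewLdapName extends Method {
 getDeclaringType() instanceof TypeSpringLdapUtils and
 hasName("newLdapName")
 }
-}
+}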
2 changes: 1 addition & 1 deletion java/ql/src/semmle/code/java/frameworks/UnboundId.qll
Expand Up @@ -110,4 +110,4 @@ class MethodUnboundIdLDAPConnectionSearchForEntry extends Method {
getDeclaringType() instanceof TypeUnboundIdLDAPConnection and
hasName("searchForEntry")
}
}
}
