Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python: Add LDAP Injection query #5443

Merged
merged 35 commits into from
May 26, 2021
Merged

Python: Add LDAP Injection query #5443

merged 35 commits into from
May 26, 2021

Conversation

jorgectf
Copy link
Contributor

@jorgectf jorgectf commented Mar 18, 2021
edited
Loading

Any suggestions/tricks to improve the query or workarounds (to learn), no matter how minimal they are, are massively appreciated.

@jorgectf jorgectf requested a review from a team as a code owner March 18, 2021 16:32
@jorgectf jorgectf mentioned this pull request Mar 18, 2021
Closed
1 task
@jorgectf

This comment has been minimized.

Sign in to view
jorgectf
jorgectf commented Mar 23, 2021
View reviewed changes
python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql Outdated
Comment on lines 54 to 65
class EscapeSanitizer extends DataFlow::Node {
EscapeSanitizer() {
exists(Call c |
(
// avoid flow through any %escape% function
c.getFunc().(Attribute).getName().matches("%escape%") or // something.%escape%()
c.getFunc().(Name).getId().matches("%escape%") // %escape%()
) and
this.asExpr() = c
)
}
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pending refactor. (Pending decision -> covering the specific methods of the libs or matching %sanitize% like this)

Copy link
Contributor

@mrthankyou mrthankyou Mar 26, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how the CodeQL team feels about it but if there are cases where a CodeQL query developer thinks that data is going to be sanitized by a sanitize-type function, should the FilterOrDNSanitizationCall predicate be extracted out so that it can be used in other queries and not just the LDAP Injection vulnerabilities?

@jorgectf jorgectf force-pushed the jorgectf/python/ldapInjection branch from 9902679 to 85ec82a Compare March 28, 2021 19:07
@jorgectf

This comment has been minimized.

Sign in to view
jorgectf
jorgectf commented Apr 8, 2021
View reviewed changes
python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected Outdated
Comment on lines 85 to 86
| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | a user-provided value |
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refer to this discussion about the repeated result regarding unsafe_filter.

RasmusWL
RasmusWL reviewed May 5, 2021
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this looks like fine port of the query from Java/C#.

There are some minor things I would clean up before promoting this from experimental (like the examples for how proper escaping should look like being functional), but overall the code looks ok.

I'll get in touch privately to see how to we should proceed form here, since I know you're busy at the moment 👍

python/ql/src/experimental/Security/CWE-090/examples/example_good2.py Outdated Show resolved Hide resolved
@RasmusWL RasmusWL self-assigned this May 5, 2021
@RasmusWL RasmusWL mentioned this pull request May 5, 2021
Merged
RasmusWL
RasmusWL reviewed May 7, 2021
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other minor things you could look at before we merge this PR is:

Just FYI, as discussed in #5680 (comment), you don't need to suffix everything with Node. For example, I would probably have called LDAPQuery.getLDAPNode for LDAPQuery.getQuery() (since just calling it LDAPQuery.getLDAP seems wrong), and LDAPEscape.getEscapeNode for LDAPEscape.getAnInput (again, since LDAPEscape.getEscape sounds strange)... but this is clearly just nitpicks, and something that will be easy to do if we promote this query out of experimental.

python/ql/src/experimental/semmle/python/Concepts.qll Outdated Show resolved Hide resolved
python/ql/src/experimental/semmle/python/Concepts.qll Outdated Show resolved Hide resolved
@jorgectf
Copy link
Contributor Author

jorgectf commented May 7, 2021

If you take a look at the non-experimental frameworks folder, you can see that our normal way of doing this is to create one .qll file for each package modeled

34b8af3

A few of the elements were missing QLDoc (we strive to add QLDoc to all publicly exposed elements). I added suggestions for adding these.

c2b96b3

you don't need to suffix everything with Node

6159fbe

@jorgectf jorgectf force-pushed the jorgectf/python/ldapInjection branch from 08be907 to 8665747 Compare May 8, 2021 16:09
RasmusWL
RasmusWL reviewed May 10, 2021
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making those last changes 👍 Besides fixing up the example of how to use escaping, and a few QLDocs that could be slightly improved, I think this PR looks good 💪

python/ql/src/experimental/semmle/python/frameworks/LDAP.qll Outdated Show resolved Hide resolved
python/ql/src/experimental/semmle/python/frameworks/LDAP.qll Outdated Show resolved Hide resolved
@jorgectf jorgectf force-pushed the jorgectf/python/ldapInjection branch from ac55c76 to 37d6ff7 Compare May 21, 2021 16:41
RasmusWL
RasmusWL approved these changes May 26, 2021
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working through the last few things, I've resolved the merge conflict and made the autoformatter happy, so now we can merge this query 💪

@RasmusWL RasmusWL merged commit 795a1c7 into github:main May 26, 2021
@jorgectf
Copy link
Contributor Author

Thanks for working through the last few things, I've resolved the merge conflict and made the autoformatter happy, so now we can merge this query 💪

Thanks for the fix and the merge :)

@jorgectf jorgectf mentioned this pull request Jun 16, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrthankyou mrthankyou mrthankyou left review comments

@RasmusWL RasmusWL RasmusWL approved these changes

Assignees

@RasmusWL RasmusWL

Labels
documentation Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jorgectf @RasmusWL @mrthankyou