Fix tests and add global option

Author: jorgectf

python/ql/src/experimental/semmle/python/frameworks/LDAP.qll

@@ -88,6 +88,11 @@ private module LDAP {
       result.(DataFlow::AttrRead).getAttributeName() instanceof LDAP2BindMethods
     }
 
+    /**List of SSL-demanding options */
+    private class LDAPSSLOptions extends DataFlow::Node {
+      LDAPSSLOptions() { this = ldap().getMember("OPT_X_TLS_" + ["DEMAND", "HARD"]).getAUse() }
+    }
+
     /**
      * A class to find `ldap` methods binding a connection.
      *
@@ -111,6 +116,8 @@ private module LDAP {
       override predicate useSSL() {
         // use initialize to correlate `this` and so avoid FP in several instances
         exists(DataFlow::CallCfgNode initialize |
+          ldap().getMember("set_option").getACall().getArg(_) instanceof LDAPSSLOptions
+          or
           this.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() = initialize and
           initialize = ldapInitialize().getACall() and
           (
@@ -126,7 +133,7 @@ private module LDAP {
               setOption.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() =
                 initialize and
               setOption.getFunction().(DataFlow::AttrRead).getAttributeName() = "set_option" and
-              setOption.getArg(0) = ldap().getMember("OPT_X_TLS_" + ["DEMAND", "HARD"]).getAUse() and
+              setOption.getArg(0) instanceof LDAPSSLOptions and
               not DataFlow::exprNode(any(False falseExpr))
                   .(DataFlow::LocalSourceNode)
                   .flowsTo(setOption.getArg(1))

python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_global.py

@@ -0,0 +1,24 @@
+import ldap
+from flask import request, Flask
+
+app = Flask(__name__)
+
+# GOOD
+
+# SSL through ldap global variable option
+
+ldap.set_option(ldap.OPT_X_TLS_DEMAND)
+
+
+@app.route("/one")
+def one():
+    ldap_connection_5 = ldap.initialize("ldap://somethingon.theinternet.com")
+    ldap_connection_5.simple_bind_s('', '')
+    user = ldap_connection_5.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_private.py

@@ -54,7 +54,7 @@ def one_bad():
 @app.route("/one_bad_2")
 def one_bad_2():
     ldap_connection_4 = ldap.initialize(schema + remote_host)
-    ldap_connection_4.set_option(ldap.OPT_X_TLS_NEVER)
+    ldap_connection_4.set_option(ldap.OPT_X_TLS_NEVER, True)
     ldap_connection_4.simple_bind_s('', '')
     user = ldap_connection_4.search_s(
         "dn", ldap.SCOPE_SUBTREE, "search_filter")

python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_remote.py

@@ -54,7 +54,7 @@ def one_bad():
 @app.route("/one_bad_2")
 def one_bad_2():
     ldap_connection_8 = ldap.initialize(schema + remote_host)
-    ldap_connection_8.set_option(ldap.OPT_X_TLS_NEVER)
+    ldap_connection_8.set_option(ldap.OPT_X_TLS_NEVER, True)
     ldap_connection_8.simple_bind_s('', '')
     user = ldap_connection_8.search_s(
         "dn", ldap.SCOPE_SUBTREE, "search_filter")

python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_remote.py

@@ -13,7 +13,7 @@
 
 @app.route("/one")
 def one():
-    srv = Server("ldap://somethingon.theinternet.com", port=1337, True)
+    srv = Server("ldap://somethingon.theinternet.com", 1337, True)
     conn = Connection(srv, "dn", "password")
     conn.search("dn", "search_filter")
     return conn.response