Apply suggestions from code review

jorgectf · RasmusWL · web-flow · commit 1bc16fb31e6c · 2021-09-07T18:37:33.000+02:00
Co-authored-by: Rasmus Wriedt Larsen &lt;rasmuswriedtlarsen@gmail.com&gt;
diff --git a/python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.qhelp b/python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.qhelp
@@ -17,7 +17,7 @@ to be sent in cleartext making it easier for an attacker to intercept it.</p>
 
 <p>The first one sets <code>use_SSL</code> to true as a keyword argument whereas the second one fails to provide a value for it, so
 the default one is used (<code>False</code>).</p>
-<sample src="LDAPInsecureAuth.py" />
+<sample src="examples/LDAPInsecureAuth.py" />
 </example>
 
 </qhelp>
diff --git a/python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.ql b/python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.ql
@@ -3,7 +3,7 @@
  * @description Python LDAP Insecure LDAP Authentication
  * @kind path-problem
  * @problem.severity error
- * @id python/insecure-ldap-auth
+ * @id py/insecure-ldap-auth
  * @tags experimental
  *       security
  *       external/cwe/cwe-522
diff --git a/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
@@ -115,9 +115,10 @@ private module LDAP {
           initialize = ldapInitialize().getACall() and
           (
             // ldap_connection.start_tls_s()
+            // see https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap.LDAPObject.start_tls_s
             exists(DataFlow::AttrRead startTLS |
               startTLS.getObject().getALocalSource() = initialize and
-              startTLS.getAttributeName().matches("%start_tls%")
+              startTLS.getAttributeName() = "start_tls_s"
             )
             or
             // ldap_connection.set_option(ldap.OPT_X_TLS_%s, True)
diff --git a/python/ql/src/experimental/semmle/python/security/LDAPInsecureAuth.qll b/python/ql/src/experimental/semmle/python/security/LDAPInsecureAuth.qll
@@ -23,7 +23,8 @@ class LDAPFullHost extends StrConst {
     exists(string s |
       s = this.getText() and
       s.regexpMatch(getFullHostRegex()) and
-      not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex()) // No need to check for ldaps, it would be SSL by default.
+      // check what comes after the `ldap://` prefix
+      not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())
     )
   }
 }
@@ -36,7 +37,7 @@ class LDAPPrivateHost extends StrConst {
   LDAPPrivateHost() { this.getText().regexpMatch(getPrivateHostRegex()) }
 }
 
-predicate concatAndCompareAgainstFullHostRegex(Expr schema, Expr host) {
+predicate concatAndCompareAgainstFullHostRegex(LDAPSchema schema, StrConst host) {
   schema instanceof LDAPSchema and
   not host instanceof LDAPPrivateHost and
   exists(string full_host |
@@ -96,6 +97,7 @@ class LDAPInsecureAuthConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource or
+    source.asExpr() instanceof LDAPFullHost or
     source.asExpr() instanceof LDAPBothStrings or
     source.asExpr() instanceof LDAPBothVar or
     source.asExpr() instanceof LDAPVarString or

Original file line number	Diff line number	Diff line change
`@@ -115,9 +115,10 @@ private module LDAP {`
`115`	`115`	`initialize = ldapInitialize().getACall() and`
`116`	`116`	`(`
`117`	`117`	`// ldap_connection.start_tls_s()`
	`118`	`+ // see https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap.LDAPObject.start_tls_s`
`118`	`119`	`exists(DataFlow::AttrRead startTLS \|`
`119`	`120`	`startTLS.getObject().getALocalSource() = initialize and`
`120`		`- startTLS.getAttributeName().matches("%start_tls%")`
	`121`	`+ startTLS.getAttributeName() = "start_tls_s"`
`121`	`122`	`)`
`122`	`123`	`or`
`123`	`124`	`// ldap_connection.set_option(ldap.OPT_X_TLS_%s, True)`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,8 @@ class LDAPFullHost extends StrConst {`
`23`	`23`	`exists(string s \|`
`24`	`24`	`s = this.getText() and`
`25`	`25`	`s.regexpMatch(getFullHostRegex()) and`
`26`		`- not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex()) // No need to check for ldaps, it would be SSL by default.`
	`26`	+ // check what comes after the `ldap://` prefix
	`27`	`+ not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())`
`27`	`28`	`)`
`28`	`29`	`}`
`29`	`30`	`}`
`@@ -36,7 +37,7 @@ class LDAPPrivateHost extends StrConst {`
`36`	`37`	`LDAPPrivateHost() { this.getText().regexpMatch(getPrivateHostRegex()) }`
`37`	`38`	`}`
`38`	`39`
`39`		`-predicate concatAndCompareAgainstFullHostRegex(Expr schema, Expr host) {`
	`40`	`+predicate concatAndCompareAgainstFullHostRegex(LDAPSchema schema, StrConst host) {`
`40`	`41`	`schema instanceof LDAPSchema and`
`41`	`42`	`not host instanceof LDAPPrivateHost and`
`42`	`43`	`exists(string full_host \|`
`@@ -96,6 +97,7 @@ class LDAPInsecureAuthConfig extends TaintTracking::Configuration {`
`96`	`97`
`97`	`98`	`override predicate isSource(DataFlow::Node source) {`
`98`	`99`	`source instanceof RemoteFlowSource or`
	`100`	`+ source.asExpr() instanceof LDAPFullHost or`
`99`	`101`	`source.asExpr() instanceof LDAPBothStrings or`
`100`	`102`	`source.asExpr() instanceof LDAPBothVar or`
`101`	`103`	`source.asExpr() instanceof LDAPVarString or`