python: create LDAP module in Concepts

Author: yoff

python/ql/lib/semmle/python/Concepts.qll

@@ -443,38 +443,41 @@ module RegexExecution {
   }
 }
 
-/**
- * A data-flow node that executes an LDAP query.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `LDAPQuery::Range` instead.
- */
-class LdapExecution extends DataFlow::Node {
-  LdapExecution::Range range;
-
-  LdapExecution() { this = range }
-
-  /** Gets the argument containing the filter string. */
-  DataFlow::Node getFilter() { result = range.getFilter() }
-
-  /** Gets the argument containing the base DN. */
-  DataFlow::Node getBaseDn() { result = range.getBaseDn() }
-}
-
-/** Provides classes for modeling new LDAP query execution-related APIs. */
-module LdapExecution {
+/** Provides classes for modeling LDAP-related APIs. */
+module LDAP {
   /**
    * A data-flow node that executes an LDAP query.
    *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `LDAPQuery` instead.
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `LDAPQuery::Range` instead.
    */
-  abstract class Range extends DataFlow::Node {
+  class LdapExecution extends DataFlow::Node {
+    LdapExecution::Range range;
+
+    LdapExecution() { this = range }
+
     /** Gets the argument containing the filter string. */
-    abstract DataFlow::Node getFilter();
+    DataFlow::Node getFilter() { result = range.getFilter() }
 
     /** Gets the argument containing the base DN. */
-    abstract DataFlow::Node getBaseDn();
+    DataFlow::Node getBaseDn() { result = range.getBaseDn() }
+  }
+
+  /** Provides classes for modeling new LDAP query execution-related APIs. */
+  module LdapExecution {
+    /**
+     * A data-flow node that executes an LDAP query.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `LDAPQuery` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the argument containing the filter string. */
+      abstract DataFlow::Node getFilter();
+
+      /** Gets the argument containing the base DN. */
+      abstract DataFlow::Node getBaseDn();
+    }
   }
 }
 

python/ql/lib/semmle/python/frameworks/Ldap.qll

@@ -19,7 +19,7 @@ private module Ldap {
    *
    * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#functions
    */
-  private class LdapQueryExecution extends DataFlow::CallCfgNode, LdapExecution::Range {
+  private class LdapQueryExecution extends DataFlow::CallCfgNode, LDAP::LdapExecution::Range {
     LdapQueryExecution() {
       this =
         API::moduleImport("ldap")

python/ql/lib/semmle/python/frameworks/Ldap3.qll

@@ -15,7 +15,7 @@ private import semmle.python.ApiGraphs
  */
 private module Ldap3 {
   /** The execution of an `ldap` query. */
-  private class LdapQueryExecution extends DataFlow::CallCfgNode, LdapExecution::Range {
+  private class LdapQueryExecution extends DataFlow::CallCfgNode, LDAP::LdapExecution::Range {
     LdapQueryExecution() {
       this =
         API::moduleImport("ldap3")

python/ql/lib/semmle/python/security/dataflow/LdapInjectionCustomizations.qll

@@ -60,14 +60,14 @@ module LdapInjection {
    * A logging operation, considered as a flow sink.
    */
   class LdapExecutionAsDnSink extends DnSink {
-    LdapExecutionAsDnSink() { this = any(LdapExecution ldap).getBaseDn() }
+    LdapExecutionAsDnSink() { this = any(LDAP::LdapExecution ldap).getBaseDn() }
   }
 
   /**
    * A logging operation, considered as a flow sink.
    */
   class LdapExecutionAsFilterSink extends FilterSink {
-    LdapExecutionAsFilterSink() { this = any(LdapExecution ldap).getFilter() }
+    LdapExecutionAsFilterSink() { this = any(LDAP::LdapExecution ldap).getFilter() }
   }
 
   /**