cklin
diff --git a/‎python/ql/src/experimental/Security/CWE-090/LDAPInsecureAuth.ql
Lines changed: 0 additions & 192 deletions b/‎python/ql/src/experimental/Security/CWE-090/LDAPInsecureAuth.ql
Lines changed: 0 additions & 192 deletions
diff --git a/‎python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.ql
Lines changed: 20 additions & 0 deletions b/‎python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.ql
Lines changed: 20 additions & 0 deletions
diff --git a/‎python/ql/src/experimental/semmle/python/Concepts.qll
Lines changed: 23 additions & 0 deletions b/‎python/ql/src/experimental/semmle/python/Concepts.qll
Lines changed: 23 additions & 0 deletions
diff --git a/‎python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
Lines changed: 54 additions & 0 deletions b/‎python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
Lines changed: 54 additions & 0 deletions
@@ -0,0 +1,20 @@
+/**
+ * @name Python Insecure LDAP Authentication
+ * @description Python LDAP Insecure LDAP Authentication
+ * @kind path-problem
+ * @problem.severity error
+ * @id python/insecure-ldap-auth
+ * @tags experimental
+ *       security
+ *       external/cwe/cwe-522
+ */
+
+// determine precision above
+import python
+import DataFlow::PathGraph
+import experimental.semmle.python.security.LDAPInsecureAuth
+
+from LDAPInsecureAuthConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ is authenticated insecurely.", sink.getNode(),
+  "This LDAP host"
@@ -156,10 +156,20 @@ module LDAPBind {
    * extend `LDAPBind` instead.
    */
   abstract class Range extends DataFlow::Node {
+    /**
+     * Gets the argument containing the binding host.
+     */
+    abstract DataFlow::Node getHost();
+
     /**
      * Gets the argument containing the binding expression.
      */
     abstract DataFlow::Node getPassword();
+
+    /**
+     * Checks if the binding process use SSL.
+     */
+    abstract predicate useSSL();
   }
 }
 
@@ -174,5 +184,18 @@ class LDAPBind extends DataFlow::Node {
 
   LDAPBind() { this = range }
 
+  /**
+   * Gets the argument containing the binding host.
+   */
+  DataFlow::Node getHost() { result = range.getHost() }
+
+  /**
+   * Gets the argument containing the binding expression.
+   */
   DataFlow::Node getPassword() { result = range.getPassword() }
+
+  /**
+   * Checks if the binding process use SSL.
+   */
+  predicate useSSL() { range.useSSL() }
 }
@@ -99,6 +99,42 @@ private module LDAP {
       override DataFlow::Node getPassword() {
         result in [this.getArg(1), this.getArgByName("cred")]
       }
+
+      override DataFlow::Node getHost() {
+        exists(DataFlow::CallCfgNode initialize |
+          this.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() = initialize and
+          initialize = ldapInitialize().getACall() and
+          result = initialize.getArg(0)
+        )
+      }
+
+      override predicate useSSL() {
+        // use initialize to correlate `this` and so avoid FP in several instances
+        exists(DataFlow::CallCfgNode initialize |
+          this.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() = initialize and
+          initialize = ldapInitialize().getACall() and
+          (
+            // ldap_connection.start_tls_s()
+            exists(DataFlow::AttrRead startTLS |
+              startTLS.getObject().getALocalSource() = initialize and
+              startTLS.getAttributeName().matches("%start_tls%")
+            )
+            or
+            // ldap_connection.set_option(ldap.OPT_X_TLS_%s, True)
+            // ldap_connection.set_option(ldap.OPT_X_TLS_%s)
+            exists(DataFlow::CallCfgNode setOption |
+              setOption.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() =
+                initialize and
+              setOption.getFunction().(DataFlow::AttrRead).getAttributeName() = "set_option" and
+              setOption.getArg(0) =
+                ldap().getMember("OPT_X_TLS_" + ["ALLOW", "TRY", "DEMAND", "HARD"]).getAUse() and
+              not DataFlow::exprNode(any(False falseExpr))
+                  .(DataFlow::LocalSourceNode)
+                  .flowsTo(setOption.getArg(1))
+            )
+          )
+        )
+      }
     }
 
     /**
@@ -166,6 +202,24 @@ private module LDAP {
       override DataFlow::Node getPassword() {
         result in [this.getArg(2), this.getArgByName("password")]
       }
+
+      override DataFlow::Node getHost() {
+        exists(DataFlow::CallCfgNode serverCall |
+          serverCall = ldap3Server().getACall() and
+          this.getArg(0).getALocalSource() = serverCall and
+          result = serverCall.getArg(0)
+        )
+      }
+
+      override predicate useSSL() {
+        exists(DataFlow::CallCfgNode serverCall |
+          serverCall = ldap3Server().getACall() and
+          this.getArg(0).getALocalSource() = serverCall and
+          DataFlow::exprNode(any(True trueExpr))
+              .(DataFlow::LocalSourceNode)
+              .flowsTo([serverCall.getArg(2), serverCall.getArgByName("use_ssl")])
+        )
+      }
     }
 
     /**