python: rewrite to separate configurations

yoff · yoff · commit c2cd58edc46e · 2022-02-01T14:36:11.000+01:00
source nodes get duplicated, so perhaps flow states
are actually better for performance?
diff --git a/python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll b/python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll
@@ -8,80 +8,42 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
-/**
- * A taint-tracking configuration for detecting LDAP injections.
- */
-class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
-  LDAPInjectionFlowConfig() { this = "LDAPInjectionFlowConfig" }
+module LdapInjection {
+  import LdapInjectionCustomizations::LdapInjection
 
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-    source instanceof RemoteFlowSource and
-    state instanceof Unsafe
-  }
+  class DnConfiguration extends TaintTracking::Configuration {
+    DnConfiguration() { this = "LdapDnInjection" }
 
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    sink = any(LdapExecution ldap).getBaseDn() and
-    (state instanceof Unsafe or state instanceof UnsafeForDn)
-    or
-    sink = any(LdapExecution ldap).getFilter() and
-    (state instanceof Unsafe or state instanceof UnsafeForFilter)
-  }
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
-  override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    // All additional flow steps signify a state change.
-    //    (n, `state`) --> (`node`, s)
-    // Thus, if a node in `state` transitions to `node` and a new state,
-    // then `state` should be blocked at `node`.
-    isAdditionalFlowStep(_, state, node, _)
-  }
+    override predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
 
-  override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    exists(LdapDnEscaping ldapDnEsc |
-      node1 = ldapDnEsc.getAnInput() and
-      node2 = ldapDnEsc.getOutput()
-    |
-      state1 instanceof Unsafe and
-      state2 instanceof UnsafeForFilter
-      or
-      state1 instanceof UnsafeForDn and
-      state2 instanceof Safe
-    )
-    or
-    exists(LdapFilterEscaping ldapFilterEsc |
-      node1 = ldapFilterEsc.getAnInput() and
-      node2 = ldapFilterEsc.getOutput()
-    |
-      state1 instanceof Unsafe and
-      state2 instanceof UnsafeForDn
-      or
-      state1 instanceof UnsafeForFilter and
-      state2 instanceof Safe
-    )
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof DnSanitizerGuard
+    }
   }
-}
 
-/** A flow satte signifying generally unsafe input. */
-class Unsafe extends DataFlow::FlowState {
-  Unsafe() { this = "Unsafe" }
-}
+  class FilterConfiguration extends TaintTracking::Configuration {
+    FilterConfiguration() { this = "LdapFilterInjection" }
 
-/** A flow state signifying input that is only unsafe for DNs. */
-class UnsafeForDn extends DataFlow::FlowState {
-  UnsafeForDn() { this = "UnsafeForDn" }
-}
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
-/** A flow state signifying input that is only unsafe for filter strings. */
-class UnsafeForFilter extends DataFlow::FlowState {
-  UnsafeForFilter() { this = "UnsafeForFilter" }
-}
+    override predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
 
-/**
- * A flow state that signifies safe input.
- * Including this makes `isAdditionalFlowStep` and `isBarrier` simpler.
- */
-class Safe extends DataFlow::FlowState {
-  Safe() { this = "Safe" }
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof FilterSanitizerGuard
+    }
+  }
+
+  import DataFlow::PathGraph
+
+  predicate ldapInjection(DataFlow::PathNode source, DataFlow::PathNode sink) {
+    any(DnConfiguration dnConfig).hasFlowPath(source, sink)
+    or
+    any(FilterConfiguration filterConfig).hasFlowPath(source, sink)
+  }
 }
diff --git a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionCustomizations.qll
@@ -0,0 +1,97 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "ldap injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "ldap injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module LdapInjection {
+  /**
+   * A data flow source for "ldap injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "ldap injection" vulnerabilities.
+   */
+  abstract class DnSink extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "ldap injection" vulnerabilities.
+   */
+  abstract class FilterSink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "ldap injection" vulnerabilities.
+   */
+  abstract class DnSanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "ldap injection" vulnerabilities.
+   */
+  abstract class FilterSanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for "ldap injection" vulnerabilities.
+   */
+  abstract class DnSanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A sanitizer guard for "ldap injection" vulnerabilities.
+   */
+  abstract class FilterSanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A logging operation, considered as a flow sink.
+   */
+  class LdapExecutionAsDnSink extends DnSink {
+    LdapExecutionAsDnSink() { this = any(LdapExecution ldap).getBaseDn() }
+  }
+
+  /**
+   * A logging operation, considered as a flow sink.
+   */
+  class LdapExecutionAsFilterSink extends FilterSink {
+    LdapExecutionAsFilterSink() { this = any(LdapExecution ldap).getFilter() }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsDnSanitizerGuard extends DnSanitizerGuard, StringConstCompare { }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsFilterSanitizerGuard extends FilterSanitizerGuard, StringConstCompare {
+  }
+
+  /**
+   * A call to replace line breaks functions as a sanitizer.
+   */
+  class LdapDnEscapingSanitizer extends DnSanitizer, DataFlow::CallCfgNode {
+    LdapDnEscapingSanitizer() { this = any(LdapDnEscaping ldapDnEsc).getOutput() }
+  }
+
+  /**
+   * A call to replace line breaks functions as a sanitizer.
+   */
+  class LdapFilterEscapingSanitizer extends FilterSanitizer, DataFlow::CallCfgNode {
+    LdapFilterEscapingSanitizer() { this = any(LdapFilterEscaping ldapDnEsc).getOutput() }
+  }
+}
diff --git a/python/ql/src/Security/CWE-090/LdapInjection.ql b/python/ql/src/Security/CWE-090/LdapInjection.ql
@@ -16,7 +16,7 @@ import python
 import semmle.python.security.dataflow.LdapInjection
 import DataFlow::PathGraph
 
-from LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from DataFlow::PathNode source, DataFlow::PathNode sink
+where LdapInjection::ldapInjection(source, sink)
 select sink.getNode(), source, sink, "$@ LDAP query parameter comes from $@.", sink.getNode(),
   "This", source.getNode(), "a user-provided value"
diff --git a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected
@@ -41,6 +41,7 @@ edges
 | ldap_bad.py:48:21:48:44 | ControlFlowNode for Subscript | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter |
 nodes
 | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | ldap3_bad.py:13:17:13:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | ldap3_bad.py:13:17:13:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | ldap3_bad.py:14:21:14:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -49,6 +50,7 @@ nodes
 | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
 | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
 | ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | ldap3_bad.py:30:17:30:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | ldap3_bad.py:30:17:30:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | ldap3_bad.py:31:21:31:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -57,6 +59,7 @@ nodes
 | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
 | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
 | ldap_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | ldap_bad.py:13:17:13:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | ldap_bad.py:13:17:13:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | ldap_bad.py:14:21:14:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -65,6 +68,7 @@ nodes
 | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
 | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
 | ldap_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | ldap_bad.py:30:17:30:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | ldap_bad.py:30:17:30:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | ldap_bad.py:31:21:31:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -73,6 +77,7 @@ nodes
 | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
 | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
 | ldap_bad.py:47:17:47:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:47:17:47:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | ldap_bad.py:47:17:47:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | ldap_bad.py:47:17:47:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | ldap_bad.py:48:21:48:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
