Correct barrier

Author: maikypedia

go/ql/src/experimental/CWE-287/ImproperLdapAuth.ql

@@ -1,13 +1,12 @@
 /**
- * @name LDAP query built from user-controlled sources
- * @description Building an LDAP query from user-controlled sources is vulnerable to insertion of
- *              malicious LDAP code by the user.
+ * @name Improper LDAP Authentication
+ * @description A user-controlled query carries no authentication
  * @kind path-problem
- * @problem.severity error
- * @id go/ldap-injection
+ * @problem.severity warning
+ * @id go/improper-ldap-auth
  * @tags security
  *       experimental
- *       external/cwe/cwe-90
+ *       external/cwe/cwe-287
  */
 
 import go

go/ql/src/experimental/CWE-287/ImproperLdapAuth.qll

@@ -45,10 +45,14 @@ class RegexpCheckAsBarrierGuard extends RegexpCheckBarrier, LdapSanitizer { }
 private predicate equalityAsSanitizerGuard(DataFlow::Node g, Expr e, boolean outcome) {
   exists(DataFlow::Node passwd, DataFlow::EqualityTestNode eq |
     g = eq and
-    exists(eq.getAnOperand().getStringValue()) and
     passwd = eq.getAnOperand() and
     e = passwd.asExpr() and
-    outcome = true
+    (
+      eq.getAnOperand().getStringValue().length() > 0 and outcome = eq.getPolarity()
+      or
+      eq.getAnOperand().getStringValue().length() = 0 and
+      outcome = eq.getPolarity().booleanNot()
+    )
   )
 }
 
@@ -64,7 +68,7 @@ class EqualityAsSanitizerGuard extends LdapSanitizer {
 
 /**
  * A taint-tracking configuration for reasoning about when an `UntrustedFlowSource`
- * flows into an argument or field that is vulnerable to LDAP injection.
+ * flows into an argument or field that is vulnerable to Improper LDAP Authentication.
  */
 class ImproperLdapAuthConfiguration extends TaintTracking::Configuration {
   ImproperLdapAuthConfiguration() { this = "Improper LDAP Auth" }