Fix tests

Author: jorgectf

python/ql/src/experimental/Security/CWE-287/examples/auth_bad_2.py

@@ -1,11 +1,13 @@
 from flask import request, Flask
 import ldap
+import ldap.filter
+import ldap.dn
 
 
 @app.route("/bind_example")
 def bind_example():
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.bind('cn=root', "")

python/ql/src/experimental/Security/CWE-287/examples/auth_bad_3.py

@@ -1,11 +1,12 @@
 from ldap3 import Server, Connection, ALL
 from flask import request, Flask
-
+from ldap3.utils.dn import escape_rdn
+from ldap3.utils.conv import escape_filter_chars
 
 @app.route("/passwordNone")
 def passwordNone():
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(escape_rdn(request.args['dc']))
+    search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 
     srv = Server('servername', get_info=ALL)
     conn = Connection(srv, user='user_dn', password=None)

python/ql/src/experimental/Security/CWE-287/examples/auth_good_2.py

@@ -1,13 +1,14 @@
 from flask import request, Flask
 import ldap
-import os
+import ldap.filter
+import ldap.dn
 
 
 @app.route("/bind_example")
 def bind_example():
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    ldap_connection.bind('cn=root', os.environ.get('LDAP_PASSWORD'))
+    ldap_connection.bind('cn=root', "SecurePa$$!")
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)

python/ql/src/experimental/Security/CWE-287/examples/auth_good_3.py

@@ -1,14 +1,14 @@
 from ldap3 import Server, Connection, ALL
 from flask import request, Flask
-import os
-
+from ldap3.utils.dn import escape_rdn
+from ldap3.utils.conv import escape_filter_chars
 
 @app.route("/passwordFromEnv")
 def passwordFromEnv():
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(escape_rdn(request.args['dc']))
+    search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 
     srv = Server('servername', get_info=ALL)
     conn = Connection(srv, user='user_dn',
-                      password=os.environ.get('LDAP_PASSWORD'))
+                      password="SecurePa$$!")
     status, result, response, _ = conn.search(dn, search_filter)

python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_2.py

@@ -1,18 +1,19 @@
 from flask import request, Flask
 import ldap
+import ldap.filter
+import ldap.dn
 
 app = Flask(__name__)
 
 
 @app.route("/simple_bind_example")
 def simple_bind_example():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is not set
+    The bind's password argument is not set
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.simple_bind('cn=root')
@@ -22,12 +23,11 @@ def simple_bind_example():
 @app.route("/simple_bind_s_example")
 def simple_bind_s_example():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is not set
+    The bind's password argument is not set
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.simple_bind_s('cn=root')
@@ -37,12 +37,11 @@ def simple_bind_s_example():
 @app.route("/bind_s_example")
 def bind_s_example():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is set to None
+    The bind's password argument is set to None
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.bind_s('cn=root', None)
@@ -51,12 +50,11 @@ def bind_s_example():
 @app.route("/bind_s_example")
 def bind_s_example_kwargs():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is set to None
+    The bind's password argument is set to None
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.bind_s(who='cn=root', cred=None)
@@ -65,12 +63,11 @@ def bind_s_example_kwargs():
 @app.route("/bind_example")
 def bind_example():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is set to None
+    The bind's password argument is an empty string
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.bind('cn=root', "")
@@ -80,12 +77,11 @@ def bind_example():
 @app.route("/bind_example")
 def bind_example():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is set to None
+    The bind's password argument is an empty string
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.bind(who='cn=root', cred="")

python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_3.py

@@ -1,18 +1,19 @@
 from ldap3 import Server, Connection, ALL
 from flask import request, Flask
+from ldap3.utils.dn import escape_rdn
+from ldap3.utils.conv import escape_filter_chars
 
 app = Flask(__name__)
 
 
 @app.route("/passwordNone")
 def passwordNone():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the connection's password
-    is set to None
+    The bind's password argument is set to None
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(escape_rdn(request.args['dc']))
+    search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 
     srv = Server('servername', get_info=ALL)
     conn = Connection(srv, 'user_dn', None)
@@ -22,12 +23,11 @@ def passwordNone():
 @app.route("/passwordNone")
 def passwordNoneKwargs():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the connection's password
-    is set to None
+    The bind's password argument is set to None
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(escape_rdn(request.args['dc']))
+    search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 
     srv = Server('servername', get_info=ALL)
     conn = Connection(srv, user='user_dn', password=None)
@@ -36,12 +36,11 @@ def passwordNoneKwargs():
 @app.route("/passwordEmpty")
 def passwordEmpty():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the connection's password
-    is empty
+    The bind's password argument is an empty string
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(escape_rdn(request.args['dc']))
+    search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 
     srv = Server('servername', get_info=ALL)
     conn = Connection(srv, user='user_dn', password="")
@@ -51,12 +50,11 @@ def passwordEmpty():
 @app.route("/notPassword")
 def notPassword():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the connection's password
-    is not set
+    The bind's password argument is not set
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(escape_rdn(request.args['dc']))
+    search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 
     srv = Server('servername', get_info=ALL)
     conn = Connection(srv, user='user_dn')

python/ql/test/experimental/query-tests/Security/CWE-287/auth_good_2.py

@@ -1,67 +1,64 @@
 from flask import request, Flask
 import ldap
-import os
+import ldap.filter
+import ldap.dn
 
 app = Flask(__name__)
 
 
 @app.route("/simple_bind_example")
 def simple_bind_example():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is an environment variable
+    The bind's password argument is a non-empty string
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    ldap_connection.simple_bind('cn=root', os.environ.get('LDAP_PASSWORD'))
+    ldap_connection.simple_bind('cn=root', "SecurePa$$!")
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
 
 
 @app.route("/simple_bind_s_example")
 def simple_bind_s_example():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is an environment variable
+    The bind's password argument is a non-empty string
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    ldap_connection.simple_bind_s('cn=root', os.environ.get('LDAP_PASSWORD'))
+    ldap_connection.simple_bind_s('cn=root', "SecurePa$$!")
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
 
 
 @app.route("/bind_s_example")
 def bind_s_example():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is an environment variable
+    The bind's password argument is a non-empty string
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    ldap_connection.bind_s('cn=root', os.environ.get('LDAP_PASSWORD'))
+    ldap_connection.bind_s('cn=root', "SecurePa$$!")
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
 
 
 @app.route("/bind_example")
 def bind_example():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the bind's password
-    is an environment variable
+    The bind's password argument is a non-empty string
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
+    search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    ldap_connection.bind('cn=root', os.environ.get('LDAP_PASSWORD'))
+    ldap_connection.bind('cn=root', "SecurePa$$!")
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
 
 # if __name__ == "__main__":

python/ql/test/experimental/query-tests/Security/CWE-287/auth_good_3.py

@@ -1,23 +1,23 @@
 from ldap3 import Server, Connection, ALL
 from flask import request, Flask
-import os
+from ldap3.utils.dn import escape_rdn
+from ldap3.utils.conv import escape_filter_chars
 
 app = Flask(__name__)
 
 
 @app.route("/passwordFromEnv")
 def passwordFromEnv():
     """
-    A RemoteFlowSource is used directly as DN and search filter while the connection's password
-    is an environment variable
+    The bind's password argument is a non-empty string
     """
 
-    dn = request.args['dc']
-    search_filter = request.args['search']
+    dn = "dc={}".format(escape_rdn(request.args['dc']))
+    search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 
     srv = Server('servername', get_info=ALL)
     conn = Connection(srv, user='user_dn',
-                      password=os.environ.get('LDAP_PASSWORD'))
+                      password="SecurePa$$!")
     status, result, response, _ = conn.search(dn, search_filter)
 
 # if __name__ == "__main__":