add calls to parseDN as sinks for ldap-injection

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll

@@ -52,6 +52,9 @@ module SqlInjection {
       or
       // A search options object, which contains a filter and a baseDN.
       this = any(LDAPjs::SearchOptions opt).getARhs()
+      or
+      // A call to "parseDN", which parses a DN from a string.
+      this = LDAPjs::ldapjs().getMember("parseDN").getACall().getArgument(0)
     }
   }
 

javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected

@@ -94,6 +94,9 @@ nodes
 | ldap.js:66:30:66:53 | { filte ... ilter } |
 | ldap.js:66:30:66:53 | { filte ... ilter } |
 | ldap.js:66:40:66:51 | parsedFilter |
+| ldap.js:68:27:68:42 | `cn=${username}` |
+| ldap.js:68:27:68:42 | `cn=${username}` |
+| ldap.js:68:33:68:40 | username |
 | marsdb-flow-to.js:10:9:10:18 | query |
 | marsdb-flow-to.js:10:17:10:18 | {} |
 | marsdb-flow-to.js:11:17:11:24 | req.body |
@@ -480,6 +483,7 @@ edges
 | ldap.js:22:7:22:33 | username | ldap.js:32:48:32:55 | username |
 | ldap.js:22:7:22:33 | username | ldap.js:64:16:64:23 | username |
 | ldap.js:22:7:22:33 | username | ldap.js:64:38:64:45 | username |
+| ldap.js:22:7:22:33 | username | ldap.js:68:33:68:40 | username |
 | ldap.js:22:18:22:18 | q | ldap.js:22:18:22:24 | q.query |
 | ldap.js:22:18:22:24 | q.query | ldap.js:22:18:22:33 | q.query.username |
 | ldap.js:22:18:22:33 | q.query.username | ldap.js:22:7:22:33 | username |
@@ -498,6 +502,8 @@ edges
 | ldap.js:64:38:64:45 | username | ldap.js:64:5:64:49 | `(\|(nam ... ame}))` |
 | ldap.js:66:40:66:51 | parsedFilter | ldap.js:66:30:66:53 | { filte ... ilter } |
 | ldap.js:66:40:66:51 | parsedFilter | ldap.js:66:30:66:53 | { filte ... ilter } |
+| ldap.js:68:33:68:40 | username | ldap.js:68:27:68:42 | `cn=${username}` |
+| ldap.js:68:33:68:40 | username | ldap.js:68:27:68:42 | `cn=${username}` |
 | marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
 | marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
 | marsdb-flow-to.js:10:17:10:18 | {} | marsdb-flow-to.js:10:9:10:18 | query |
@@ -909,6 +915,7 @@ edges
 | ldap.js:28:30:28:34 | opts1 | ldap.js:20:21:20:27 | req.url | ldap.js:28:30:28:34 | opts1 | This query depends on $@. | ldap.js:20:21:20:27 | req.url | a user-provided value |
 | ldap.js:32:5:32:61 | { filte ... e}))` } | ldap.js:20:21:20:27 | req.url | ldap.js:32:5:32:61 | { filte ... e}))` } | This query depends on $@. | ldap.js:20:21:20:27 | req.url | a user-provided value |
 | ldap.js:66:30:66:53 | { filte ... ilter } | ldap.js:20:21:20:27 | req.url | ldap.js:66:30:66:53 | { filte ... ilter } | This query depends on $@. | ldap.js:20:21:20:27 | req.url | a user-provided value |
+| ldap.js:68:27:68:42 | `cn=${username}` | ldap.js:20:21:20:27 | req.url | ldap.js:68:27:68:42 | `cn=${username}` | This query depends on $@. | ldap.js:20:21:20:27 | req.url | a user-provided value |
 | marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query depends on $@. | marsdb-flow-to.js:11:17:11:24 | req.body | a user-provided value |
 | marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query depends on $@. | marsdb.js:13:17:13:24 | req.body | a user-provided value |
 | minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query depends on $@. | minimongo.js:15:17:15:24 | req.body | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js

@@ -64,6 +64,8 @@ const server = http.createServer((req, res) => {
     `(|(name=${username})(username=${username}))`
   );
   client.search("o=example", { filter: parsedFilter }, function (err, res) {}); // NOT OK
+
+  const dn = ldap.parseDN(`cn=${username}`, function (err, dn) {}); // NOT OK
 });
 
 server.listen(389, () => {});