
Commit 2b286a8

committed
naively move ldap into the SQL injection query
1 parent 94e2676 commit 2b286a8


7 files changed

+41
-168
lines changed


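--- a/javascript/ql/lib/javascript.qll
+++ b/javascript/ql/lib/javascript.qll
@@ -99,6 +99,7 @@ import semmle.javascript.frameworks.History
 import semmle.javascript.frameworks.Immutable
 import semmle.javascript.frameworks.Knex
 import semmle.javascript.frameworks.LazyCache
+import semmle.javascript.frameworks.Ldapjs
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
 import semmle.javascript.frameworks.HttpFrameworks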

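--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
@@ -41,4 +41,44 @@ module SqlInjection {
 class GraphqlInjectionSink extends Sink {
 GraphqlInjectionSink() { this instanceof GraphQL::GraphQLString }
 }
+
+/**
+* An LDAP filter for an API call that executes an operation against the LDAP server.
+*/
+class LdapjsSearchFilterAsSink extends Sink {
+// TODO: As taint-step?
+/*
+* override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+* exists(LdapjsParseFilter filter |
+* pred = filter.getArgument(0) and
+* succ = filter
+* )
+* }
+*/
+
+LdapjsSearchFilterAsSink() { this instanceof Ldapjs::LdapjsSearchFilter }
+}
+
+/**
+* An LDAP DN argument for an API call that executes an operation against the LDAP server.
+*/
+class LdapjsDNArgumentAsSink extends Sink {
+LdapjsDNArgumentAsSink() { this instanceof Ldapjs::LdapjsDNArgument }
+}
+
+/**
+* A call to a function whose name suggests that it escapes LDAP search query parameter.
+*/
+class FilterOrDNSanitizationCall extends Sanitizer, DataFlow::CallNode {
+// TODO: remove, or use something else? (AdhocWhitelistSanitizer?)
+FilterOrDNSanitizationCall() {
+exists(string sanitize, string input |
+sanitize = "(?:escape|saniti[sz]e|validate|filter)" and
+input = "[Ii]nput?"
+|
+this.getCalleeName()
+.regexpMatch("(?i)(" + sanitize + input + ")" + "|(" + input + sanitize + ")")
+)
+}
+}
 }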
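Review bot: `FilterOrDNSanitizationCall` now extends the `Sanitizer` class of `module SqlInjection`, so a call whose name matches the pattern presumably clears taint for every sink in that module (SQL, GraphQL and the new LDAP sinks), not only for LDAP filters and DNs. A name match says nothing about what the callee escapes: a `validateInput(x)` that only checks length would hide a genuine SQL injection result, which is a false negative the old experimental query could not cause for SQL. I would drop the class as its own TODO suggests, or keep it out of the shared `Sanitizer` hierarchy until it can be tied to `LdapjsSearchFilterAsSink` / `LdapjsDNArgumentAsSink` flows. If it stays, the pattern wants tidying: under `(?i)` the `[Ii]` is redundant and `t?` makes the last letter optional, so `input = "input"` is probably what was meant. The `Sink` and `Sanitizer` base classes are declared outside the hunk, so the scope of the effect should be confirmed against them.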

javascript/ql/src/experimental/Security/CWE-090/LdapInjection.qhelp

Lines changed: 0 additions & 50 deletions
This file was deleted.

javascript/ql/src/experimental/Security/CWE-090/LdapInjection.ql

Lines changed: 0 additions & 20 deletions
This file was deleted.

javascript/ql/src/experimental/Security/CWE-090/LdapInjection.qll

Lines changed: 0 additions & 25 deletions
This file was deleted.

javascript/ql/src/experimental/Security/CWE-090/LdapInjectionCustomizations.qll

Lines changed: 0 additions & 73 deletions
This file was deleted.
