recognize string sanitizers for ldap-injection

erik-krogh · erik-krogh · commit 6a9277b5cedb · 2021-10-01T09:01:29.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
@@ -58,18 +58,17 @@ module SqlInjection {
     }
   }
 
+  import semmle.javascript.security.IncompleteBlacklistSanitizer as IncompleteBlacklistSanitizer
+
   /**
-   * A call to a function whose name suggests that it escapes LDAP search query parameter.
+   * A chain of replace calls that replaces all unsafe chars for ldap injection.
+   * For simplicity it's used as a sanitizer for all of `js/sql-injection`.
    */
-  class FilterOrDNSanitizationCall extends Sanitizer, DataFlow::CallNode {
-    // TODO: remove, or use something else? (AdhocWhitelistSanitizer?)
-    FilterOrDNSanitizationCall() {
-      exists(string sanitize, string input |
-        sanitize = "(?:escape|saniti[sz]e|validate|filter)" and
-        input = "[Ii]nput?"
-      |
-        this.getCalleeName()
-            .regexpMatch("(?i)(" + sanitize + input + ")" + "|(" + input + sanitize + ")")
+  class LDAPStringSanitizer extends Sanitizer,
+    IncompleteBlacklistSanitizer::StringReplaceCallSequence {
+    LDAPStringSanitizer() {
+      forall(string char | char = ["*", "(", ")", "\\", "/"] |
+        this.getAMember().getAReplacedString() = char
       )
     }
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js
@@ -36,7 +36,7 @@ const server = http.createServer((req, res) => {
   // GOOD
   client.search(
     "o=example",
-    {
+    { // OK
       filter: `(|(name=${sanitizeInput(username)})(username=${sanitizeInput(
         username
       )}))`,

Original file line number	Diff line number	Diff line change
`@@ -58,18 +58,17 @@ module SqlInjection {`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`
	`61`	`+ import semmle.javascript.security.IncompleteBlacklistSanitizer as IncompleteBlacklistSanitizer`
	`62`	`+`
`61`	`63`	`/**`
`62`		`- * A call to a function whose name suggests that it escapes LDAP search query parameter.`
	`64`	`+ * A chain of replace calls that replaces all unsafe chars for ldap injection.`
	`65`	+ * For simplicity it's used as a sanitizer for all of `js/sql-injection`.
`63`	`66`	`*/`
`64`		`- class FilterOrDNSanitizationCall extends Sanitizer, DataFlow::CallNode {`
`65`		`- // TODO: remove, or use something else? (AdhocWhitelistSanitizer?)`
`66`		`- FilterOrDNSanitizationCall() {`
`67`		`- exists(string sanitize, string input \|`
`68`		`- sanitize = "(?:escape\|saniti[sz]e\|validate\|filter)" and`
`69`		`- input = "[Ii]nput?"`
`70`		`- \|`
`71`		`- this.getCalleeName()`
`72`		`- .regexpMatch("(?i)(" + sanitize + input + ")" + "\|(" + input + sanitize + ")")`
	`67`	`+ class LDAPStringSanitizer extends Sanitizer,`
	`68`	`+ IncompleteBlacklistSanitizer::StringReplaceCallSequence {`
	`69`	`+ LDAPStringSanitizer() {`
	`70`	`+ forall(string char \| char = ["*", "(", ")", "\\", "/"] \|`
	`71`	`+ this.getAMember().getAReplacedString() = char`
`73`	`72`	`)`
`74`	`73`	`}`
`75`	`74`	`}`