naively port tests from ldap examples

erik-krogh · erik-krogh · commit 9b5ff66b6864 · 2021-10-01T09:00:10.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -68,6 +68,22 @@ nodes
 | json-schema-validator.js:59:22:59:26 | query |
 | json-schema-validator.js:61:22:61:26 | query |
 | json-schema-validator.js:61:22:61:26 | query |
+| ldap.js:20:7:20:34 | q |
+| ldap.js:20:11:20:34 | url.par ... , true) |
+| ldap.js:20:21:20:27 | req.url |
+| ldap.js:20:21:20:27 | req.url |
+| ldap.js:22:7:22:33 | username |
+| ldap.js:22:18:22:18 | q |
+| ldap.js:22:18:22:24 | q.query |
+| ldap.js:22:18:22:33 | q.query.username |
+| ldap.js:25:13:25:57 | `(\|(nam ... ame}))` |
+| ldap.js:25:13:25:57 | `(\|(nam ... ame}))` |
+| ldap.js:25:24:25:31 | username |
+| ldap.js:25:46:25:53 | username |
+| ldap.js:32:15:32:59 | `(\|(nam ... ame}))` |
+| ldap.js:32:15:32:59 | `(\|(nam ... ame}))` |
+| ldap.js:32:26:32:33 | username |
+| ldap.js:32:48:32:55 | username |
 | marsdb-flow-to.js:10:9:10:18 | query |
 | marsdb-flow-to.js:10:17:10:18 | {} |
 | marsdb-flow-to.js:11:17:11:24 | req.body |
@@ -444,6 +460,25 @@ edges
 | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) | json-schema-validator.js:50:15:50:48 | query |
 | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) |
 | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) |
+| ldap.js:20:7:20:34 | q | ldap.js:22:18:22:18 | q |
+| ldap.js:20:11:20:34 | url.par ... , true) | ldap.js:20:7:20:34 | q |
+| ldap.js:20:21:20:27 | req.url | ldap.js:20:11:20:34 | url.par ... , true) |
+| ldap.js:20:21:20:27 | req.url | ldap.js:20:11:20:34 | url.par ... , true) |
+| ldap.js:22:7:22:33 | username | ldap.js:25:24:25:31 | username |
+| ldap.js:22:7:22:33 | username | ldap.js:25:46:25:53 | username |
+| ldap.js:22:7:22:33 | username | ldap.js:32:26:32:33 | username |
+| ldap.js:22:7:22:33 | username | ldap.js:32:48:32:55 | username |
+| ldap.js:22:18:22:18 | q | ldap.js:22:18:22:24 | q.query |
+| ldap.js:22:18:22:24 | q.query | ldap.js:22:18:22:33 | q.query.username |
+| ldap.js:22:18:22:33 | q.query.username | ldap.js:22:7:22:33 | username |
+| ldap.js:25:24:25:31 | username | ldap.js:25:13:25:57 | `(\|(nam ... ame}))` |
+| ldap.js:25:24:25:31 | username | ldap.js:25:13:25:57 | `(\|(nam ... ame}))` |
+| ldap.js:25:46:25:53 | username | ldap.js:25:13:25:57 | `(\|(nam ... ame}))` |
+| ldap.js:25:46:25:53 | username | ldap.js:25:13:25:57 | `(\|(nam ... ame}))` |
+| ldap.js:32:26:32:33 | username | ldap.js:32:15:32:59 | `(\|(nam ... ame}))` |
+| ldap.js:32:26:32:33 | username | ldap.js:32:15:32:59 | `(\|(nam ... ame}))` |
+| ldap.js:32:48:32:55 | username | ldap.js:32:15:32:59 | `(\|(nam ... ame}))` |
+| ldap.js:32:48:32:55 | username | ldap.js:32:15:32:59 | `(\|(nam ... ame}))` |
 | marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
 | marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
 | marsdb-flow-to.js:10:17:10:18 | {} | marsdb-flow-to.js:10:9:10:18 | query |
@@ -852,6 +887,8 @@ edges
 | json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query depends on $@. | json-schema-validator.js:50:34:50:47 | req.query.data | a user-provided value |
 | json-schema-validator.js:59:22:59:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:59:22:59:26 | query | This query depends on $@. | json-schema-validator.js:50:34:50:47 | req.query.data | a user-provided value |
 | json-schema-validator.js:61:22:61:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:61:22:61:26 | query | This query depends on $@. | json-schema-validator.js:50:34:50:47 | req.query.data | a user-provided value |
+| ldap.js:25:13:25:57 | `(\|(nam ... ame}))` | ldap.js:20:21:20:27 | req.url | ldap.js:25:13:25:57 | `(\|(nam ... ame}))` | This query depends on $@. | ldap.js:20:21:20:27 | req.url | a user-provided value |
+| ldap.js:32:15:32:59 | `(\|(nam ... ame}))` | ldap.js:20:21:20:27 | req.url | ldap.js:32:15:32:59 | `(\|(nam ... ame}))` | This query depends on $@. | ldap.js:20:21:20:27 | req.url | a user-provided value |
 | marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query depends on $@. | marsdb-flow-to.js:11:17:11:24 | req.body | a user-provided value |
 | marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query depends on $@. | marsdb.js:13:17:13:24 | req.body | a user-provided value |
 | minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query depends on $@. | minimongo.js:15:17:15:24 | req.body | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js
@@ -0,0 +1,64 @@
+const http = require("http");
+const url = require("url");
+const ldap = require("ldapjs");
+const client = ldap.createClient({
+  url: "ldap://127.0.0.1:1389",
+});
+
+// https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4
+const sanitizeInput = function (input) {
+  return input
+    .replace(/\*/g, "\\2a")
+    .replace(/\(/g, "\\28")
+    .replace(/\)/g, "\\29")
+    .replace(/\\/g, "\\5c")
+    .replace(/\0/g, "\\00")
+    .replace(/\//g, "\\2f");
+};
+
+const server = http.createServer((req, res) => {
+  let q = url.parse(req.url, true);
+
+  let username = q.query.username;
+
+  var opts1 = {
+    filter: `(|(name=${username})(username=${username}))`, // NOT OK
+  };
+
+  client.search("o=example", opts1, function (err, res) {});
+
+  client.search(
+    "o=example",
+    { filter: `(|(name=${username})(username=${username}))` }, // NOT OK
+    function (err, res) {}
+  );
+
+  // GOOD
+  client.search(
+    "o=example",
+    {
+      filter: `(|(name=${sanitizeInput(username)})(username=${sanitizeInput(
+        username
+      )}))`,
+    },
+    function (err, res) {}
+  );
+
+  // GOOD (https://github.com/ldapjs/node-ldapjs/issues/181)
+  let f = new OrFilter({
+    filters: [
+      new EqualityFilter({
+        attribute: "name",
+        value: username,
+      }),
+      new EqualityFilter({
+        attribute: "username",
+        value: username,
+      }),
+    ],
+  });
+
+  client.search("o=example", { filter: f }, function (err, res) {});
+});
+
+server.listen(389, () => {});
