
Commit 9d421ff

committed
Ruby: configsig rb/improper-ldap-auth
1 parent e45edca commit 9d421ff


2 files changed

+18
-4
lines changed


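--- a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll
@@ -9,8 +9,9 @@ private import ImproperLdapAuthCustomizations::ImproperLdapAuth
 
 /**
 * A taint-tracking configuration for detecting improper LDAP authentication vulnerabilities.
+* DEPRECATED: Use `ImproperLdapAuthFlow` instead
 */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "ImproperLdapAuth" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -19,3 +20,16 @@ class Configuration extends TaintTracking::Configuration {
 
 override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 }
+
+private module ImproperLdapAuthConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+* Taint-tracking for detecting improper LDAP authentication vulnerabilities.
+*/
+module ImproperLdapAuthFlow = TaintTracking::Global<ImproperLdapAuthConfig>;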
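Review bot: The deprecation line on `Configuration` names the replacement but not what stops working. The query now selects from `ImproperLdapAuthFlow`, so a downstream subclass of `Configuration` that overrides `isSink` or `isSanitizer` no longer influences the reported results, and a locally added sink or sanitizer would drop out without any error. I would spell that out in the QLDoc, for example `* DEPRECATED: Use ImproperLdapAuthFlow instead; customize via the Source, Sink and Sanitizer classes.` This assumes those classes in `ImproperLdapAuthCustomizations` are the intended extension points, which the page does not show. The body of `Configuration` is only partly visible here, since the lines between the two hunks are not shown.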

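--- a/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql
+++ b/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql
@@ -12,9 +12,9 @@
 import codeql.ruby.DataFlow
 import codeql.ruby.security.ImproperLdapAuthQuery
 import codeql.ruby.Concepts
-import DataFlow::PathGraph
+import ImproperLdapAuthFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from ImproperLdapAuthFlow::PathNode source, ImproperLdapAuthFlow::PathNode sink
+where ImproperLdapAuthFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This LDAP authencation depends on a $@.", source.getNode(),
 "user-provided value"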
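Review bot: The alert message in the `select` clause still reads "authencation", a typo that appears in every result this query reports. The commit already rewrites the `from`/`where` lines directly above it, so this is a cheap moment to change the string to `"This LDAP authentication depends on a $@."`. The message sits on an unchanged context line. Any expected-output files that embed it would need the same edit, though none are visible on this page.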
