Python: Make LDAP global options test better

RasmusWL · RasmusWL · commit ef6e502ff068 · 2021-09-23T10:18:18.000+02:00
Before it didn't really showcase that we know it can make connections
secure.
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LDAPInsecureAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LDAPInsecureAuth.expected
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LDAPInsecureAuth.qlref b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LDAPInsecureAuth.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-522/LDAPInsecureAuth.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/ldap2_global.py b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/ldap2_global.py
@@ -1,3 +1,6 @@
+# since global options are considered to affect all files in a repo, we need to keep
+# this test in its' own directory (so it doesn't interfere with other tests).
+
 import ldap
 from flask import request, Flask
 
@@ -7,11 +10,13 @@
 
 # SSL through ldap global variable option
 
-ldap.set_option(ldap.OPT_X_TLS_NEVER)
+ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
 
 
 @app.route("/one")
 def one():
+    # The following connection would have been insecure if the global option above was
+    # not set
     ldap_connection_5 = ldap.initialize("ldap://somethingon.theinternet.com")
     ldap_connection_5.simple_bind_s('', '')
     user = ldap_connection_5.search_s(
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/LDAPInsecureAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/LDAPInsecureAuth.expected
@@ -6,7 +6,6 @@ edges
 | ldap3_remote.py:138:21:138:32 | ControlFlowNode for Attribute | ldap3_remote.py:138:21:138:40 | ControlFlowNode for Subscript |
 | ldap3_remote.py:138:21:138:40 | ControlFlowNode for Subscript | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host |
 nodes
-| ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
 | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
@@ -21,7 +20,6 @@ nodes
 | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
 subpaths
 #select
-| ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | $@ is authenticated insecurely. | ldap2_global.py:15:41:15:76 | ControlFlowNode for Str | This LDAP host |
 | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | $@ is authenticated insecurely. | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | This LDAP host |
 | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | $@ is authenticated insecurely. | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | This LDAP host |
 | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | $@ is authenticated insecurely. | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +edges
 +nodes
 +subpaths
 +#select
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE-522/LDAPInsecureAuth.ql`