Improve tests, move them and create qhelp examples

jorgectf · jorgectf · commit 015d203fcb61 · 2021-04-09T00:50:47.000+02:00
diff --git a/python/ql/src/experimental/Security/CWE-287/examples/auth_bad_2.py b/python/ql/src/experimental/Security/CWE-287/examples/auth_bad_2.py
@@ -0,0 +1,12 @@
+from flask import request, Flask
+import ldap
+
+
+@app.route("/bind_example")
+def bind_example():
+    dn = request.args['dc']
+    search_filter = request.args['search']
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    ldap_connection.bind('cn=root', "")
+    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
diff --git a/python/ql/src/experimental/Security/CWE-287/examples/auth_bad_3.py b/python/ql/src/experimental/Security/CWE-287/examples/auth_bad_3.py
@@ -0,0 +1,12 @@
+from ldap3 import Server, Connection, ALL
+from flask import request, Flask
+
+
+@app.route("/passwordNone")
+def passwordNone():
+    dn = request.args['dc']
+    search_filter = request.args['search']
+
+    srv = Server('servername', get_info=ALL)
+    conn = Connection(srv, user='user_dn', password=None)
+    status, result, response, _ = conn.search(dn, search_filter)
diff --git a/python/ql/src/experimental/Security/CWE-287/examples/auth_good_2.py b/python/ql/src/experimental/Security/CWE-287/examples/auth_good_2.py
@@ -0,0 +1,13 @@
+from flask import request, Flask
+import ldap
+import os
+
+
+@app.route("/bind_example")
+def bind_example():
+    dn = request.args['dc']
+    search_filter = request.args['search']
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    ldap_connection.bind('cn=root', os.environ.get('LDAP_PASSWORD'))
+    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
diff --git a/python/ql/src/experimental/Security/CWE-287/examples/auth_good_3.py b/python/ql/src/experimental/Security/CWE-287/examples/auth_good_3.py
@@ -2,8 +2,6 @@
 from flask import request, Flask
 import os
 
-app = Flask(__name__)
-
 
 @app.route("/passwordFromEnv")
 def passwordFromEnv():
@@ -14,7 +12,3 @@ def passwordFromEnv():
     conn = Connection(srv, user='user_dn',
                       password=os.environ.get('LDAP_PASSWORD'))
     status, result, response, _ = conn.search(dn, search_filter)
-    return result
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_2.py b/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_2.py
@@ -4,48 +4,64 @@
 app = Flask(__name__)
 
 
-@app.route("/simple_bind")
-def simple_bind():
+@app.route("/simple_bind_example")
+def simple_bind_example():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the bind's password
+    is not set
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.simple_bind('cn=root')
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
 
 
-@app.route("/simple_bind_s")
-def simple_bind_s():
+@app.route("/simple_bind_s_example")
+def simple_bind_s_example():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the bind's password
+    is not set
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.simple_bind_s('cn=root')
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
 
 
-@app.route("/bind_s")
-def bind_s():
+@app.route("/bind_s_example")
+def bind_s_example():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the bind's password
+    is set to None
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.bind_s('cn=root', None)
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
 
 
-@app.route("/bind")
-def bind():
+@app.route("/bind_example")
+def bind_example():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the bind's password
+    is set to None
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    ldap_connection.bind('cn=root', None)
+    ldap_connection.bind('cn=root', "")
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
 
 
 # if __name__ == "__main__":
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_3.py b/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_3.py
@@ -6,24 +6,47 @@
 
 @app.route("/passwordNone")
 def passwordNone():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the connection's password
+    is set to None
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     srv = Server('servername', get_info=ALL)
     conn = Connection(srv, user='user_dn', password=None)
     status, result, response, _ = conn.search(dn, search_filter)
-    return result
+
+
+@app.route("/passwordEmpty")
+def passwordEmpty():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the connection's password
+    is empty
+    """
+
+    dn = request.args['dc']
+    search_filter = request.args['search']
+
+    srv = Server('servername', get_info=ALL)
+    conn = Connection(srv, user='user_dn', password="")
+    status, result, response, _ = conn.search(dn, search_filter)
 
 
 @app.route("/notPassword")
 def notPassword():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the connection's password
+    is not set
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     srv = Server('servername', get_info=ALL)
     conn = Connection(srv, user='user_dn')
     status, result, response, _ = conn.search(dn, search_filter)
-    return result
 
 
 # if __name__ == "__main__":
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287/auth_good_2.py b/python/ql/test/experimental/query-tests/Security/CWE-287/auth_good_2.py
@@ -5,48 +5,64 @@
 app = Flask(__name__)
 
 
-@app.route("/simple_bind")
-def simple_bind():
+@app.route("/simple_bind_example")
+def simple_bind_example():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the bind's password
+    is an environment variable
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.simple_bind('cn=root', os.environ.get('LDAP_PASSWORD'))
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
 
 
-@app.route("/simple_bind_s")
-def simple_bind_s():
+@app.route("/simple_bind_s_example")
+def simple_bind_s_example():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the bind's password
+    is an environment variable
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.simple_bind_s('cn=root', os.environ.get('LDAP_PASSWORD'))
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
 
 
-@app.route("/bind_s")
-def bind_s():
+@app.route("/bind_s_example")
+def bind_s_example():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the bind's password
+    is an environment variable
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.bind_s('cn=root', os.environ.get('LDAP_PASSWORD'))
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
 
 
-@app.route("/bind")
-def bind():
+@app.route("/bind_example")
+def bind_example():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the bind's password
+    is an environment variable
+    """
+
     dn = request.args['dc']
     search_filter = request.args['search']
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     ldap_connection.bind('cn=root', os.environ.get('LDAP_PASSWORD'))
     user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
 
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287/auth_good_3.py b/python/ql/test/experimental/query-tests/Security/CWE-287/auth_good_3.py
@@ -0,0 +1,24 @@
+from ldap3 import Server, Connection, ALL
+from flask import request, Flask
+import os
+
+app = Flask(__name__)
+
+
+@app.route("/passwordFromEnv")
+def passwordFromEnv():
+    """
+    A RemoteFlowSource is used directly as DN and search filter while the connection's password
+    is an environment variable
+    """
+
+    dn = request.args['dc']
+    search_filter = request.args['search']
+
+    srv = Server('servername', get_info=ALL)
+    conn = Connection(srv, user='user_dn',
+                      password=os.environ.get('LDAP_PASSWORD'))
+    status, result, response, _ = conn.search(dn, search_filter)
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
