Skip to content

Commit 0c09d66

Browse files
rvermeulenrvermeulen
committed
Consolidate different sinks into a default sink.
1 parent 3320061 commit 0c09d66

File tree

1 file changed

+19
-53
lines changed

1 file changed

+19
-53
lines changed

java/ql/src/semmle/code/java/security/LdapInjection.qll

Lines changed: 19 additions & 53 deletions
Original file line numberDiff line numberDiff line change
@@ -13,27 +13,32 @@ abstract class LdapInjectionSink extends DataFlow::Node { }
1313
/** A sanitizer that prevents LDAP injection attacks. */
1414
abstract class LdapInjectionSanitizer extends DataFlow::Node { }
1515

16-
/** Holds if the JNDI method parameter at index is susceptible to a LDAP injection attack. */
17-
private predicate jndiLdapInjectionSinkMethod(Method m, int index) {
18-
m.getDeclaringType().getAnAncestor() instanceof TypeDirContext and
19-
m.hasName("search") and
20-
index in [0 .. 1]
21-
}
22-
23-
/**
24-
* JNDI sink for LDAP injection vulnerabilities, i.e. 1st (DN) or 2nd (filter) argument to
25-
* `search` method from `DirContext`.
26-
*/
27-
private class JndiLdapInjectionSink extends LdapInjectionSink {
28-
JndiLdapInjectionSink() {
16+
/** Default sink for LDAP injection vulnerabilities. */
17+
private class DefaultLdapInjectionSink extends LdapInjectionSink {
18+
DefaultLdapInjectionSink() {
2919
exists(MethodAccess ma, Method m, int index |
3020
ma.getMethod() = m and
3121
ma.getArgument(index) = this.asExpr() and
32-
jndiLdapInjectionSinkMethod(m, index)
22+
ldapInjectionSinkMethod(m, index)
3323
)
3424
}
3525
}
3626

27+
/** Holds if the method parameter at index is susceptible to a LDAP injection attack. */
28+
private predicate ldapInjectionSinkMethod(Method m, int index) {
29+
jndiLdapInjectionSinkMethod(m, index) or
30+
unboundIdLdapInjectionSinkMethod(m, index) or
31+
springLdapInjectionSinkMethod(m, index) or
32+
apacheLdapInjectionSinkMethod(m, index)
33+
}
34+
35+
/** Holds if the JNDI method parameter at index is susceptible to a LDAP injection attack. */
36+
private predicate jndiLdapInjectionSinkMethod(Method m, int index) {
37+
m.getDeclaringType().getAnAncestor() instanceof TypeDirContext and
38+
m.hasName("search") and
39+
index in [0 .. 1]
40+
}
41+
3742
/** Holds if the UnboundID method parameter at `index` is susceptible to a LDAP injection attack. */
3843
private predicate unboundIdLdapInjectionSinkMethod(Method m, int index) {
3944
exists(Parameter param | m.getParameter(index) = param and not param.isVarargs() |
@@ -43,20 +48,6 @@ private predicate unboundIdLdapInjectionSinkMethod(Method m, int index) {
4348
)
4449
}
4550

46-
/**
47-
* UnboundID sink for LDAP injection vulnerabilities,
48-
* i.e. LDAPConnection.search, LDAPConnection.asyncSearch or LDAPConnection.searchForEntry method.
49-
*/
50-
private class UnboundedIdLdapInjectionSink extends LdapInjectionSink {
51-
UnboundedIdLdapInjectionSink() {
52-
exists(MethodAccess ma, Method m, int index |
53-
ma.getMethod() = m and
54-
ma.getArgument(index) = this.asExpr() and
55-
unboundIdLdapInjectionSinkMethod(m, index)
56-
)
57-
}
58-
}
59-
6051
/** Holds if the Spring method parameter at `index` is susceptible to a LDAP injection attack. */
6152
private predicate springLdapInjectionSinkMethod(Method m, int index) {
6253
// LdapTemplate.authenticate, LdapTemplate.find* or LdapTemplate.search* method
@@ -80,20 +71,6 @@ private predicate springLdapInjectionSinkMethod(Method m, int index) {
8071
)
8172
}
8273

83-
/**
84-
* Spring LDAP sink for LDAP injection vulnerabilities,
85-
* i.e. LdapTemplate.authenticate, LdapTemplate.find* or LdapTemplate.search* method.
86-
*/
87-
private class SpringLdapInjectionSink extends LdapInjectionSink {
88-
SpringLdapInjectionSink() {
89-
exists(MethodAccess ma, Method m, int index |
90-
ma.getMethod() = m and
91-
ma.getArgument(index) = this.asExpr() and
92-
springLdapInjectionSinkMethod(m, index)
93-
)
94-
}
95-
}
96-
9774
/** Holds if the Apache LDAP API method parameter at `index` is susceptible to a LDAP injection attack. */
9875
private predicate apacheLdapInjectionSinkMethod(Method m, int index) {
9976
exists(Parameter param | m.getParameter(index) = param and not param.isVarargs() |
@@ -102,17 +79,6 @@ private predicate apacheLdapInjectionSinkMethod(Method m, int index) {
10279
)
10380
}
10481

105-
/** Apache LDAP API sink for LDAP injection vulnerabilities, i.e. LdapConnection.search method. */
106-
private class ApacheLdapInjectionSink extends LdapInjectionSink {
107-
ApacheLdapInjectionSink() {
108-
exists(MethodAccess ma, Method m, int index |
109-
ma.getMethod() = m and
110-
ma.getArgument(index) = this.asExpr() and
111-
apacheLdapInjectionSinkMethod(m, index)
112-
)
113-
}
114-
}
115-
11682
/** A sanitizer that clears the taint on primitive types. */
11783
private class PrimitiveTypeLdapSanitizer extends LdapInjectionSanitizer {
11884
PrimitiveTypeLdapSanitizer() { this.getType() instanceof PrimitiveType }

0 commit comments

Comments
 (0)