Add and adjust QL docs for classes and predicates

rvermeulen · rvermeulen · commit 3320061178e0 · 2020-07-22T16:04:55.000+02:00
diff --git a/java/ql/src/semmle/code/java/security/LdapInjection.qll b/java/ql/src/semmle/code/java/security/LdapInjection.qll
@@ -10,9 +10,10 @@ import semmle.code.java.frameworks.ApacheLdap
 /** A data flow sink for unvalidated user input that is used to construct LDAP queries. */
 abstract class LdapInjectionSink extends DataFlow::Node { }
 
-/** A class that identifies sanitizers that prevent LDAP injection attacks. */
+/** A sanitizer that prevents LDAP injection attacks. */
 abstract class LdapInjectionSanitizer extends DataFlow::Node { }
 
+/** Holds if the JNDI method parameter at index is susceptible to a LDAP injection attack. */
 private predicate jndiLdapInjectionSinkMethod(Method m, int index) {
   m.getDeclaringType().getAnAncestor() instanceof TypeDirContext and
   m.hasName("search") and
@@ -33,6 +34,7 @@ private class JndiLdapInjectionSink extends LdapInjectionSink {
   }
 }
 
+/** Holds if the UnboundID method parameter at `index` is susceptible to a LDAP injection attack. */
 private predicate unboundIdLdapInjectionSinkMethod(Method m, int index) {
   exists(Parameter param | m.getParameter(index) = param and not param.isVarargs() |
     m instanceof MethodUnboundIdLDAPConnectionSearch or
@@ -55,6 +57,7 @@ private class UnboundedIdLdapInjectionSink extends LdapInjectionSink {
   }
 }
 
+/** Holds if the Spring method parameter at `index` is susceptible to a LDAP injection attack. */
 private predicate springLdapInjectionSinkMethod(Method m, int index) {
   // LdapTemplate.authenticate, LdapTemplate.find* or LdapTemplate.search* method
   (
@@ -91,6 +94,7 @@ private class SpringLdapInjectionSink extends LdapInjectionSink {
   }
 }
 
+/** Holds if the Apache LDAP API method parameter at `index` is susceptible to a LDAP injection attack. */
 private predicate apacheLdapInjectionSinkMethod(Method m, int index) {
   exists(Parameter param | m.getParameter(index) = param and not param.isVarargs() |
     m.getDeclaringType().getAnAncestor() instanceof TypeApacheLdapConnection and
@@ -405,6 +409,7 @@ private predicate apacheLdapDnGetStep(DataFlow::ExprNode n1, DataFlow::ExprNode
   )
 }
 
+/** A set of additional taint steps to consider when taint tracking LDAP related data flows. */
 class LdapInjectionAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     ldapNameStep(node1, node2) or

Original file line number	Diff line number	Diff line change
`@@ -10,9 +10,10 @@ import semmle.code.java.frameworks.ApacheLdap`
`10`	`10`	`/** A data flow sink for unvalidated user input that is used to construct LDAP queries. */`
`11`	`11`	`abstract class LdapInjectionSink extends DataFlow::Node { }`
`12`	`12`
`13`		`-/** A class that identifies sanitizers that prevent LDAP injection attacks. */`
	`13`	`+/** A sanitizer that prevents LDAP injection attacks. */`
`14`	`14`	`abstract class LdapInjectionSanitizer extends DataFlow::Node { }`
`15`	`15`
	`16`	`+/** Holds if the JNDI method parameter at index is susceptible to a LDAP injection attack. */`
`16`	`17`	`private predicate jndiLdapInjectionSinkMethod(Method m, int index) {`
`17`	`18`	`m.getDeclaringType().getAnAncestor() instanceof TypeDirContext and`
`18`	`19`	`m.hasName("search") and`
`@@ -33,6 +34,7 @@ private class JndiLdapInjectionSink extends LdapInjectionSink {`
`33`	`34`	`}`
`34`	`35`	`}`
`35`	`36`
	`37`	+/** Holds if the UnboundID method parameter at `index` is susceptible to a LDAP injection attack. */
`36`	`38`	`private predicate unboundIdLdapInjectionSinkMethod(Method m, int index) {`
`37`	`39`	`exists(Parameter param \| m.getParameter(index) = param and not param.isVarargs() \|`
`38`	`40`	`m instanceof MethodUnboundIdLDAPConnectionSearch or`
`@@ -55,6 +57,7 @@ private class UnboundedIdLdapInjectionSink extends LdapInjectionSink {`
`55`	`57`	`}`
`56`	`58`	`}`
`57`	`59`
	`60`	+/** Holds if the Spring method parameter at `index` is susceptible to a LDAP injection attack. */
`58`	`61`	`private predicate springLdapInjectionSinkMethod(Method m, int index) {`
`59`	`62`	`// LdapTemplate.authenticate, LdapTemplate.find* or LdapTemplate.search* method`
`60`	`63`	`(`
`@@ -91,6 +94,7 @@ private class SpringLdapInjectionSink extends LdapInjectionSink {`
`91`	`94`	`}`
`92`	`95`	`}`
`93`	`96`
	`97`	+/** Holds if the Apache LDAP API method parameter at `index` is susceptible to a LDAP injection attack. */
`94`	`98`	`private predicate apacheLdapInjectionSinkMethod(Method m, int index) {`
`95`	`99`	`exists(Parameter param \| m.getParameter(index) = param and not param.isVarargs() \|`
`96`	`100`	`m.getDeclaringType().getAnAncestor() instanceof TypeApacheLdapConnection and`
`@@ -405,6 +409,7 @@ private predicate apacheLdapDnGetStep(DataFlow::ExprNode n1, DataFlow::ExprNode`
`405`	`409`	`)`
`406`	`410`	`}`
`407`	`411`
	`412`	`+/** A set of additional taint steps to consider when taint tracking LDAP related data flows. */`
`408`	`413`	`class LdapInjectionAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {`
`409`	`414`	`override predicate step(DataFlow::Node node1, DataFlow::Node node2) {`
`410`	`415`	`ldapNameStep(node1, node2) or`