Update tests and .expected

jorgectf · jorgectf · commit 37d6ff76a384 · 2021-05-21T17:47:53.000+02:00
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py b/python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py
@@ -4,9 +4,12 @@
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
+        dn, ldap.SCOPE_SUBTREE, search_filter)
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py b/python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py
@@ -4,9 +4,12 @@
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
-    conn.search(unsafe_dn, unsafe_filter)
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_good1.py b/python/ql/src/experimental/Security/CWE-090/examples/example_good1.py
@@ -6,12 +6,15 @@
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
     safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter)
+        dn, ldap.SCOPE_SUBTREE, search_filter)
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_good2.py b/python/ql/src/experimental/Security/CWE-090/examples/example_good2.py
@@ -6,12 +6,15 @@
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = escape_rdn(unsafe_dn)
+    safe_dc = escape_rdn(unsafe_dc)
     safe_filter = escape_filter_chars(unsafe_filter)
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True)
-    conn.search(safe_dn, safe_filter)
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_bad.py
@@ -10,12 +10,15 @@ def normal():
     A RemoteFlowSource is used directly as DN and search filter
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
-    conn.search(unsafe_dn, unsafe_filter)
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
 
 
 @app.route("/direct")
@@ -24,12 +27,15 @@ def direct():
     A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(
-        unsafe_dn, unsafe_filter)
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True).search(
+        dn, search_filter)
 
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_good.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_good.py
@@ -12,15 +12,18 @@ def normal():
     A RemoteFlowSource is sanitized and used as DN and search filter
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = escape_rdn(unsafe_dn)
+    safe_dc = escape_rdn(unsafe_dc)
     safe_filter = escape_filter_chars(unsafe_filter)
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True)
-    conn.search(safe_dn, safe_filter)
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
 
 
 @app.route("/direct")
@@ -29,15 +32,18 @@ def direct():
     A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = escape_rdn(unsafe_dn)
+    safe_dc = escape_rdn(unsafe_dc)
     safe_filter = escape_filter_chars(unsafe_filter)
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True).search(
-        safe_dn, safe_filter)
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True).search(
+        dn, search_filter)
 
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_bad.py
@@ -10,12 +10,15 @@ def normal():
     A RemoteFlowSource is used directly as DN and search filter
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
+        dn, ldap.SCOPE_SUBTREE, search_filter)
 
 
 @app.route("/direct")
@@ -24,11 +27,14 @@ def direct():
     A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search_s
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
 
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
+    user = ldap.initialize("ldap://127.0.0.1").search_s(
+        dn, ldap.SCOPE_SUBTREE, search_filter)
 
 
 @app.route("/normal_argbyname")
@@ -38,12 +44,15 @@ def normal_argbyname():
     an argument by name
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, filterstr=unsafe_filter)
+        dn, ldap.SCOPE_SUBTREE, filterstr=search_filter)
 
 
 # if __name__ == "__main__":
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_good.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_good.py
@@ -12,15 +12,18 @@ def normal():
     A RemoteFlowSource is sanitized and used as DN and search filter
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
     safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter)
+        dn, ldap.SCOPE_SUBTREE, search_filter)
 
 
 @app.route("/direct")
@@ -29,14 +32,17 @@ def direct():
     A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search_s
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
     safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
 
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter, ["testAttr1", "testAttr2"])
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    user = ldap.initialize("ldap://127.0.0.1").search_s(
+        dn, ldap.SCOPE_SUBTREE, search_filter, ["testAttr1", "testAttr2"])
 
 
 @app.route("/normal_argbyname")
@@ -46,15 +52,18 @@ def normal_argbyname():
     an argument by name
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
     safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, filterstr=safe_filter)
+        dn, ldap.SCOPE_SUBTREE, filterstr=search_filter)
 
 
 # if __name__ == "__main__":
