Add "" and nil as sources

maikypedia · maikypedia · commit 664c1eba72e6 · 2023-08-22T18:10:33.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthCustomizations.qll
@@ -27,6 +27,22 @@ module ImproperLdapAuth {
    */
   private class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
 
+  /**
+   * A source of empty input, considered as a flow source.
+   */
+  private class EmptySourceAsSource extends Source, EmptySource { }
+
+  class EmptySource extends DataFlow::Node {
+    /** Gets a string that describes the type of this remote flow source. */
+    EmptySource() {
+      (
+        this.getConstantValue().isStringlikeValue("")
+        or
+        this.(DataFlow::ExprNode).getConstantValue().isNil()
+      )
+    }
+  }
+
   /**
    * An LDAP query execution considered as a flow sink.
    */
@@ -44,5 +60,6 @@ module ImproperLdapAuth {
    * sanitizer-guard.
    */
   private class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
-    StringConstArrayInclusionCallBarrier { }
+    StringConstArrayInclusionCallBarrier
+  { }
 }
diff --git a/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql b/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql
@@ -17,4 +17,4 @@ import DataFlow::PathGraph
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This LDAP authencation depends on a $@.", source.getNode(),
-  "user-provided value"
+  "user-provided value or the password is empty"
diff --git a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected
@@ -5,6 +5,10 @@ edges
 | ImproperLdapAuth.rb:24:5:24:8 | pass | ImproperLdapAuth.rb:31:24:31:27 | pass |
 | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:24:12:24:24 | ...[...] |
 | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | ImproperLdapAuth.rb:24:5:24:8 | pass |
+| ImproperLdapAuth.rb:37:5:37:8 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass |
+| ImproperLdapAuth.rb:37:12:37:14 | nil | ImproperLdapAuth.rb:37:5:37:8 | pass |
+| ImproperLdapAuth.rb:55:5:55:8 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass |
+| ImproperLdapAuth.rb:55:12:55:13 | "" | ImproperLdapAuth.rb:55:5:55:8 | pass |
 nodes
 | ImproperLdapAuth.rb:5:5:5:8 | pass | semmle.label | pass |
 | ImproperLdapAuth.rb:5:12:5:17 | call to params | semmle.label | call to params |
@@ -14,7 +18,17 @@ nodes
 | ImproperLdapAuth.rb:24:12:24:17 | call to params | semmle.label | call to params |
 | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | semmle.label | ...[...] |
 | ImproperLdapAuth.rb:31:24:31:27 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:37:5:37:8 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:37:12:37:14 | nil | semmle.label | nil |
+| ImproperLdapAuth.rb:47:23:47:26 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:55:5:55:8 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:55:12:55:13 | "" | semmle.label | "" |
+| ImproperLdapAuth.rb:62:24:62:27 | pass | semmle.label | pass |
 subpaths
 #select
 | ImproperLdapAuth.rb:15:23:15:26 | pass | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:15:23:15:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:5:12:5:17 | call to params | user-provided value |
 | ImproperLdapAuth.rb:31:24:31:27 | pass | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:31:24:31:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:24:12:24:17 | call to params | user-provided value |
+| ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:37:12:37:14 | nil | ImproperLdapAuth.rb:47:23:47:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:37:12:37:14 | nil | user-provided value |
+| ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:47:23:47:26 | pass | user-provided value |
+| ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:55:12:55:13 | "" | ImproperLdapAuth.rb:62:24:62:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:55:12:55:13 | "" | user-provided value |
+| ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:62:24:62:27 | pass | user-provided value |
diff --git a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb
@@ -31,6 +31,38 @@ def some_request_handler
     ldap.auth "admin", pass
     ldap.bind
   end
+
+  def some_request_handler
+    # An empty password is used 
+    pass = nil
+
+    # BAD: empty password
+    ldap = Net::LDAP.new(
+        host: 'ldap.example.com',
+        port: 636,
+        encryption: :simple_tls,
+        auth: {
+            method: :simple,
+            username: 'uid=admin,dc=example,dc=com',
+            password: pass
+        }
+    )
+    ldap.bind
+  end
+
+  def some_request_handler
+    # An empty password is used 
+    pass = ""
+
+    # BAD: empty password
+    ldap = Net::LDAP.new
+    ldap.host = your_server_ip_address
+    ldap.encryption(:method => :simple_tls)
+    ldap.port = 639
+    ldap.auth "admin", pass
+    ldap.bind
+  end
+
 end
 
 class BarController < ApplicationController
