Revert "Add "" and nil as sources"

maikypedia · maikypedia · commit ffd618d6cc8c · 2023-08-25T15:23:55.000+02:00
This reverts commit 664c1eb.
diff --git a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthCustomizations.qll
@@ -27,22 +27,6 @@ module ImproperLdapAuth {
    */
   private class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
 
-  /**
-   * A source of empty input, considered as a flow source.
-   */
-  private class EmptySourceAsSource extends Source, EmptySource { }
-
-  class EmptySource extends DataFlow::Node {
-    /** Gets a string that describes the type of this remote flow source. */
-    EmptySource() {
-      (
-        this.getConstantValue().isStringlikeValue("")
-        or
-        this.(DataFlow::ExprNode).getConstantValue().isNil()
-      )
-    }
-  }
-
   /**
    * An LDAP query execution considered as a flow sink.
    */
@@ -60,6 +44,5 @@ module ImproperLdapAuth {
    * sanitizer-guard.
    */
   private class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
-    StringConstArrayInclusionCallBarrier
-  { }
+    StringConstArrayInclusionCallBarrier { }
 }
diff --git a/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql b/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql
@@ -17,4 +17,4 @@ import DataFlow::PathGraph
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This LDAP authencation depends on a $@.", source.getNode(),
-  "user-provided value or the password is empty"
+  "user-provided value"
diff --git a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected
@@ -5,10 +5,6 @@ edges
 | ImproperLdapAuth.rb:24:5:24:8 | pass | ImproperLdapAuth.rb:31:24:31:27 | pass |
 | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:24:12:24:24 | ...[...] |
 | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | ImproperLdapAuth.rb:24:5:24:8 | pass |
-| ImproperLdapAuth.rb:37:5:37:8 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass |
-| ImproperLdapAuth.rb:37:12:37:14 | nil | ImproperLdapAuth.rb:37:5:37:8 | pass |
-| ImproperLdapAuth.rb:55:5:55:8 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass |
-| ImproperLdapAuth.rb:55:12:55:13 | "" | ImproperLdapAuth.rb:55:5:55:8 | pass |
 nodes
 | ImproperLdapAuth.rb:5:5:5:8 | pass | semmle.label | pass |
 | ImproperLdapAuth.rb:5:12:5:17 | call to params | semmle.label | call to params |
@@ -18,17 +14,7 @@ nodes
 | ImproperLdapAuth.rb:24:12:24:17 | call to params | semmle.label | call to params |
 | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | semmle.label | ...[...] |
 | ImproperLdapAuth.rb:31:24:31:27 | pass | semmle.label | pass |
-| ImproperLdapAuth.rb:37:5:37:8 | pass | semmle.label | pass |
-| ImproperLdapAuth.rb:37:12:37:14 | nil | semmle.label | nil |
-| ImproperLdapAuth.rb:47:23:47:26 | pass | semmle.label | pass |
-| ImproperLdapAuth.rb:55:5:55:8 | pass | semmle.label | pass |
-| ImproperLdapAuth.rb:55:12:55:13 | "" | semmle.label | "" |
-| ImproperLdapAuth.rb:62:24:62:27 | pass | semmle.label | pass |
 subpaths
 #select
 | ImproperLdapAuth.rb:15:23:15:26 | pass | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:15:23:15:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:5:12:5:17 | call to params | user-provided value |
 | ImproperLdapAuth.rb:31:24:31:27 | pass | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:31:24:31:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:24:12:24:17 | call to params | user-provided value |
-| ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:37:12:37:14 | nil | ImproperLdapAuth.rb:47:23:47:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:37:12:37:14 | nil | user-provided value |
-| ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:47:23:47:26 | pass | user-provided value |
-| ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:55:12:55:13 | "" | ImproperLdapAuth.rb:62:24:62:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:55:12:55:13 | "" | user-provided value |
-| ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:62:24:62:27 | pass | user-provided value |
diff --git a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb
@@ -31,38 +31,6 @@ def some_request_handler
     ldap.auth "admin", pass
     ldap.bind
   end
-
-  def some_request_handler
-    # An empty password is used 
-    pass = nil
-
-    # BAD: empty password
-    ldap = Net::LDAP.new(
-        host: 'ldap.example.com',
-        port: 636,
-        encryption: :simple_tls,
-        auth: {
-            method: :simple,
-            username: 'uid=admin,dc=example,dc=com',
-            password: pass
-        }
-    )
-    ldap.bind
-  end
-
-  def some_request_handler
-    # An empty password is used 
-    pass = ""
-
-    # BAD: empty password
-    ldap = Net::LDAP.new
-    ldap.host = your_server_ip_address
-    ldap.encryption(:method => :simple_tls)
-    ldap.port = 639
-    ldap.auth "admin", pass
-    ldap.bind
-  end
-
 end
 
 class BarController < ApplicationController
