Skip to content

Python: promote LDAP injection query#7783

Merged
RasmusWL merged 16 commits intogithub:mainfrom
yoff:python/promote-ldap-injection
Feb 15, 2022
Merged

Python: promote LDAP injection query#7783
RasmusWL merged 16 commits intogithub:mainfrom
yoff:python/promote-ldap-injection

Conversation

@yoff
Copy link
Contributor

@yoff yoff commented Jan 28, 2022

Some questions:

  • Is the use of flow states acceptable or would you rather see two configurations?
  • Should we rename the query to simply "LDAP injection"?

@yoff yoff requested a review from a team as a code owner January 28, 2022 13:03
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original configuration did not match sinks with sanitizers.
Here it is resolved using flow state, it could also be done by using two configurations.

Good catch. I remember this bit, and thought it was called out in the original PR, but I couldn't see it anywhere.

I think it would be a simpler setup with two configurations (if there were 3 different kinds, the state-transitions would become overly complex).

Other things

This is no LdapInjectionCustomizations.qll file, which should be added.

Please also update docs/codeql/support/reusables/frameworks.rst

Should we rename the query to simply "LDAP injection"?

I don't understand what you're suggesting. That use that for the @name field? (I'm not against it, but it would also be nice to match what it's called in Java/C#)

}
}

/**
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm thinking we should create an Ldap module that will contain all LDAP related concepts, like we've done for HTTP related concepts. I know that we have multiple experimental queries, so I think it could be worth the effort 👍

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am happy to do that, it was like that in the external contribution, actually :-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I misunderstood. Yes, that is a good idea.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Comment on lines +576 to +590
/**
* An escape of a string so it can be safely used as a distinguished name (DN)
* in an LDAP search.
*/
class LdapDnEscaping extends Escaping {
LdapDnEscaping() { range.getKind() = Escaping::getLdapDnKind() }
}

/**
* An escape of a string so it can be safely used as a filter in an LDAP search.
*/
class LdapFilterEscaping extends Escaping {
LdapFilterEscaping() { range.getKind() = Escaping::getLdapFilterKind() }
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we do add such a Ldap module, I'm really at odds with whether we should move those ldap escaping classes in there (since they're clearly only ldap related), or whether we should keep them here close to the other escaping classes 🤔 I guess that since we have HtmlEscaping defined right here, we should not move them.

(keeping this note as a way to highlight this, but nothing to do for this code)

Comment on lines +39 to +40
DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
DataFlow::FlowState state2
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a reason you're not using the typical nodeFrom -> nodeTo naming?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That comes from the data flow API. I would change it (but I will do a two-config version instead first).

@yoff
Copy link
Contributor Author

yoff commented Feb 1, 2022

This is no LdapInjectionCustomizations.qll file, which should be added.

I wondered about this, but forgot to write about it. Do we always add a customisations file, even if the reasonable customisations are covered by concepts?

yoff and others added 5 commits February 1, 2022 10:06
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
source nodes get duplicated, so perhaps flow states
are actually better for performance?
@yoff yoff requested a review from RasmusWL February 1, 2022 13:40
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few minor things, then we should be good to go 👍

/** Provides classes for modeling new LDAP query execution-related APIs. */
module LdapExecution {
/** Provides classes for modeling LDAP-related APIs. */
module LDAP {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: our style guide suggests that because this acronym is longer than 2 characters, it should be written as Ldap. I guess there is some value in having consistency between the existing HTTP module. I'm not really sure whether this is something we need to change...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I modelled it after the HTTP module. I guess we can change both in a clean-up PR? Or are we creating deprecation work for ourselves that way?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's OK

@yoff yoff requested a review from RasmusWL February 14, 2022 10:56
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found a really minor detail, otherwise LGTM 👍

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
@yoff yoff requested a review from RasmusWL February 14, 2022 15:06
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍

@RasmusWL RasmusWL merged commit 5a90214 into github:main Feb 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants