Python: promote LDAP injection query#7783
Conversation
The original configuration did not match sinks with sanitizers. Here it is resolved using flow state, it could also be done by using two configurations.
RasmusWL
left a comment
There was a problem hiding this comment.
The original configuration did not match sinks with sanitizers.
Here it is resolved using flow state, it could also be done by using two configurations.
Good catch. I remember this bit, and thought it was called out in the original PR, but I couldn't see it anywhere.
I think it would be a simpler setup with two configurations (if there were 3 different kinds, the state-transitions would become overly complex).
Other things
This is no LdapInjectionCustomizations.qll file, which should be added.
Please also update docs/codeql/support/reusables/frameworks.rst
Should we rename the query to simply "LDAP injection"?
I don't understand what you're suggesting. That use that for the @name field? (I'm not against it, but it would also be nice to match what it's called in Java/C#)
| } | ||
| } | ||
|
|
||
| /** |
There was a problem hiding this comment.
I'm thinking we should create an Ldap module that will contain all LDAP related concepts, like we've done for HTTP related concepts. I know that we have multiple experimental queries, so I think it could be worth the effort 👍
There was a problem hiding this comment.
I am happy to do that, it was like that in the external contribution, actually :-)
There was a problem hiding this comment.
Oh, I misunderstood. Yes, that is a good idea.
| /** | ||
| * An escape of a string so it can be safely used as a distinguished name (DN) | ||
| * in an LDAP search. | ||
| */ | ||
| class LdapDnEscaping extends Escaping { | ||
| LdapDnEscaping() { range.getKind() = Escaping::getLdapDnKind() } | ||
| } | ||
|
|
||
| /** | ||
| * An escape of a string so it can be safely used as a filter in an LDAP search. | ||
| */ | ||
| class LdapFilterEscaping extends Escaping { | ||
| LdapFilterEscaping() { range.getKind() = Escaping::getLdapFilterKind() } | ||
| } | ||
|
|
There was a problem hiding this comment.
If we do add such a Ldap module, I'm really at odds with whether we should move those ldap escaping classes in there (since they're clearly only ldap related), or whether we should keep them here close to the other escaping classes 🤔 I guess that since we have HtmlEscaping defined right here, we should not move them.
(keeping this note as a way to highlight this, but nothing to do for this code)
| DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2, | ||
| DataFlow::FlowState state2 |
There was a problem hiding this comment.
is there a reason you're not using the typical nodeFrom -> nodeTo naming?
There was a problem hiding this comment.
That comes from the data flow API. I would change it (but I will do a two-config version instead first).
I wondered about this, but forgot to write about it. Do we always add a customisations file, even if the reasonable customisations are covered by concepts? |
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
source nodes get duplicated, so perhaps flow states are actually better for performance?
RasmusWL
left a comment
There was a problem hiding this comment.
Just a few minor things, then we should be good to go 👍
| /** Provides classes for modeling new LDAP query execution-related APIs. */ | ||
| module LdapExecution { | ||
| /** Provides classes for modeling LDAP-related APIs. */ | ||
| module LDAP { |
There was a problem hiding this comment.
nitpick: our style guide suggests that because this acronym is longer than 2 characters, it should be written as Ldap. I guess there is some value in having consistency between the existing HTTP module. I'm not really sure whether this is something we need to change...
There was a problem hiding this comment.
Yeah, I modelled it after the HTTP module. I guess we can change both in a clean-up PR? Or are we creating deprecation work for ourselves that way?
python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll
Outdated
Show resolved
Hide resolved
python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll
Outdated
Show resolved
Hide resolved
RasmusWL
left a comment
There was a problem hiding this comment.
Found a really minor detail, otherwise LGTM 👍
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Some questions: