-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathLdap.qll
More file actions
106 lines (85 loc) · 3.42 KB
/
Ldap.qll
File metadata and controls
106 lines (85 loc) · 3.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
/**
* Provides modeling for `net-ldap` a ruby library for LDAP.
*/
private import ruby
private import codeql.ruby.ApiGraphs
private import codeql.ruby.dataflow.FlowSummary
private import codeql.ruby.Concepts
/**
* Provides modeling for `net-ldap` a ruby library for LDAP.
*/
module NetLdap {
/**
* Flow summary for `Net::LDAP.new`. This method establishes a connection to a LDAP server.
*/
private class LdapConnSummary extends SummarizedCallable::Range {
LdapConnSummary() { this = "Net::LDAP.new" }
override MethodCall getACall() { result = any(NetLdapConnection l).asExpr().getExpr() }
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
}
}
/**
* Flow summary for `Net::LDAP.Filter`.
*/
private class LdapFilterSummary extends SummarizedCallable::Range {
LdapFilterSummary() { this = "Net::LDAP::Filter" }
override MethodCall getACall() { result = any(NetLdapFilter l).asExpr().getExpr() }
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
input = ["Argument[0]", "Argument[1]"] and output = "ReturnValue" and preservesValue = false
}
}
/** Net LDAP Api Node */
private API::Node ldap() { result = API::getTopLevelMember("Net").getMember("LDAP") }
/** A call that establishes a LDAP Connection */
private class NetLdapConnection extends DataFlow::CallNode {
NetLdapConnection() { this in [ldap().getAnInstantiation(), ldap().getAMethodCall("open")] }
predicate usesSsl() {
getValue(this, "encryption").getConstantValue().isStringlikeValue("simple_tls")
}
DataFlow::Node getAuthValue(string arg) {
result =
this.getKeywordArgument("auth")
.(DataFlow::HashLiteralNode)
.getElementFromKey(any(Ast::ConstantValue cv | cv.isStringlikeValue(arg)))
}
}
/** A call that constructs a LDAP query */
private class NetLdapFilter extends LdapConstruction::Range, DataFlow::CallNode {
NetLdapFilter() {
this =
any(ldap()
.getMember("Filter")
.getAMethodCall([
"begins", "bineq", "contains", "ends", "eq", "equals", "ex", "ge", "le", "ne",
"present"
])
)
}
override DataFlow::Node getQuery() { result = this.getArgument([0, 1]) }
}
/** A call considered as a LDAP execution. */
private class NetLdapExecution extends LdapExecution::Range, DataFlow::CallNode {
NetLdapExecution() { this = any(NetLdapConnection l).getAMethodCall("search") }
override DataFlow::Node getQuery() { result = this.getKeywordArgument(_) }
}
/** A call considered as a LDAP bind. */
private class NetLdapBind extends LdapBind::Range, DataFlow::CallNode {
private NetLdapConnection l;
NetLdapBind() { this = l.getAMethodCall("bind") }
override DataFlow::Node getHost() { result = getValue(l, "host") }
override DataFlow::Node getPassword() {
result = l.getAuthValue("password") or
result = l.getAMethodCall("auth").getArgument(1)
}
override predicate usesSsl() { l.usesSsl() }
}
/** LDAP Attribute value */
DataFlow::Node getValue(NetLdapConnection l, string attr) {
result =
[
l.getKeywordArgument(attr), l.getAMethodCall(attr).getArgument(0),
l.getAMethodCall(attr).getKeywordArgument(attr)
]
}
}