@@ -14,313 +14,4 @@ class LdapInjectionFlowConfig extends TaintTracking::Configuration {
1414 override predicate isSink ( DataFlow:: Node sink ) { sink instanceof LdapInjectionSink }
1515
1616 override predicate isSanitizer ( DataFlow:: Node node ) { node instanceof LdapInjectionSanitizer }
17-
18- override predicate isAdditionalTaintStep ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
19- ldapNameStep ( node1 , node2 ) or
20- ldapNameAddAllStep ( node1 , node2 ) or
21- ldapNameGetCloneStep ( node1 , node2 ) or
22- filterStep ( node1 , node2 ) or
23- filterToStringStep ( node1 , node2 ) or
24- unboundIdSearchRequestStep ( node1 , node2 ) or
25- unboundIdSearchRequestDuplicateStep ( node1 , node2 ) or
26- unboundIdSearchRequestSetStep ( node1 , node2 ) or
27- ldapQueryStep ( node1 , node2 ) or
28- ldapQueryBaseStep ( node1 , node2 ) or
29- ldapQueryBuilderStep ( node1 , node2 ) or
30- hardcodedFilterStep ( node1 , node2 ) or
31- springLdapFilterToStringStep ( node1 , node2 ) or
32- ldapNameBuilderStep ( node1 , node2 ) or
33- ldapNameBuilderBuildStep ( node1 , node2 ) or
34- ldapUtilsStep ( node1 , node2 ) or
35- apacheSearchRequestStep ( node1 , node2 ) or
36- apacheSearchRequestGetStep ( node1 , node2 ) or
37- apacheLdapDnStep ( node1 , node2 ) or
38- apacheLdapDnGetStep ( node1 , node2 )
39- }
40- }
41-
42- /**
43- * Holds if `n1` to `n2` is a dataflow step that converts between `String` and `LdapName`,
44- * i.e. `new LdapName(tainted)`.
45- */
46- predicate ldapNameStep ( ExprNode n1 , ExprNode n2 ) {
47- exists ( ConstructorCall cc | cc .getConstructedType ( ) instanceof TypeLdapName |
48- n1 .asExpr ( ) = cc .getAnArgument ( ) and
49- n2 .asExpr ( ) = cc
50- )
51- }
52-
53- /**
54- * Holds if `n1` to `n2` is a dataflow step that converts between `List<Rdn>` and `LdapName`,
55- * i.e. `new LdapName().addAll(tainted)`.
56- */
57- predicate ldapNameAddAllStep ( ExprNode n1 , ExprNode n2 ) {
58- exists ( MethodAccess ma |
59- n1 .asExpr ( ) = ma .getAnArgument ( ) and
60- ( n2 .asExpr ( ) = ma or n2 .asExpr ( ) = ma .getQualifier ( ) )
61- |
62- ma .getMethod ( ) instanceof MethodLdapNameAddAll
63- )
64- }
65-
66- /**
67- * Holds if `n1` to `n2` is a dataflow step that converts between `LdapName` and `LdapName` or
68- * `String`, i.e. `taintedLdapName.clone()`, `taintedLdapName.getAll()`,
69- * `taintedLdapName.getRdns()` or `taintedLdapName.toString()`.
70- */
71- predicate ldapNameGetCloneStep ( ExprNode n1 , ExprNode n2 ) {
72- exists ( MethodAccess ma , Method m |
73- n1 .asExpr ( ) = ma .getQualifier ( ) and
74- n2 .asExpr ( ) = ma and
75- ma .getMethod ( ) = m
76- |
77- m instanceof MethodLdapNameClone or
78- m instanceof MethodLdapNameGetAll or
79- m instanceof MethodLdapNameGetRdns or
80- m instanceof MethodLdapNameToString
81- )
82- }
83-
84- /**
85- * Holds if `n1` to `n2` is a dataflow step that converts between `String` and UnboundID `Filter`,
86- * i.e. `Filter.create*(tainted)`.
87- */
88- predicate filterStep ( ExprNode n1 , ExprNode n2 ) {
89- exists ( MethodAccess ma , Method m |
90- n1 .asExpr ( ) = ma .getAnArgument ( ) and
91- n2 .asExpr ( ) = ma and
92- ma .getMethod ( ) = m
93- |
94- m instanceof MethodUnboundIdFilterCreate or
95- m instanceof MethodUnboundIdFilterCreateANDFilter or
96- m instanceof MethodUnboundIdFilterCreateNOTFilter or
97- m instanceof MethodUnboundIdFilterCreateORFilter or
98- m instanceof MethodUnboundIdFilterSimplifyFilter
99- )
100- }
101-
102- /**
103- * Holds if `n1` to `n2` is a dataflow step that converts between UnboundID `Filter` and `String`,
104- * i.e. `taintedFilter.toString()` or `taintedFilter.toString(buffer)`.
105- */
106- predicate filterToStringStep ( ExprNode n1 , ExprNode n2 ) {
107- exists ( MethodAccess ma , Method m |
108- n1 .asExpr ( ) = ma .getQualifier ( ) and
109- ( n2 .asExpr ( ) = ma or n2 .asExpr ( ) = ma .getAnArgument ( ) )
110- |
111- ma .getMethod ( ) = m and
112- m .getDeclaringType ( ) instanceof TypeUnboundIdLdapFilter and
113- ( m .hasName ( "toString" ) or m .hasName ( "toNormalizedString" ) )
114- )
115- }
116-
117- /**
118- * Holds if `n1` to `n2` is a dataflow step that converts between `String` and UnboundID
119- * `SearchRequest`, i.e. `new SearchRequest(tainted)`.
120- */
121- predicate unboundIdSearchRequestStep ( ExprNode n1 , ExprNode n2 ) {
122- exists ( ConstructorCall cc , int index , Parameter param |
123- cc .getConstructedType ( ) instanceof TypeUnboundIdSearchRequest
124- |
125- n1 .asExpr ( ) = cc .getArgument ( index ) and
126- n2 .asExpr ( ) = cc and
127- cc .getConstructor ( ) .getParameter ( index ) = param and
128- not param .isVarargs ( )
129- )
130- }
131-
132- /**
133- * Holds if `n1` to `n2` is a dataflow step that converts between UnboundID `SearchRequest`
134- * and UnboundID `SearchRequest`, i.e. `taintedSearchRequest.duplicate()`.
135- */
136- predicate unboundIdSearchRequestDuplicateStep ( ExprNode n1 , ExprNode n2 ) {
137- exists ( MethodAccess ma , Method m | n1 .asExpr ( ) = ma .getQualifier ( ) and n2 .asExpr ( ) = ma |
138- ma .getMethod ( ) = m and
139- m .getDeclaringType ( ) .getAnAncestor ( ) instanceof TypeUnboundIdReadOnlySearchRequest and
140- m .hasName ( "duplicate" )
141- )
142- }
143-
144- /**
145- * Holds if `n1` to `n2` is a dataflow step that converts between DN or filter and UnboundID
146- * `SearchRequest`, i.e. `searchRequest.setBaseDN(tainted)` or `searchRequest.setFilter(tainted)`.
147- */
148- predicate unboundIdSearchRequestSetStep ( ExprNode n1 , ExprNode n2 ) {
149- exists ( MethodAccess ma , Method m |
150- n1 .asExpr ( ) = ma .getAnArgument ( ) and
151- n2 .asExpr ( ) = ma .getQualifier ( ) and
152- ma .getMethod ( ) = m
153- |
154- m instanceof MethodUnboundIdSearchRequestSetBaseDN or
155- m instanceof MethodUnboundIdSearchRequestSetFilter
156- )
157- }
158-
159- /**
160- * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Spring `LdapQuery`,
161- * i.e. `LdapQueryBuilder.query().filter(tainted)` or `LdapQueryBuilder.query().base(tainted)`.
162- */
163- predicate ldapQueryStep ( ExprNode n1 , ExprNode n2 ) {
164- exists ( MethodAccess ma , Method m , int index |
165- n1 .asExpr ( ) = ma .getArgument ( index ) and
166- n2 .asExpr ( ) = ma and
167- ma .getMethod ( ) = m and
168- index = 0
169- |
170- m instanceof MethodSpringLdapQueryBuilderFilter or
171- m instanceof MethodSpringLdapQueryBuilderBase
172- )
173- }
174-
175- /**
176- * Holds if `n1` to `n2` is a dataflow step that converts between Spring `LdapQueryBuilder` and
177- * `Name`, i.e. `taintedLdapQueryBuilder.base()`.
178- */
179- predicate ldapQueryBaseStep ( ExprNode n1 , ExprNode n2 ) {
180- exists ( MethodAccess ma , Method m |
181- n1 .asExpr ( ) = ma .getQualifier ( ) and
182- n2 .asExpr ( ) = ma and
183- ma .getMethod ( ) = m
184- |
185- m instanceof MethodSpringLdapQueryBuilderBase and
186- m .getNumberOfParameters ( ) = 0
187- )
188- }
189-
190- /**
191- * Holds if `n1` to `n2` is a dataflow step that converts between Spring `LdapQueryBuilder`,
192- * `ConditionCriteria` or `ContainerCriteria`, i.e. when the query is built, for example
193- * `query().base(tainted).where("objectclass").is("person")`.
194- */
195- predicate ldapQueryBuilderStep ( ExprNode n1 , ExprNode n2 ) {
196- exists ( MethodAccess ma , Method m |
197- n1 .asExpr ( ) = ma .getQualifier ( ) and
198- n2 .asExpr ( ) = ma and
199- ma .getMethod ( ) = m
200- |
201- (
202- m .getDeclaringType ( ) instanceof TypeSpringLdapQueryBuilder or
203- m .getDeclaringType ( ) instanceof TypeSpringConditionCriteria or
204- m .getDeclaringType ( ) instanceof TypeSpringContainerCriteria
205- ) and
206- (
207- m .getReturnType ( ) instanceof TypeSpringLdapQueryBuilder or
208- m .getReturnType ( ) instanceof TypeSpringConditionCriteria or
209- m .getReturnType ( ) instanceof TypeSpringContainerCriteria
210- )
211- )
212- }
213-
214- /**
215- * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Spring
216- * `HardcodedFilter`, i.e. `new HardcodedFilter(tainted)`.
217- */
218- predicate hardcodedFilterStep ( ExprNode n1 , ExprNode n2 ) {
219- exists ( ConstructorCall cc | cc .getConstructedType ( ) instanceof TypeSpringHardcodedFilter |
220- n1 .asExpr ( ) = cc .getAnArgument ( ) and
221- n2 .asExpr ( ) = cc
222- )
223- }
224-
225- /**
226- * Holds if `n1` to `n2` is a dataflow step that converts between Spring `Filter` and
227- * `String`, i.e. `taintedFilter.toString()`, `taintedFilter.encode()` or
228- * `taintedFilter.encode(buffer)`.
229- */
230- predicate springLdapFilterToStringStep ( ExprNode n1 , ExprNode n2 ) {
231- exists ( MethodAccess ma , Method m |
232- n1 .asExpr ( ) = ma .getQualifier ( ) and
233- ( n2 .asExpr ( ) = ma or n2 .asExpr ( ) = ma .getAnArgument ( ) ) and
234- ma .getMethod ( ) = m
235- |
236- m .getDeclaringType ( ) .getAnAncestor ( ) instanceof TypeSpringLdapFilter and
237- ( m .hasName ( "encode" ) or m .hasName ( "toString" ) )
238- )
239- }
240-
241- /**
242- * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Spring
243- * `LdapNameBuilder`, i.e. `LdapNameBuilder.newInstance(tainted)` or
244- * `LdapNameBuilder.newInstance().add(tainted)`.
245- */
246- predicate ldapNameBuilderStep ( ExprNode n1 , ExprNode n2 ) {
247- exists ( MethodAccess ma , Method m |
248- n1 .asExpr ( ) = ma .getAnArgument ( ) and
249- ( n2 .asExpr ( ) = ma or n2 .asExpr ( ) = ma .getQualifier ( ) ) and
250- ma .getMethod ( ) = m and
251- m .getNumberOfParameters ( ) = 1
252- |
253- m instanceof MethodSpringLdapNameBuilderNewInstance or
254- m instanceof MethodSpringLdapNameBuilderAdd
255- )
256- }
257-
258- /**
259- * Holds if `n1` to `n2` is a dataflow step that converts between tainted Spring `LdapNameBuilder`
260- * and `LdapName`, `LdapNameBuilder.build()`.
261- */
262- predicate ldapNameBuilderBuildStep ( ExprNode n1 , ExprNode n2 ) {
263- exists ( MethodAccess ma | n1 .asExpr ( ) = ma .getQualifier ( ) and n2 .asExpr ( ) = ma |
264- ma .getMethod ( ) instanceof MethodSpringLdapNameBuilderBuild
265- )
266- }
267-
268- /**
269- * Holds if `n1` to `n2` is a dataflow step that converts between `String` and `LdapName` via
270- * Spring `LdapUtils.newLdapName`, i.e. `LdapUtils.newLdapName(tainted)`.
271- */
272- predicate ldapUtilsStep ( ExprNode n1 , ExprNode n2 ) {
273- exists ( MethodAccess ma | n1 .asExpr ( ) = ma .getAnArgument ( ) and n2 .asExpr ( ) = ma |
274- ma .getMethod ( ) instanceof MethodSpringLdapUtilsNewLdapName
275- )
276- }
277-
278- /**
279- * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Apache LDAP API
280- * `SearchRequest`, i.e. `searchRequest.setFilter(tainted)` or `searchRequest.setBase(tainted)`.
281- */
282- predicate apacheSearchRequestStep ( ExprNode n1 , ExprNode n2 ) {
283- exists ( MethodAccess ma , Method m |
284- n1 .asExpr ( ) = ma .getAnArgument ( ) and
285- n2 .asExpr ( ) = ma .getQualifier ( )
286- |
287- ma .getMethod ( ) = m and
288- m .getDeclaringType ( ) .getAnAncestor ( ) instanceof TypeApacheSearchRequest and
289- ( m .hasName ( "setFilter" ) or m .hasName ( "setBase" ) )
290- )
291- }
292-
293- /**
294- * Holds if `n1` to `n2` is a dataflow step that converts between Apache LDAP API `SearchRequest`
295- * and filter or DN i.e. `tainterSearchRequest.getFilter()` or `taintedSearchRequest.getBase()`.
296- */
297- predicate apacheSearchRequestGetStep ( ExprNode n1 , ExprNode n2 ) {
298- exists ( MethodAccess ma , Method m | n1 .asExpr ( ) = ma .getQualifier ( ) and n2 .asExpr ( ) = ma |
299- ma .getMethod ( ) = m and
300- m .getDeclaringType ( ) .getAnAncestor ( ) instanceof TypeApacheSearchRequest and
301- ( m .hasName ( "getFilter" ) or m .hasName ( "getBase" ) )
302- )
303- }
304-
305- /**
306- * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Apache LDAP API
307- * `Dn`, i.e. `new Dn(tainted)`.
308- */
309- predicate apacheLdapDnStep ( ExprNode n1 , ExprNode n2 ) {
310- exists ( ConstructorCall cc | cc .getConstructedType ( ) instanceof TypeApacheDn |
311- n1 .asExpr ( ) = cc .getAnArgument ( ) and
312- n2 .asExpr ( ) = cc
313- )
314- }
315-
316- /**
317- * Holds if `n1` to `n2` is a dataflow step that converts between Apache LDAP API `Dn`
318- * and `String` i.e. `taintedDn.getName()`, `taintedDn.getNormName()` or `taintedDn.toString()`.
319- */
320- predicate apacheLdapDnGetStep ( ExprNode n1 , ExprNode n2 ) {
321- exists ( MethodAccess ma , Method m | n1 .asExpr ( ) = ma .getQualifier ( ) and n2 .asExpr ( ) = ma |
322- ma .getMethod ( ) = m and
323- m .getDeclaringType ( ) .getAnAncestor ( ) instanceof TypeApacheDn and
324- ( m .hasName ( "getName" ) or m .hasName ( "getNormName" ) or m .hasName ( "toString" ) )
325- )
32617}