|
| 1 | +/** |
| 2 | + * @name Python LDAP Injection |
| 3 | + * @description Python LDAP Injection through search filter |
| 4 | + * @kind path-problem |
| 5 | + * @problem.severity error |
| 6 | + * @id python/ldap-injection |
| 7 | + * @tags experimental |
| 8 | + * security |
| 9 | + * external/cwe/cwe-090 |
| 10 | + */ |
| 11 | + |
| 12 | +import python |
| 13 | +import semmle.python.dataflow.new.RemoteFlowSources |
| 14 | +import semmle.python.dataflow.new.DataFlow |
| 15 | +import semmle.python.dataflow.new.TaintTracking |
| 16 | +import semmle.python.dataflow.new.internal.TaintTrackingPublic |
| 17 | +import DataFlow::PathGraph |
| 18 | + |
| 19 | +class InitializeSink extends DataFlow::Node { |
| 20 | + InitializeSink() { |
| 21 | + exists(SsaVariable initVar, CallNode searchCall | |
| 22 | + // get variable whose value equals a call to ldap.initialize |
| 23 | + initVar.getDefinition().getImmediateDominator() = Value::named("ldap.initialize").getACall() and |
| 24 | + // get the Call in which the previous variable is used |
| 25 | + initVar.getAUse().getNode() = searchCall.getNode().getFunc().(Attribute).getObject() and |
| 26 | + // restrict that call's attribute (something.this) to match %search% |
| 27 | + searchCall.getNode().getFunc().(Attribute).getName().matches("%search%") and |
| 28 | + // set the third argument (search_filter) as sink |
| 29 | + this.asExpr() = searchCall.getArg(2).getNode() |
| 30 | + // set the first argument (DN) as sink |
| 31 | + // or this.asExpr() = searchCall.getArg(0) // Should this be set? |
| 32 | + ) |
| 33 | + } |
| 34 | +} |
| 35 | + |
| 36 | +class ConnectionSink extends DataFlow::Node { |
| 37 | + ConnectionSink() { |
| 38 | + exists(SsaVariable connVar, CallNode searchCall | |
| 39 | + // get variable whose value equals a call to ldap.initialize |
| 40 | + connVar.getDefinition().getImmediateDominator() = Value::named("ldap3.Connection").getACall() and |
| 41 | + // get the Call in which the previous variable is used |
| 42 | + connVar.getAUse().getNode() = searchCall.getNode().getFunc().(Attribute).getObject() and |
| 43 | + // restrict that call's attribute (something.this) to match %search% |
| 44 | + searchCall.getNode().getFunc().(Attribute).getName().matches("%search%") and |
| 45 | + // set the second argument (search_filter) as sink |
| 46 | + this.asExpr() = searchCall.getArg(1).getNode() |
| 47 | + // set the first argument (DN) as sink |
| 48 | + // or this.asExpr() = searchCall.getArg(0) // Should this be set? |
| 49 | + ) |
| 50 | + } |
| 51 | +} |
| 52 | + |
| 53 | +class EscapeSanitizer extends DataFlow::Node { |
| 54 | + EscapeSanitizer() { |
| 55 | + exists(Call c | |
| 56 | + ( |
| 57 | + // avoid flow through any %escape% function |
| 58 | + c.getFunc().(Attribute).getName().matches("%escape%") or // something.%escape%() |
| 59 | + c.getFunc().(Name).getId().matches("%escape%") // %escape%() |
| 60 | + ) and |
| 61 | + this.asExpr() = c |
| 62 | + ) |
| 63 | + } |
| 64 | +} |
| 65 | + |
| 66 | +class LDAPInjectionSink extends DataFlow::Node { |
| 67 | + LDAPInjectionSink() { |
| 68 | + this instanceof InitializeSink or |
| 69 | + this instanceof ConnectionSink |
| 70 | + } |
| 71 | +} |
| 72 | + |
| 73 | +class LDAPInjectionFlowConfig extends TaintTracking::Configuration { |
| 74 | + LDAPInjectionFlowConfig() { this = "LDAPInjectionFlowConfig" } |
| 75 | + |
| 76 | + override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } |
| 77 | + |
| 78 | + override predicate isSink(DataFlow::Node sink) { sink instanceof LDAPInjectionSink } |
| 79 | + |
| 80 | + override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof EscapeSanitizer } |
| 81 | +} |
| 82 | + |
| 83 | +from LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink |
| 84 | +where config.hasFlowPath(source, sink) |
| 85 | +select sink.getNode(), source, sink, "$@ LDAP query executes $@.", sink.getNode(), "This", |
| 86 | + source.getNode(), "a user-provided value" |
0 commit comments