8715d29
Upload LDAP Improper authentication query, qhelp and tests
jorgectf Mar 18, 2021
809bf23
Move to experimental folder
jorgectf Mar 18, 2021
2f874c5
Precision warn and Remove CWE (broken) reference
jorgectf Mar 18, 2021
bfd4280
Fix imports and begin refactor
jorgectf Apr 6, 2021
db1f54a
Polish query file
jorgectf Apr 7, 2021
aa7763b
Set up Concepts
jorgectf Apr 7, 2021
8ca6e84
Refactor Calls to use ApiGraphs
jorgectf Apr 7, 2021
7e45649
Set up taint config and custom sink
jorgectf Apr 7, 2021
63bd323
Improve qhelp
jorgectf Apr 8, 2021
20fc5db
Polish query file
jorgectf Apr 8, 2021
2392be0
Improve sink
jorgectf Apr 8, 2021
015d203
Improve tests, move them and create qhelp examples
jorgectf Apr 8, 2021
1320eee
Add qlref
jorgectf Apr 8, 2021
5787406
Add .expected
jorgectf Apr 8, 2021
f140601
Write documentation
jorgectf Apr 8, 2021
ae806cd
Merge branch 'github:main' into jorgectf/python/ldapimproperauth
jorgectf May 7, 2021
1662c5d
resolve merge conflict
jorgectf Jun 14, 2021
d34d2ed
Add .qlref
jorgectf Jun 17, 2021
13cfcec
Change qhelp explanation
jorgectf Jun 17, 2021
5704ac3
Rework LDAP framework modeling
jorgectf Jun 17, 2021
9cbb7e0
Change query objective
jorgectf Jun 17, 2021
1d7ddce
Update .expected
jorgectf Jun 17, 2021
dfe16aa
Python: Handle both positional and keyword args for LDAP bind
RasmusWL Jun 28, 2021
b33f6a3
Python: Fix select for py/improper-ldap-auth
RasmusWL Jun 28, 2021
4a2c99a
Python: Inline `LDAPImproperAuth.qll`
RasmusWL Jun 28, 2021
5477b2e
Python: Minor refactoring cleanup
RasmusWL Jun 28, 2021
b942251
Rephrase .qhelp
jorgectf Jun 28, 2021
1d4d8ab
Fix tests
jorgectf Jun 28, 2021
1d432af
Update `.expected`
jorgectf Jun 28, 2021
2f9e645
Hardcode `ldap2` binding functions
jorgectf Jun 29, 2021
71e6db8
Merge branch 'main' into jorgectf/python/ldapimproperauth
RasmusWL Jul 22, 2021
42a997c
Python: Fix deprecation warning
RasmusWL Jul 22, 2021
Fix tests
jorgectf committed Jun 28, 2021
commit 1d4d8ab6e0cd53f9785072384891e88de5dbbd70
@@ -1,11 +1,13 @@
from flask import request, Flask
import ldap
import ldap.filter
import ldap.dn


@app.route("/bind_example")
def bind_example():
dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.bind('cn=root', "")
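Review bot: The bind on the last visible line, `ldap_connection.bind('cn=root', "")`, is the statement this example seems to exist for, yet nothing in the file marks it. Now that the DN and the filter are escaped, a reader can easily mistake the snippet for a correct one. I would add a comment directly above the call, such as `# BAD: empty password, the server may accept this as an unauthenticated bind`. The same applies to `Connection(srv, user='user_dn', password=None)` in the ldap3 example in the next file; both functions continue past the visible lines.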
@@ -1,11 +1,12 @@
from ldap3 import Server, Connection, ALL
from flask import request, Flask

from ldap3.utils.dn import escape_rdn
from ldap3.utils.conv import escape_filter_chars

@app.route("/passwordNone")
def passwordNone():
dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(escape_rdn(request.args['dc']))
search_filter = "(user={})".format(escape_filter_chars(request.args['search']))

srv = Server('servername', get_info=ALL)
conn = Connection(srv, user='user_dn', password=None)
@@ -1,13 +1,14 @@
from flask import request, Flask
import ldap
import os
import ldap.filter
import ldap.dn


@app.route("/bind_example")
def bind_example():
dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.bind('cn=root', os.environ.get('LDAP_PASSWORD'))
ldap_connection.bind('cn=root', "SecurePa$$!")
user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
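Review bot: The replacement call `ldap_connection.bind('cn=root', "SecurePa$$!")` puts a password literal into what looks like the recommended example, so anyone who copies it ends up with a hard-coded credential in source. If the literal is only there so the query can see a non-empty value (a guess, since `os.environ.get` can return None), I would keep `import os` and fail closed instead: `password = os.environ['LDAP_PASSWORD']` followed by `if not password: raise ValueError("LDAP_PASSWORD is empty")`. If the literal has to stay, add `# placeholder only: load the real secret from configuration, never from source` above the bind. The same literal is introduced in the `Connection(...)` call of the ldap3 example in the next file.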
@@ -1,14 +1,14 @@
from ldap3 import Server, Connection, ALL
from flask import request, Flask
import os

from ldap3.utils.dn import escape_rdn
from ldap3.utils.conv import escape_filter_chars

@app.route("/passwordFromEnv")
def passwordFromEnv():
dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(escape_rdn(request.args['dc']))
search_filter = "(user={})".format(escape_filter_chars(request.args['search']))

srv = Server('servername', get_info=ALL)
conn = Connection(srv, user='user_dn',
password=os.environ.get('LDAP_PASSWORD'))
password="SecurePa$$!")
status, result, response, _ = conn.search(dn, search_filter)
@@ -1,18 +1,19 @@
from flask import request, Flask
import ldap
import ldap.filter
import ldap.dn

app = Flask(__name__)


@app.route("/simple_bind_example")
def simple_bind_example():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is not set
The bind's password argument is not set
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.simple_bind('cn=root')
Expand All @@ -22,12 +23,11 @@ def simple_bind_example():
@app.route("/simple_bind_s_example")
def simple_bind_s_example():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is not set
The bind's password argument is not set
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.simple_bind_s('cn=root')
Expand All @@ -37,12 +37,11 @@ def simple_bind_s_example():
@app.route("/bind_s_example")
def bind_s_example():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is set to None
The bind's password argument is set to None
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.bind_s('cn=root', None)
Expand All @@ -51,12 +50,11 @@ def bind_s_example():
@app.route("/bind_s_example")
def bind_s_example_kwargs():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is set to None
The bind's password argument is set to None
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.bind_s(who='cn=root', cred=None)
Expand All @@ -65,12 +63,11 @@ def bind_s_example_kwargs():
@app.route("/bind_example")
def bind_example():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is set to None
The bind's password argument is an empty string
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.bind('cn=root', "")
Expand All @@ -80,12 +77,11 @@ def bind_example():
@app.route("/bind_example")
def bind_example():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is set to None
The bind's password argument is an empty string
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.bind(who='cn=root', cred="")
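Review bot: `bind_example` is defined twice in this file under the same `/bind_example` route (the header of the last hunk already names `bind_example` as the preceding function), so the keyword-argument variant rebinds the positional one, and Flask would most likely reject the duplicate endpoint if the module were ever imported. Static analysis still sees both bodies, but distinct names keep test results and later edits unambiguous. I would rename the second one the way `bind_s_example_kwargs` was: `@app.route("/bind_example_kwargs")` and `def bind_example_kwargs():`. `bind_s_example_kwargs` itself still reuses the `/bind_s_example` route, and the last function's body continues past the visible lines.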
@@ -1,18 +1,19 @@
from ldap3 import Server, Connection, ALL
from flask import request, Flask
from ldap3.utils.dn import escape_rdn
from ldap3.utils.conv import escape_filter_chars

app = Flask(__name__)


@app.route("/passwordNone")
def passwordNone():
"""
A RemoteFlowSource is used directly as DN and search filter while the connection's password
is set to None
The bind's password argument is set to None
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(escape_rdn(request.args['dc']))
search_filter = "(user={})".format(escape_filter_chars(request.args['search']))

srv = Server('servername', get_info=ALL)
conn = Connection(srv, 'user_dn', None)
Expand All @@ -22,12 +23,11 @@ def passwordNone():
@app.route("/passwordNone")
def passwordNoneKwargs():
"""
A RemoteFlowSource is used directly as DN and search filter while the connection's password
is set to None
The bind's password argument is set to None
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(escape_rdn(request.args['dc']))
search_filter = "(user={})".format(escape_filter_chars(request.args['search']))

srv = Server('servername', get_info=ALL)
conn = Connection(srv, user='user_dn', password=None)
Expand All @@ -36,12 +36,11 @@ def passwordNoneKwargs():
@app.route("/passwordEmpty")
def passwordEmpty():
"""
A RemoteFlowSource is used directly as DN and search filter while the connection's password
is empty
The bind's password argument is an empty string
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(escape_rdn(request.args['dc']))
search_filter = "(user={})".format(escape_filter_chars(request.args['search']))

srv = Server('servername', get_info=ALL)
conn = Connection(srv, user='user_dn', password="")
Expand All @@ -51,12 +50,11 @@ def passwordEmpty():
@app.route("/notPassword")
def notPassword():
"""
A RemoteFlowSource is used directly as DN and search filter while the connection's password
is not set
The bind's password argument is not set
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(escape_rdn(request.args['dc']))
search_filter = "(user={})".format(escape_filter_chars(request.args['search']))

srv = Server('servername', get_info=ALL)
conn = Connection(srv, user='user_dn')
@@ -1,67 +1,64 @@
from flask import request, Flask
import ldap
import os
import ldap.filter
import ldap.dn

app = Flask(__name__)


@app.route("/simple_bind_example")
def simple_bind_example():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is an environment variable
The bind's password argument is a non-empty string
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.simple_bind('cn=root', os.environ.get('LDAP_PASSWORD'))
ldap_connection.simple_bind('cn=root', "SecurePa$$!")
user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)


@app.route("/simple_bind_s_example")
def simple_bind_s_example():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is an environment variable
The bind's password argument is a non-empty string
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.simple_bind_s('cn=root', os.environ.get('LDAP_PASSWORD'))
ldap_connection.simple_bind_s('cn=root', "SecurePa$$!")
user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)


@app.route("/bind_s_example")
def bind_s_example():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is an environment variable
The bind's password argument is a non-empty string
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.bind_s('cn=root', os.environ.get('LDAP_PASSWORD'))
ldap_connection.bind_s('cn=root', "SecurePa$$!")
user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)


@app.route("/bind_example")
def bind_example():
"""
A RemoteFlowSource is used directly as DN and search filter while the bind's password
is an environment variable
The bind's password argument is a non-empty string
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(ldap.dn.escape_dn_chars(request.args['dc']))
search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search']))

ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
ldap_connection.bind('cn=root', os.environ.get('LDAP_PASSWORD'))
ldap_connection.bind('cn=root', "SecurePa$$!")
user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)

# if __name__ == "__main__":
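Review bot: Replacing every `os.environ.get('LDAP_PASSWORD')` with the literal `"SecurePa$$!"` leaves what appear to be the non-flagged test cases covering constant passwords only, which is the least common shape in real code. A password read from the environment or a config object can be None or empty at run time, and after this change no test records whether the query reports or ignores that case. I would keep one function with the environment lookup next to the literal ones, e.g. `ldap_connection.bind_s('cn=root', os.environ.get('LDAP_PASSWORD'))` with `import os` retained, and let `.expected` document the outcome. The ldap3 test file that follows drops its only environment-variable case in the same way.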
@@ -1,23 +1,23 @@
from ldap3 import Server, Connection, ALL
from flask import request, Flask
import os
from ldap3.utils.dn import escape_rdn
from ldap3.utils.conv import escape_filter_chars

app = Flask(__name__)


@app.route("/passwordFromEnv")
def passwordFromEnv():
"""
A RemoteFlowSource is used directly as DN and search filter while the connection's password
is an environment variable
The bind's password argument is a non-empty string
"""

dn = request.args['dc']
search_filter = request.args['search']
dn = "dc={}".format(escape_rdn(request.args['dc']))
search_filter = "(user={})".format(escape_filter_chars(request.args['search']))

srv = Server('servername', get_info=ALL)
conn = Connection(srv, user='user_dn',
password=os.environ.get('LDAP_PASSWORD'))
password="SecurePa$$!")
status, result, response, _ = conn.search(dn, search_filter)

# if __name__ == "__main__":