7de9214
Upload LDAP Insecure authentication query and tests
jorgectf Mar 18, 2021
3ce0a9c
Move to experimental folder
jorgectf Mar 18, 2021
957b3e1
Precision warn
jorgectf Mar 18, 2021
edb273a
Merge remote-tracking branch 'origin/jorgectf/python/ldapimproperauth…
jorgectf Jul 22, 2021
a34d6d3
Port to ApiGraphs and finish the query
jorgectf Jul 22, 2021
b03e75e
Extend `ldap3`'s `start_tls` and fix tests
jorgectf Jul 22, 2021
f02b6d6
Merge branch 'github:main' into jorgectf/python/ldapinsecureauth
jorgectf Jul 22, 2021
d458464
Apply suggestions from code review
jorgectf Aug 26, 2021
786edb7
Update `.expected`
jorgectf Aug 26, 2021
64b305c
Add `.qhelp` along with its example
jorgectf Aug 26, 2021
1bc16fb
Apply suggestions from code review
jorgectf Sep 7, 2021
ee98c0c
Add `start_tls_s()` comment and use `DataFlow::MethodCallNode` instead
jorgectf Sep 7, 2021
b802d79
Fix `OPT_X_TLS_` mandatory options
jorgectf Sep 7, 2021
8008011
Fix taint tracking comment
jorgectf Sep 7, 2021
4e261c6
Optimize `concatAndCompareAgainstFullHostRegex`
jorgectf Sep 7, 2021
54012eb
Optimize `getFullHostRegex`
jorgectf Sep 12, 2021
18b05bc
Fix tests and add global option
jorgectf Sep 12, 2021
3cf28ad
Merge remote-tracking branch 'origin/main' into jorgectf/python/ldapi…
jorgectf Sep 12, 2021
353c0a9
Add missing comment
jorgectf Sep 12, 2021
2ccc6dc
Merge branch 'main' into jorgectf/python/ldapinsecureauth
jorgectf Sep 14, 2021
b505662
Fix global test and update `.expected`
jorgectf Sep 14, 2021
70489b2
Merge branch 'main' into jorgectf/python/ldapinsecureauth
RasmusWL Sep 23, 2021
ef6e502
Python: Make LDAP global options test better
RasmusWL Sep 23, 2021
Apply suggestions from code review
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
jorgectf and RasmusWL authored Sep 7, 2021
commit 1bc16fb31e6c2e02414e63c5a65a83194f79042a
Expand Up @@ -17,7 +17,7 @@ to be sent in cleartext making it easier for an attacker to intercept it.</p>

<p>The first one sets <code>use_SSL</code> to true as a keyword argument whereas the second one fails to provide a value for it, so
the default one is used (<code>False</code>).</p>
<sample src="LDAPInsecureAuth.py" />
<sample src="examples/LDAPInsecureAuth.py" />
</example>

</qhelp>
Expand Up @@ -3,7 +3,7 @@
* @description Python LDAP Insecure LDAP Authentication
* @kind path-problem
* @problem.severity error
* @id python/insecure-ldap-auth
* @id py/insecure-ldap-auth
* @tags experimental
* security
* external/cwe/cwe-522
Expand Up @@ -115,9 +115,10 @@ private module LDAP {
initialize = ldapInitialize().getACall() and
(
// ldap_connection.start_tls_s()
// see https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap.LDAPObject.start_tls_s
exists(DataFlow::AttrRead startTLS |
startTLS.getObject().getALocalSource() = initialize and
startTLS.getAttributeName().matches("%start_tls%")
startTLS.getAttributeName() = "start_tls_s"
)
or
// ldap_connection.set_option(ldap.OPT_X_TLS_%s, True)
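Review bot: The new `startTLS.getAttributeName() = "start_tls_s"` line still sits inside `exists(DataFlow::AttrRead startTLS | ...)`, which accepts any read of the attribute, including a bare `conn.start_tls_s` reference that is never invoked, so a connection can be treated as TLS-protected without the upgrade ever running; suggest `exists(DataFlow::MethodCallNode startTLS | startTLS.getObject().getALocalSource() = initialize and startTLS.getMethodName() = "start_tls_s")` so that only an actual call satisfies the disjunct. The exact-name match is tighter than the previous `%start_tls%` pattern, which fits the python-ldap case this branch documents, provided `ldap3`'s `start_tls` is covered by its own branch outside this hunk. Nothing visible constrains that the call precedes the bind, so a `start_tls_s()` issued after credentials are sent would still satisfy the check; if that ordering is deliberately out of scope, a one-line comment saying so would help. The enclosing predicate starts before and ends after this hunk.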
Expand Up @@ -23,7 +23,8 @@ class LDAPFullHost extends StrConst {
exists(string s |
s = this.getText() and
s.regexpMatch(getFullHostRegex()) and
not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex()) // No need to check for ldaps, it would be SSL by default.
// check what comes after the `ldap://` prefix
not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())
)
}
}
Expand All @@ -36,7 +37,7 @@ class LDAPPrivateHost extends StrConst {
LDAPPrivateHost() { this.getText().regexpMatch(getPrivateHostRegex()) }
}

predicate concatAndCompareAgainstFullHostRegex(Expr schema, Expr host) {
predicate concatAndCompareAgainstFullHostRegex(LDAPSchema schema, StrConst host) {
schema instanceof LDAPSchema and
not host instanceof LDAPPrivateHost and
exists(string full_host |
Expand Down Expand Up @@ -96,6 +97,7 @@ class LDAPInsecureAuthConfig extends TaintTracking::Configuration {

override predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource or
source.asExpr() instanceof LDAPFullHost or
source.asExpr() instanceof LDAPBothStrings or
source.asExpr() instanceof LDAPBothVar or
source.asExpr() instanceof LDAPVarString or
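Review bot: The replacement comment above `not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())` drops the earlier rationale for why only `ldap://` is considered (an `ldaps://` host is SSL by default and is not an insecure host), and the literal `7` silently relies on `getFullHostRegex()`, defined outside this hunk, matching exactly that seven-character prefix; suggest `// check only what follows the 7-char ldap:// prefix (getFullHostRegex guarantees it); ldaps:// hosts are skipped since they use SSL by default`. In the `concatAndCompareAgainstFullHostRegex` hunk the parameter is now declared as `LDAPSchema schema`, so the `schema instanceof LDAPSchema and` conjunct on the following line is redundant and can be dropped. Both predicates continue beyond their hunks.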