Skip to content

Commit f28f1af

Browse files
egregius313egregius313
committed
Add InsecureLdapUrlSink 
1 parent 24d4859 commit f28f1af

File tree

2 files changed

+17
-20
lines changed

2 files changed

+17
-20
lines changed

java/ql/lib/semmle/code/java/security/InsecureLdapAuth.qll

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
/** Provides classes to reason about insecure LDAP authentication. */
22

33
import java
4+
private import semmle.code.java.dataflow.DataFlow
45
private import semmle.code.java.frameworks.Networking
56
private import semmle.code.java.frameworks.Jndi
67

@@ -113,3 +114,12 @@ predicate isSslEnv(MethodAccess ma) {
113114
hasFieldValueEnv(ma, "java.naming.security.protocol", "ssl") or
114115
hasFieldNameEnv(ma, "SECURITY_PROTOCOL", "ssl")
115116
}
117+
118+
class InsecureLdapUrlSink extends DataFlow::Node {
119+
InsecureLdapUrlSink() {
120+
exists(ConstructorCall cc |
121+
cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
122+
this.asExpr() = cc.getArgument(0)
123+
)
124+
}
125+
}

java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll

Lines changed: 7 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -12,12 +12,7 @@ import semmle.code.java.security.InsecureLdapAuth
1212
private module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
1313
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof InsecureLdapUrl }
1414

15-
predicate isSink(DataFlow::Node sink) {
16-
exists(ConstructorCall cc |
17-
cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
18-
sink.asExpr() = cc.getArgument(0)
19-
)
20-
}
15+
predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
2116

2217
/** Method call of `env.put()`. */
2318
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
@@ -37,16 +32,12 @@ module InsecureLdapUrlFlow = TaintTracking::Make<InsecureLdapUrlConfig>;
3732
private module BasicAuthConfig implements DataFlow::ConfigSig {
3833
predicate isSource(DataFlow::Node src) {
3934
exists(MethodAccess ma |
40-
isBasicAuthEnv(ma) and ma.getQualifier() = src.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
35+
isBasicAuthEnv(ma) and
36+
ma.getQualifier() = src.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
4137
)
4238
}
4339

44-
predicate isSink(DataFlow::Node sink) {
45-
exists(ConstructorCall cc |
46-
cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
47-
sink.asExpr() = cc.getArgument(0)
48-
)
49-
}
40+
predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
5041
}
5142

5243
module BasicAuthFlow = DataFlow::Make<BasicAuthConfig>;
@@ -57,16 +48,12 @@ module BasicAuthFlow = DataFlow::Make<BasicAuthConfig>;
5748
private module RequiresSslConfig implements DataFlow::ConfigSig {
5849
predicate isSource(DataFlow::Node src) {
5950
exists(MethodAccess ma |
60-
isSslEnv(ma) and ma.getQualifier() = src.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
51+
isSslEnv(ma) and
52+
ma.getQualifier() = src.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
6153
)
6254
}
6355

64-
predicate isSink(DataFlow::Node sink) {
65-
exists(ConstructorCall cc |
66-
cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
67-
sink.asExpr() = cc.getArgument(0)
68-
)
69-
}
56+
predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
7057
}
7158

7259
module RequiresSslFlow = DataFlow::Make<RequiresSslConfig>;

0 commit comments

Comments
 (0)