Add `""` and `nil` as sources

2023-08-22 18:10:33 +02:00 · 2023-08-22 18:10:33 +02:00 · 664c1eba72
--- a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthCustomizations.qll
@ -27,6 +27,22 @@ module ImproperLdapAuth {
   */
  private class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }

+  /**
+   * A source of empty input, considered as a flow source.
+   */
+  private class EmptySourceAsSource extends Source, EmptySource { }
+
+  class EmptySource extends DataFlow::Node {
+    /** Gets a string that describes the type of this remote flow source. */
+    EmptySource() {
+      (
+        this.getConstantValue().isStringlikeValue("")
+        or
+        this.(DataFlow::ExprNode).getConstantValue().isNil()
+      )
+    }
+  }
+
  /**
   * An LDAP query execution considered as a flow sink.
   */
@ -44,5 +60,6 @@ module ImproperLdapAuth {
   * sanitizer-guard.
   */
  private class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
-    StringConstArrayInclusionCallBarrier { }
+    StringConstArrayInclusionCallBarrier
+  { }
 }
--- a/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql
+++ b/ruby/ql/src/experimental/ldap-improper-auth/ImproperLdapAuth.ql
@ -17,4 +17,4 @@ import DataFlow::PathGraph
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This LDAP authencation depends on a $@.", source.getNode(),
-  "user-provided value"
+  "user-provided value or the password is empty"
--- a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected
+++ b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected
@ -5,6 +5,10 @@ edges
 | ImproperLdapAuth.rb:24:5:24:8 | pass | ImproperLdapAuth.rb:31:24:31:27 | pass |
 | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:24:12:24:24 | ...[...] |
 | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | ImproperLdapAuth.rb:24:5:24:8 | pass |
+| ImproperLdapAuth.rb:37:5:37:8 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass |
+| ImproperLdapAuth.rb:37:12:37:14 | nil | ImproperLdapAuth.rb:37:5:37:8 | pass |
+| ImproperLdapAuth.rb:55:5:55:8 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass |
+| ImproperLdapAuth.rb:55:12:55:13 | "" | ImproperLdapAuth.rb:55:5:55:8 | pass |
 nodes
 | ImproperLdapAuth.rb:5:5:5:8 | pass | semmle.label | pass |
 | ImproperLdapAuth.rb:5:12:5:17 | call to params | semmle.label | call to params |
@ -14,7 +18,17 @@ nodes
 | ImproperLdapAuth.rb:24:12:24:17 | call to params | semmle.label | call to params |
 | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | semmle.label | ...[...] |
 | ImproperLdapAuth.rb:31:24:31:27 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:37:5:37:8 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:37:12:37:14 | nil | semmle.label | nil |
+| ImproperLdapAuth.rb:47:23:47:26 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:55:5:55:8 | pass | semmle.label | pass |
+| ImproperLdapAuth.rb:55:12:55:13 | "" | semmle.label | "" |
+| ImproperLdapAuth.rb:62:24:62:27 | pass | semmle.label | pass |
 subpaths
 #select
 | ImproperLdapAuth.rb:15:23:15:26 | pass | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:15:23:15:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:5:12:5:17 | call to params | user-provided value |
 | ImproperLdapAuth.rb:31:24:31:27 | pass | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:31:24:31:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:24:12:24:17 | call to params | user-provided value |
+| ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:37:12:37:14 | nil | ImproperLdapAuth.rb:47:23:47:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:37:12:37:14 | nil | user-provided value |
+| ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass | ImproperLdapAuth.rb:47:23:47:26 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:47:23:47:26 | pass | user-provided value |
+| ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:55:12:55:13 | "" | ImproperLdapAuth.rb:62:24:62:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:55:12:55:13 | "" | user-provided value |
+| ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass | ImproperLdapAuth.rb:62:24:62:27 | pass | This LDAP authencation depends on a $@. | ImproperLdapAuth.rb:62:24:62:27 | pass | user-provided value |
--- a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb
+++ b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb
@ -31,6 +31,38 @@ class FooController < ActionController::Base
    ldap.auth "admin", pass
    ldap.bind
  end
+
+  def some_request_handler
+    # An empty password is used 
+    pass = nil
+
+    # BAD: empty password
+    ldap = Net::LDAP.new(
+        host: 'ldap.example.com',
+        port: 636,
+        encryption: :simple_tls,
+        auth: {
+            method: :simple,
+            username: 'uid=admin,dc=example,dc=com',
+            password: pass
+        }
+    )
+    ldap.bind
+  end
+
+  def some_request_handler
+    # An empty password is used 
+    pass = ""
+
+    # BAD: empty password
+    ldap = Net::LDAP.new
+    ldap.host = your_server_ip_address
+    ldap.encryption(:method => :simple_tls)
+    ldap.port = 639
+    ldap.auth "admin", pass
+    ldap.bind
+  end
+
 end

 class BarController < ApplicationController