github · RasmusWL · May 26, 2021 · Mar 18, 2021 · Mar 18, 2021 · Mar 18, 2021
@@ -0,0 +1,50 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>If an LDAP query or DN is built using string concatenation or string formatting, and the
+components of the concatenation include user input without any proper sanitization, a user 
+is likely to be able to run malicious LDAP queries.</p>
+</overview>
+
+<recommendation>
+<p>If user input must be included in an LDAP query or DN, it should be escaped to
+avoid a malicious user providing special characters that change the meaning
+of the query. In Python2, user input should be escaped with <code>ldap.dn.escape_dn_chars</code> 
+or <code>ldap.filter.escape_filter_chars</code>, while in Python3, user input should be escaped with 
+<code>ldap3.utils.dn.escape_rdn</code> or <code>ldap3.utils.conv.escape_filter_chars</code>
+depending on the component tainted by the user. A good practice is to escape filter characters 
+that could change the meaning of the query (https://tools.ietf.org/search/rfc4515#section-3).</p>
+</recommendation>
+
+<example>
+<p>In the following examples, the code accepts both <code>username</code> and <code>dc</code> from the user, 
+which it then uses to build a LDAP query and DN.</p>
+
+<p>The first and the second example uses the unsanitized user input directly
+in the search filter and DN for the LDAP query.
+A malicious user could provide special characters to change the meaning of these
+components, and search for a completely different set of values.</p>
+
+<sample src="examples/example_bad1.js" />
+<sample src="examples/example_bad2.js" />
+
+<p>In the third and four example, the input provided by the user is sanitized before it is included in the search filter or DN. 
+This ensures the meaning of the query cannot be changed by a malicious user.</p>
+
+<sample src="examples/example_good1.js" />
+<sample src="examples/example_good2.js" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html">LDAP Injection Prevention Cheat Sheet</a>.</li>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/LDAP_Injection">LDAP Injection</a>.</li>
+<li>SonarSource: <a href="https://rules.sonarsource.com/python/RSPEC-2078">RSPEC-2078</a>.</li>
+<li>Python2: <a href="https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html">LDAP Documentation</a>.</li>
+<li>Python3: <a href="https://ldap3.readthedocs.io/en/latest/">LDAP Documentation</a>.</li>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/LDAP_injection">LDAP injection</a>.</li>
+<li>BlackHat: <a href="https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf">LDAP Injection and Blind LDAP Injection</a>.</li>
+<li>LDAP: <a href="https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/">Understanding and Defending Against LDAP Injection Attacks</a>.</li>
+</references>
+</qhelp>
@@ -0,0 +1,20 @@
+/**
+ * @name Python LDAP Injection
+ * @description Python LDAP Injection through search filter
+ * @kind path-problem
+ * @problem.severity error
+ * @id python/ldap-injection
+ * @tags experimental	
+ *       security	
+ *       external/cwe/cwe-090
+ */
+
+// Determine precision above
+import python
+import experimental.semmle.python.security.injection.LDAP
+import DataFlow::PathGraph
+
+from LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ LDAP query parameter comes from $@.", sink.getNode(),
+  "This", source.getNode(), "a user-provided value"
@@ -0,0 +1,12 @@
+from flask import request, Flask
+import ldap
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
@@ -0,0 +1,12 @@
+from flask import request, Flask
+import ldap3
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
+    conn.search(unsafe_dn, unsafe_filter)
@@ -0,0 +1,17 @@
+from flask import request, Flask
+import ldap
+import ldap.filter
+import ldap.dn
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        safe_dn, ldap.SCOPE_SUBTREE, safe_filter)
@@ -0,0 +1,17 @@
+from flask import request, Flask
+import ldap3
+from ldap3.utils.dn import escape_rdn
+from ldap3.utils.conv import escape_filter_chars
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = escape_rdn(unsafe_dn)
+    safe_filter = escape_filter_chars(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True)
+    conn.search(safe_dn, safe_filter)
@@ -13,3 +13,31 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
+
+module LDAPQuery {
+  abstract class Range extends DataFlow::Node {
+    abstract DataFlow::Node getLDAPNode();
+  }
+}
+
+class LDAPQuery extends DataFlow::Node {
+  LDAPQuery::Range range;
+
+  LDAPQuery() { this = range }
+
+  DataFlow::Node getLDAPNode() { result = range.getLDAPNode() }
+}
+
+module LDAPEscape {
+  abstract class Range extends DataFlow::Node {
+    abstract DataFlow::Node getEscapeNode();
+  }
+}
+
+class LDAPEscape extends DataFlow::Node {
+  LDAPEscape::Range range;
+
+  LDAPEscape() { this = range }
+
+  DataFlow::Node getEscapeNode() { result = range.getEscapeNode() }
+}
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -9,3 +9,100 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
+
+private module LDAP {
+  private module LDAP2 {
+    private class LDAP2QueryMethods extends string {
+      LDAP2QueryMethods() {
+        this in ["search", "search_s", "search_st", "search_ext", "search_ext_s"]
+      }
+    }
+
+    private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
+      DataFlow::Node ldapNode;
+
+      LDAP2Query() {
+        exists(DataFlow::AttrRead searchMethod |
+          this.getFunction() = searchMethod and
+          API::moduleImport("ldap").getMember("initialize").getACall() =
+            searchMethod.getObject().getALocalSource() and
+          searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
+          (
+            ldapNode = this.getArg(0)
+            or
+            (
+              ldapNode = this.getArg(2) or
+              ldapNode = this.getArgByName("filterstr")
+            )
+          )
+        )
+      }
+
+      override DataFlow::Node getLDAPNode() { result = ldapNode }
+    }
+
+    private class LDAP2EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP2EscapeDNCall() {
+        this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall()
+      }
+
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+    }
+
+    private class LDAP2EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP2EscapeFilterCall() {
+        this =
+          API::moduleImport("ldap").getMember("filter").getMember("escape_filter_chars").getACall()
+      }
+
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+    }
+  }
+
+  private module LDAP3 {
+    private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
+      DataFlow::Node ldapNode;
+
+      LDAP3Query() {
+        exists(DataFlow::AttrRead searchMethod |
+          this.getFunction() = searchMethod and
+          API::moduleImport("ldap3").getMember("Connection").getACall() =
+            searchMethod.getObject().getALocalSource() and
+          searchMethod.getAttributeName() = "search" and
+          (
+            ldapNode = this.getArg(0) or
+            ldapNode = this.getArg(1)
+          )
+        )
+      }
+
+      override DataFlow::Node getLDAPNode() { result = ldapNode }
+    }
+
+    private class LDAP3EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP3EscapeDNCall() {
+        this =
+          API::moduleImport("ldap3")
+              .getMember("utils")
+              .getMember("dn")
+              .getMember("escape_rdn")
+              .getACall()
+      }
+
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+    }
+
+    private class LDAP3EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP3EscapeFilterCall() {
+        this =
+          API::moduleImport("ldap3")
+              .getMember("utils")
+              .getMember("conv")
+              .getMember("escape_filter_chars")
+              .getACall()
+      }
+
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+    }
+  }
+}
@@ -0,0 +1,24 @@
+/**
+ * Provides a taint-tracking configuration for detecting LDAP injection vulnerabilities
+ */
+
+import python
+import experimental.semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * A taint-tracking configuration for detecting regular expression injections.
+ */
+class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
+  LDAPInjectionFlowConfig() { this = "LDAPInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery ldapQuery).getLDAPNode() }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer = any(LDAPEscape ldapEsc).getEscapeNode()
+  }
+}