🎉 initiate project *astro_rewrite*

2023-07-19 21:31:30 +02:00 · 2023-07-19 21:31:30 +02:00 · 2ba37bfbe3
commit 2ba37bfbe3
parent ffd4d5e86c
8658 changed files with 2268794 additions and 2538 deletions
--- a/node_modules/shiki/samples/codeql.sample
+++ b/node_modules/shiki/samples/codeql.sample
@ -0,0 +1,104 @@
+// a query
+
+/**
+ * @name LDAP query built from user-controlled sources
+ * @description Building an LDAP query from user-controlled sources is vulnerable to insertion of
+ *              malicious LDAP code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @id py/ldap-injection
+ * @tags experimental	
+ *       security	
+ *       external/cwe/cwe-090
+ */
+
+import python
+import experimental.semmle.python.security.injection.LDAP
+import DataFlow::PathGraph
+
+from LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ LDAP query parameter comes from $@.", sink.getNode(),
+  "This", source.getNode(), "a user-provided value"
+
+// a concept
+
+module LDAPEscape {
+  abstract class Range extends DataFlow::Node {
+    abstract DataFlow::Node getAnInput();
+  }
+}
+
+class LDAPEscape extends DataFlow::Node {
+  LDAPEscape::Range range;
+
+  LDAPEscape() { this = range }
+
+  DataFlow::Node getAnInput() { result = range.getAnInput() }
+}
+
+// a library modeling
+
+private module LDAP2 {
+  private class LDAP2QueryMethods extends string {
+    LDAP2QueryMethods() {
+      this in ["search", "search_s", "search_st", "search_ext", "search_ext_s"]
+    }
+  }
+
+  private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
+    DataFlow::Node ldapQuery;
+
+    LDAP2Query() {
+      exists(DataFlow::AttrRead searchMethod |
+        this.getFunction() = searchMethod and
+        API::moduleImport("ldap").getMember("initialize").getACall() =
+          searchMethod.getObject().getALocalSource() and
+        searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
+        (
+          ldapQuery = this.getArg(0)
+          or
+          (
+            ldapQuery = this.getArg(2) or
+            ldapQuery = this.getArgByName("filterstr")
+          )
+        )
+      )
+    }
+
+    override DataFlow::Node getQuery() { result = ldapQuery }
+  }
+
+  private class LDAP2EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+    LDAP2EscapeDNCall() {
+      this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall()
+    }
+
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+  }
+
+  private class LDAP2EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+    LDAP2EscapeFilterCall() {
+      this =
+        API::moduleImport("ldap").getMember("filter").getMember("escape_filter_chars").getACall()
+    }
+
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+  }
+}
+
+// a taint flow config
+
+class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
+  LDAPInjectionFlowConfig() { this = "LDAPInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery ldapQuery).getQuery() }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer = any(LDAPEscape ldapEsc).getAnInput()
+  }
+}
+
+// From https://github.com/github/codeql/pull/5443/files