python: port concepts and implementations

Author: yoff

python/ql/lib/semmle/python/Concepts.qll

@@ -443,6 +443,41 @@ module RegexExecution {
   }
 }
 
+/**
+ * A data-flow node that executes an LDAP query.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `LDAPQuery::Range` instead.
+ */
+class LdapExecution extends DataFlow::Node {
+  LdapExecution::Range range;
+
+  LdapExecution() { this = range }
+
+  /** Gets the argument containing the filter string. */
+  DataFlow::Node getFilter() { result = range.getFilter() }
+
+  /** Gets the argument containing the base DN. */
+  DataFlow::Node getBaseDn() { result = range.getBaseDn() }
+}
+
+/** Provides classes for modeling new LDAP query execution-related APIs. */
+module LdapExecution {
+  /**
+   * A data-flow node that executes an LDAP query.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `LDAPQuery` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument containing the filter string. */
+    abstract DataFlow::Node getFilter();
+
+    /** Gets the argument containing the base DN. */
+    abstract DataFlow::Node getBaseDn();
+  }
+}
+
 /**
  * A data-flow node that escapes meta-characters, which could be used to prevent
  * injection attacks.
@@ -500,8 +535,20 @@ module Escaping {
   /** Gets the escape-kind for escaping a string so it can safely be included in HTML. */
   string getHtmlKind() { result = "html" }
 
-  /** Gets the escape-kind for escaping a string so it can safely be included in HTML. */
+  /** Gets the escape-kind for escaping a string so it can safely be included in a regular expression. */
   string getRegexKind() { result = "regex" }
+
+  /**
+   * Gets the escape-kind for escaping a string so it can safely be used as a
+   * distinguished name (DN) in an LDAP search.
+   */
+  string getLdapDnKind() { result = "ldap_dn" }
+
+  /**
+   * Gets the escape-kind for escaping a string so it can safely be used as a
+   * filter in an LDAP search.
+   */
+  string getLdapFilterKind() { result = "ldap_filter" }
   // TODO: If adding an XML kind, update the modeling of the `MarkupSafe` PyPI package.
   //
   // Technically it claims to escape for both HTML and XML, but for now we don't have
@@ -526,6 +573,21 @@ class RegexEscaping extends Escaping {
   RegexEscaping() { range.getKind() = Escaping::getRegexKind() }
 }
 
+/**
+ * An escape of a string so it can be safely used as a distinguished name (DN)
+ * in an LDAP search.
+ */
+class LdapDnEscaping extends Escaping {
+  LdapDnEscaping() { range.getKind() = Escaping::getLdapDnKind() }
+}
+
+/**
+ * An escape of a string so it can be safely used as a filter in an LDAP search.
+ */
+class LdapFilterEscaping extends Escaping {
+  LdapFilterEscaping() { range.getKind() = Escaping::getLdapFilterKind() }
+}
+
 /** Provides classes for modeling HTTP-related APIs. */
 module HTTP {
   import semmle.python.web.HttpConstants

python/ql/lib/semmle/python/frameworks/Ldap.qll

@@ -0,0 +1,80 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `python-ldap` PyPI package (imported as `ldap`).
+ * See https://www.python-ldap.org/en/python-ldap-3.3.0/index.html
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `python-ldap` PyPI package (imported as `ldap`).
+ *
+ * See https://www.python-ldap.org/en/python-ldap-3.3.0/index.html
+ */
+private module Ldap {
+  /**
+   * The name of an `ldap` method used to execute a query.
+   *
+   * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#functions
+   */
+  private string ldapQueryMethodName() {
+    result in ["search", "search_s", "search_st", "search_ext", "search_ext_s"]
+  }
+
+  /** The execution of an `ldap` query. */
+  private class LdapQueryExecution extends DataFlow::CallCfgNode, LdapExecution::Range {
+    LdapQueryExecution() {
+      this =
+        API::moduleImport("ldap")
+            .getMember("initialize")
+            .getReturn()
+            .getMember(ldapQueryMethodName())
+            .getACall()
+    }
+
+    override DataFlow::Node getFilter() {
+      result in [this.getArg(2), this.getArgByName("filterstr")]
+    }
+
+    override DataFlow::Node getBaseDn() { result in [this.getArg(0), this.getArgByName("base")] }
+  }
+
+  /**
+   * A class to find calls to `ldap.dn.escape_dn_chars`.
+   *
+   * See https://github.com/python-ldap/python-ldap/blob/7ce471e238cdd9a4dd8d17baccd1c9e05e6f894a/Lib/ldap/dn.py#L17
+   */
+  private class LdapEscapeDnCall extends DataFlow::CallCfgNode, Escaping::Range {
+    LdapEscapeDnCall() {
+      this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall()
+    }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("s")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getKind() { result = Escaping::getLdapDnKind() }
+  }
+
+  /**
+   * A class to find calls to `ldap.filter.escape_filter_chars`.
+   *
+   * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-filter.html#ldap.filter.escape_filter_chars
+   */
+  private class LdapEscapeFilterCall extends DataFlow::CallCfgNode, Escaping::Range {
+    LdapEscapeFilterCall() {
+      this =
+        API::moduleImport("ldap").getMember("filter").getMember("escape_filter_chars").getACall()
+    }
+
+    override DataFlow::Node getAnInput() {
+      result in [this.getArg(0), this.getArgByName("assertion_value")]
+    }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getKind() { result = Escaping::getLdapFilterKind() }
+  }
+}

python/ql/lib/semmle/python/frameworks/Ldap3.qll

@@ -0,0 +1,80 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `ldap3` PyPI package
+ * See https://pypi.org/project/ldap3/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `ldap3` PyPI package
+ *
+ * See https://pypi.org/project/ldap3/
+ */
+private module Ldap3 {
+  /** The execution of an `ldap` query. */
+  private class LdapQueryExecution extends DataFlow::CallCfgNode, LdapExecution::Range {
+    LdapQueryExecution() {
+      this =
+        API::moduleImport("ldap3")
+            .getMember("Connection")
+            .getReturn()
+            .getMember("search")
+            .getACall()
+    }
+
+    override DataFlow::Node getFilter() {
+      result in [this.getArg(1), this.getArgByName("search_filter")]
+    }
+
+    override DataFlow::Node getBaseDn() {
+      result in [this.getArg(0), this.getArgByName("search_base")]
+    }
+  }
+
+  /**
+   * A class to find calls to `ldap3.utils.dn.escape_rdn`.
+   *
+   * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/dn.py#L390
+   */
+  private class LdapEscapeDnCall extends DataFlow::CallCfgNode, Escaping::Range {
+    LdapEscapeDnCall() {
+      this =
+        API::moduleImport("ldap3")
+            .getMember("utils")
+            .getMember("dn")
+            .getMember("escape_rdn")
+            .getACall()
+    }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("rdn")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getKind() { result = Escaping::getLdapDnKind() }
+  }
+
+  /**
+   * A class to find calls to `ldap3.utils.conv.escape_filter_chars`.
+   *
+   * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/conv.py#L91
+   */
+  private class LdapEscapeFilterCall extends DataFlow::CallCfgNode, Escaping::Range {
+    LdapEscapeFilterCall() {
+      this =
+        API::moduleImport("ldap3")
+            .getMember("utils")
+            .getMember("conv")
+            .getMember("escape_filter_chars")
+            .getACall()
+    }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("text")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getKind() { result = Escaping::getLdapFilterKind() }
+  }
+}