Merge branch 'github:main' into Practical-CodeQL-Introduction #30

Open
wants to merge 4 commits into
base: main
@@ -0,0 +1,3 @@
import python

select "Hello Wo... CodeQL!"
@@ -0,0 +1,5 @@
def basic():
text = "this is a demo"
eval(text)
tixt = "second demo"
eval(tixt)
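Review bot: `basic` has no docstring, and the strings passed to eval() on lines 46–49 are not valid Python expressions, so calling the function would raise SyntaxError; that is acceptable for a static-analysis fixture but should be stated so nobody expects it to run. I would open the function with `"""Fixture for the eval() sink query; constant arguments, never meant to be executed."""` and add a one-line note on which of the two calls the query is expected to report, so the file doubles as an expected-results oracle. The deliberate `tixt` spelling reads as a typo without that explanation.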
@@ -0,0 +1,45 @@
from flask import Flask, request

app = Flask(__name__)


@app.route("/flow1")
def flow1():
code = request.args["code"]
eval(code)


@app.route("/flow2")
def flow2():
email = request.args["email"]
eval("./send_email {email}".format(email=email))


def flow3_extra(text):
return text.split("\n")


@app.route("/flow3")
def flow3():
text = request.args["text"]
eval(flow3_extra(text))


@app.route("/flow4")
def flow4():
text = request.args["text"]
tixt = text
toxt = flow3_extra(tixt)
tuxt = toxt
eval(tuxt)


@app.route("/flow1_good")
def flow1_good():
code = request.args["code"]
if code == "print('Hello, Wo... CodeQL!')":
eval(code)


# if __name__ == "__main__":
# app.run(debug=True)
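Review bot: `flow1_good` (lines 88–92) is the only route where the value reaching eval() is safe — the equality check against a constant on line 91 means eval only ever sees that literal — but nothing in the file says which routes are intended true positives and which is the intended non-result. Each route should state its expected outcome, e.g. `"""Expected: flagged — request arg flows straight into eval()."""` on flow1 and `"""Expected: not flagged — equality check against a constant makes eval's argument a known literal."""` on flow1_good, so query output can be diffed against the fixture. Separately, `flow2`'s literal `"./send_email {email}"` (line 66) is a shell command rather than a Python expression, so it reads like an os.system/subprocess sink that was pasted into eval(); if the intent is code injection the literal should be an expression, if command injection the sink should change. None of the routes returns a response, which is presumably fine for a fixture but worth a sentence at the top of the file.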
@@ -0,0 +1,41 @@
from flask import request, Flask
import ldap3

app = Flask(__name__)


@app.route("/normal")
def normal():
"""
A RemoteFlowSource is used directly as DN and search filter
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

dn = "dc={}".format(unsafe_dc)
search_filter = "(user={})".format(unsafe_filter)

srv = ldap3.Server('ldap://127.0.0.1')
conn = ldap3.Connection(srv, user=dn, auto_bind=True)
conn.search(dn, search_filter)


@app.route("/direct")
def direct():
"""
A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

dn = "dc={}".format(unsafe_dc)
search_filter = "(user={})".format(unsafe_filter)

srv = ldap3.Server('ldap://127.0.0.1')
conn = ldap3.Connection(srv, user=dn, auto_bind=True).search(
dn, search_filter)

# if __name__ == "__main__":
# app.run(debug=True)
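Review bot: In both routes the request-controlled `dn` is used twice — as the bind identity in `ldap3.Connection(srv, user=dn, auto_bind=True)` (lines 118, 135) and as the search base (lines 119, 136) — while the docstrings mention only the DN/filter sinks. With no password supplied the bind is presumably an unauthenticated simple bind, which is worth spelling out so the fixture is not copied as a connection pattern. I would extend each docstring with `Intentionally vulnerable test input: user-supplied dc= is used as bind user and search base, and username is interpolated into the filter unescaped; expected to be flagged.` Also, in `direct` the name `conn` (line 135) receives the return value of `.search(...)`, not the connection object — harmless here but misleading.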
@@ -0,0 +1,49 @@
from flask import request, Flask
import ldap3
from ldap3.utils.dn import escape_rdn
from ldap3.utils.conv import escape_filter_chars

app = Flask(__name__)


@app.route("/normal")
def normal():
"""
A RemoteFlowSource is sanitized and used as DN and search filter
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

safe_dc = escape_rdn(unsafe_dc)
safe_filter = escape_filter_chars(unsafe_filter)

dn = "dc={}".format(safe_dc)
search_filter = "(user={})".format(safe_filter)

srv = ldap3.Server('ldap://127.0.0.1')
conn = ldap3.Connection(srv, user=dn, auto_bind=True)
conn.search(dn, search_filter)


@app.route("/direct")
def direct():
"""
A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

safe_dc = escape_rdn(unsafe_dc)
safe_filter = escape_filter_chars(unsafe_filter)

dn = "dc={}".format(safe_dc)
search_filter = "(user={})".format(safe_filter)

srv = ldap3.Server('ldap://127.0.0.1')
conn = ldap3.Connection(srv, user=dn, auto_bind=True).search(
dn, search_filter)

# if __name__ == "__main__":
# app.run(debug=True)
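Review bot: `escape_rdn` (lines 159, 179) stops the dc value from breaking out of its RDN, but the resulting `dn` still goes into `user=dn` and is the search base (lines 166–167, 186–187), so a caller can bind as and search under any `dc=` they name; escaping addresses injection, not authorization. Since these are the "sanitized" counterparts, the docstrings should say exactly what the sanitizers guarantee — I would append `Sanitized against LDAP injection only; the caller still chooses the base DN, so a real endpoint would also need an allowlist or a fixed base.` to each. Adding `Expected: not flagged.` alongside makes the intended query result explicit.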
@@ -0,0 +1,59 @@
from flask import request, Flask
import ldap

app = Flask(__name__)


@app.route("/normal")
def normal():
"""
A RemoteFlowSource is used directly as DN and search filter
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

dn = "dc={}".format(unsafe_dc)
search_filter = "(user={})".format(unsafe_filter)

ldap_connection = ldap.initialize("ldap://127.0.0.1")
user = ldap_connection.search_s(
dn, ldap.SCOPE_SUBTREE, search_filter)


@app.route("/direct")
def direct():
"""
A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search_s
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

dn = "dc={}".format(unsafe_dc)
search_filter = "(user={})".format(unsafe_filter)

user = ldap.initialize("ldap://127.0.0.1").search_s(
dn, ldap.SCOPE_SUBTREE, search_filter)


@app.route("/normal_argbyname")
def normal_argbyname():
"""
A RemoteFlowSource is used directly as DN and search filter, while the search filter is specified as
an argument by name
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

dn = "dc={}".format(unsafe_dc)
search_filter = "(user={})".format(unsafe_filter)

ldap_connection = ldap.initialize("ldap://127.0.0.1")
user = ldap_connection.search_s(
dn, ldap.SCOPE_SUBTREE, filterstr=search_filter)


# if __name__ == "__main__":
# app.run(debug=True)
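Review bot: All three routes assign the `search_s` result to `user` (lines 212, 228, 246) and never use it, and none returns a response, so these are fixtures rather than working views and the docstrings should say so. `normal_argbyname` exists to exercise the keyword form `filterstr=` (line 247), which is a useful case; I would extend its docstring with `Expected: flagged even though the filter reaches search_s by keyword rather than position.` The other two should state that `dn` also serves as the search base with `ldap.SCOPE_SUBTREE`, so the request controls where the search starts as well as what it matches.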
@@ -0,0 +1,70 @@
from flask import request, Flask
import ldap
import ldap.filter
import ldap.dn

app = Flask(__name__)


@app.route("/normal")
def normal():
"""
A RemoteFlowSource is sanitized and used as DN and search filter
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)

dn = "dc={}".format(safe_dc)
search_filter = "(user={})".format(safe_filter)

ldap_connection = ldap.initialize("ldap://127.0.0.1")
user = ldap_connection.search_s(
dn, ldap.SCOPE_SUBTREE, search_filter)


@app.route("/direct")
def direct():
"""
A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search_s
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)

dn = "dc={}".format(safe_dc)
search_filter = "(user={})".format(safe_filter)

user = ldap.initialize("ldap://127.0.0.1").search_s(
dn, ldap.SCOPE_SUBTREE, search_filter, ["testAttr1", "testAttr2"])


@app.route("/normal_argbyname")
def normal_argbyname():
"""
A RemoteFlowSource is sanitized and used as DN and search filter, while the search filter is specified as
an argument by name
"""

unsafe_dc = request.args['dc']
unsafe_filter = request.args['username']

safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)

dn = "dc={}".format(safe_dc)
search_filter = "(user={})".format(safe_filter)

ldap_connection = ldap.initialize("ldap://127.0.0.1")
user = ldap_connection.search_s(
dn, ldap.SCOPE_SUBTREE, filterstr=search_filter)


# if __name__ == "__main__":
# app.run(debug=True)
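Review bot: `direct` (lines 297–298) is the only route passing an attribute list `["testAttr1", "testAttr2"]` to `search_s`, and nothing explains why; if the purpose is to check that the query still locates the filter argument when a fourth positional argument is present, the docstring should say so, e.g. `Expected: not flagged; attrlist argument present to check argument-position handling.` As in the ldap3 variant, `escape_dn_chars` (lines 271, 291, 311) makes the dc value syntactically safe but the user still selects the subtree searched, which deserves one sentence in each docstring so the file is not read as a complete fix.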
@@ -0,0 +1 @@
experimental/Security/Practical-CodeQL-Introduction/query.ql
@@ -0,0 +1,40 @@
from flask import request, Flask
import re

app = Flask(__name__)


@app.route("/direct")
def direct():
"""
A RemoteFlowSource is used directly as re.search's pattern
"""

unsafe_pattern = request.args["pattern"]
re.search(unsafe_pattern, "")


@app.route("/compile")
def compile():
"""
A RemoteFlowSource is used directly as re.compile's pattern
which also executes .search()
"""

unsafe_pattern = request.args["pattern"]
compiled_pattern = re.compile(unsafe_pattern)
compiled_pattern.search("")


@app.route("/compile_direct")
def compile_direct():
"""
A RemoteFlowSource is used directly as re.compile's pattern
which also executes .search() in the same line
"""

unsafe_pattern = request.args["pattern"]
re.compile(unsafe_pattern).search("")

# if __name__ == "__main__":
# app.run(debug=True)
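Review bot: `def compile():` on line 346 shadows the builtin `compile`; Flask only needs a unique endpoint name, so renaming the view `compile_pattern` (and adjusting `compile_direct` for symmetry) removes the shadowing without touching the `"/compile"` route. The docstrings name the sink but not the risk: a request-controlled pattern allows regex injection and catastrophic backtracking (ReDoS) against whatever string is later searched, even though the fixture searches `""`. Adding `Expected: flagged (user-controlled regex pattern).` to each docstring makes the intent and the oracle explicit.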
@@ -0,0 +1,17 @@
from flask import request, Flask
import re


@app.route("/direct")
def direct():
unsafe_pattern = request.args['pattern']
safe_pattern = re.escape(unsafe_pattern)
re.search(safe_pattern, "")


@app.route("/compile")
def compile():
unsafe_pattern = request.args['pattern']
safe_pattern = re.escape(unsafe_pattern)
compiled_pattern = re.compile(safe_pattern)
compiled_pattern.search("")
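Review bot: `app` is never defined in this file — there is no `app = Flask(__name__)` between the imports (lines 371–372) and the first `@app.route` (line 375), so importing the module raises NameError and neither route is registered. Add `app = Flask(__name__)` after the imports, matching the sibling fixtures. `def compile():` (line 383) shadows the builtin, as in the unsafe variant, and could be renamed `compile_pattern`. The routes also lack docstrings; `"""Expected: not flagged — re.escape turns the request value into a literal pattern."""` states both the sanitizer and the intended query result.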