<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">

<qhelp>

<overview>

<p>

If an LDAP connection uses user-supplied data as password, anonymous bind could be caused using an empty password

to result in a successful authentication.

</p>

</overview>

<recommendation>

<p>Don't use user-supplied data as password while establishing an LDAP connection.

</p>

</recommendation>

<example>

<p>In the following examples, the code accepts a bind password via a HTTP request in variable <code>

bindPassword</code>. The code builds a LDAP query whose authentication depends on user supplied data.</p>

<sample src="examples/LdapAuthBad.go" />

<p>In the following examples, the code accepts a bind password via a HTTP request in variable <code>

bindPassword</code>. The function ensures that the password provided is not empty before binding. </p>

<sample src="examples/LdapAuthGood.go" />

</example>

<references>

<li>MITRE: <a href="https://cwe.mitre.org/data/definitions/287.html">CWE-287: Improper Authentication</a>.</li>

</references>

</qhelp>

import go

import ImproperLdapAuth

import DataFlow::PathGraph

from ImproperLdapAuthConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink

where config.hasFlowPath(source, sink)

select sink.getNode(), source, sink, "LDAP binding password depends on a $@.", source.getNode(),

"user-provided value"

import go

import DataFlow::PathGraph

import semmle.go.dataflow.barrierguardutil.RegexpCheck

abstract class LdapConn extends DataFlow::CallNode { }

abstract class LdapAuthSink extends DataFlow::Node { }

abstract class LdapSanitizer extends DataFlow::Node { }

private class GoLdapBindSink extends LdapAuthSink {

GoLdapBindSink() {

exists(Method meth, string base, string t, string m |

t = ["Conn"] and

meth.hasQualifiedName([

"github.com/go-ldap/ldap", "github.com/go-ldap/ldap/v3", "gopkg.in/ldap.v2",

"gopkg.in/ldap.v3"

], t, m) and

this = meth.getACall().getArgument(1)

|

base = ["Bind"] and m = base

)

}

class RegexpCheckAsBarrierGuard extends RegexpCheckBarrier, LdapSanitizer { }

private predicate equalityAsSanitizerGuard(DataFlow::Node g, Expr e, boolean outcome) {

exists(DataFlow::Node passwd, DataFlow::EqualityTestNode eq |

g = eq and

exists(eq.getAnOperand().getStringValue()) and

passwd = eq.getAnOperand() and

e = passwd.asExpr() and

outcome = true

)

class EqualityAsSanitizerGuard extends LdapSanitizer {

EqualityAsSanitizerGuard() {

this = DataFlow::BarrierGuard<equalityAsSanitizerGuard/3>::getABarrierNode()

}

class ImproperLdapAuthConfiguration extends TaintTracking::Configuration {

ImproperLdapAuthConfiguration() { this = "Improper LDAP Auth" }

override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }

override predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink }

override predicate isSanitizer(DataFlow::Node node) { node instanceof LdapSanitizer }

func bad() interface{} {

bindPassword := req.URL.Query()["password"][0]

// Connect to the LDAP server

l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", "ldap.example.com", 389))

if err != nil {

log.Fatalf("Failed to connect to LDAP server: %v", err)

}

defer l.Close()

err = l.Bind("cn=admin,dc=example,dc=com", bindPassword)

if err != nil {

log.Fatalf("LDAP bind failed: %v", err)

}

}

func good() interface{} {

bindPassword := req.URL.Query()["password"][0]

// Connect to the LDAP server

l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", "ldap.example.com", 389))

if err != nil {

log.Fatalf("Failed to connect to LDAP server: %v", err)

}

defer l.Close()

if bindPassword != "" {

l.Bind(bindDN, bindPassword)

if err != nil {

log.Fatalf("LDAP bind failed: %v", err)

}

}

}

package main

import (

"fmt"

"log"

"net/http"

"regexp"

ldap "github.com/go-ldap/ldap/v3"

)

func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {

ldapServer := "ldap.example.com"

ldapPort := 389

bindDN := "cn=admin,dc=example,dc=com"

bindPassword := req.URL.Query()["password"][0]

// Connect to the LDAP server

l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))

if err != nil {

log.Fatalf("Failed to connect to LDAP server: %v", err)

}

defer l.Close()

// BAD: user input is not sanetized

err = l.Bind(bindDN, bindPassword)

if err != nil {

log.Fatalf("LDAP bind failed: %v", err)

}

}

func good1(w http.ResponseWriter, req *http.Request) (interface{}, error) {

ldapServer := "ldap.example.com"

ldapPort := 389

bindDN := "cn=admin,dc=example,dc=com"

bindPassword := req.URL.Query()["password"][0]

// Connect to the LDAP server

l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))

if err != nil {

log.Fatalf("Failed to connect to LDAP server: %v", err)

}

defer l.Close()

hasEmptyInput, _ := regexp.MatchString("^\\s*$", bindPassword)

// GOOD : bindPassword is not empty

if !hasEmptyInput {

l.Bind(bindDN, bindPassword)

}

}

func good2(w http.ResponseWriter, req *http.Request) (interface{}, error) {

ldapServer := "ldap.example.com"

ldapPort := 389

bindDN := "cn=admin,dc=example,dc=com"

bindPassword := req.URL.Query()["password"][0]

// Connect to the LDAP server

l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))

if err != nil {

log.Fatalf("Failed to connect to LDAP server: %v", err)

}

defer l.Close()

// GOOD : bindPassword is not empty

if bindPassword != "" {

l.Bind(bindDN, bindPassword)

}

}

func main() {

bad(nil, nil)

good1(nil, nil)

good2(nil, nil)

}

experimental/CWE-287/ImproperLdapAuth.ql

module github.com/go-ldap/ldap/v3

go 1.19