github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Ruby]: Add Improper LDAP Authentication query #761

Closed maikypedia closed 1 year ago

maikypedia commented 1 year ago

Query PR

https://github.com/github/codeql/pull/13313

Language

Ruby

CVE(s) ID list

CWE

CWE-287

Report

This query covers Improper LDAP Authentication, which can occur when an application uses user-supplied data to establish a connection to an LDAP server.

I used a dataflow configuration looking for RemoteFlowSource flowing to the password used in LDAP binding.

In order to avoid false positives I used StringConstCompareBarrier and StringConstArrayInclusionCallBarrier as barriers.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
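The pattern the query looks for, as an added Ruby example that is not part of this submission or the CodeQL project. `LdapStub` is a constructed stand-in for a directory server, and the login functions, parameter names and directory entry are assumptions; the two barrier shapes named in the report appear as the empty-password check in the hardened version.

```ruby
# Constructed stand-in for an LDAP server. It follows RFC 4513 section 5.1.2:
# a bind with a non-empty DN and an EMPTY password is an "unauthenticated"
# bind, which the server accepts without checking any credential. That is the
# behaviour behind CWE-287 here: a successful result code that proves nothing.
class LdapStub
  # constructed directory entry: DN => password
  DIRECTORY = { "uid=alice,ou=people,dc=example,dc=com" => "correct-horse" }.freeze

  # Returns :authenticated, :unauthenticated or :invalid_credentials.
  def bind(dn, password)
    return :unauthenticated if !dn.to_s.empty? && password.to_s.empty?
    DIRECTORY[dn] == password ? :authenticated : :invalid_credentials
  end
end

# Vulnerable shape (what the query flags): the request-supplied password
# (a RemoteFlowSource) flows straight into the bind, and any non-error result
# is treated as a login. A request carrying an empty or missing password for
# a known DN therefore "logs in" via the unauthenticated bind.
def vulnerable_login(ldap, params)
  dn = "uid=#{params['user']},ou=people,dc=example,dc=com"
  ldap.bind(dn, params["password"]) != :invalid_credentials
end

# Hardened shape: reject an empty or nil password before the bind. The
# `["", nil].include?(password)` test is the code shape recognised by
# StringConstArrayInclusionCallBarrier; a plain `password == ""` comparison is
# the StringConstCompareBarrier shape. Either stops the flow at this point, so
# the query does not report the bind below.
def hardened_login(ldap, params)
  password = params["password"]
  return false if ["", nil].include?(password)
  dn = "uid=#{params['user']},ou=people,dc=example,dc=com"
  # Belt and braces: only an explicitly authenticated bind counts as a login.
  ldap.bind(dn, password) == :authenticated
end
```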

sylwia-budzynska commented 1 year ago

Hello @maikypedia 👋 From a quick look, I see you created one PR with a query for LDAP injection and a query for improper LDAP auth, and another PR which includes the LDAP injection query from the first PR. From curiosity: why did you create two PRs instead of one?

maikypedia commented 1 year ago

Hi @sylwia-budzynska 😊👋, at first, I only had LDAP Injection in mind to model, and I did the PR. Then I realized that I could also model Improper LDAP Auth, so I created a separate branch from the LDAP injection branch. Since they are different vulnerabilities, I thought they should be independent PRs. However, since the Improper Auth branch is a sub-branch of another, maybe it's not a good idea. Do you think it would be more convenient to close the LDAP Injection PR and leave the Improper Auth one?

sylwia-budzynska commented 1 year ago

I checked in with the Ruby team and they said they prefer to review the two queries in two PRs, so no action needs to be taken 👍

ghsecuritylab commented 1 year ago

Your submission is now in status Query review.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 1 year ago

Your submission is now in status Final decision.

ghsecuritylab commented 1 year ago

Your submission is now in status Pay.

xcorail commented 1 year ago

Created Hackerone report 2177971 for bounty 515239 : [761] [Ruby]: Add Improper LDAP Authentication query

ghsecuritylab commented 1 year ago

Your submission is now in status Closed.