Update Sink

python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql

@@ -16,11 +16,10 @@ import DataFlow::PathGraph
 
 from
   LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  LDAPQuery castedSink
+  LDAPInjectionSink castedSink
 where
   config.hasFlowPath(source, sink) and
-  castedSink = sink.getNode() //and
+  castedSink.getLDAPNode() = sink.getNode() //and
 // if exists(castedSink.getAttrs()) then
-select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@ probably leaking $@.",
-  sink.getNode(), "This", source.getNode(), "a user-provided value", castedSink.getLDAPNode(),
-  castedSink.getLDAPPart(), castedSink.getAttrs(), "this attribute(s)"
+select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@.", castedSink, "This",
+  source.getNode(), "a user-provided value", castedSink.getLDAPNode(), castedSink.getLDAPPart() //, castedSink.getAttrs(), "probably leaking this attribute(s)"

python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll

@@ -95,10 +95,10 @@ private module LDAP {
           (
             ldapNode = this.getArg(0) and
             ldapPart = "DN"
-            or
-            ldapNode = this.getArg(1) and
-            ldapPart = "search_filter"
           )
+          or
+          ldapNode = this.getArg(1) and
+          ldapPart = "search_filter"
         )
       }
 

python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll

@@ -8,6 +8,26 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
+class LDAPInjectionSink extends DataFlow::Node {
+  // DataFlow::Node attrs;
+  DataFlow::Node ldapNode;
+  string ldapPart;
+
+  LDAPInjectionSink() {
+    exists(LDAPQuery ldapQuery |
+      this = ldapQuery and
+      ldapNode = ldapQuery.getLDAPNode() and
+      ldapPart = ldapQuery.getLDAPPart() // and
+      // if exists(ldapQuery.getAttrs()) then attrs = ldapQuery.getAttrs()
+    )
+  }
+
+  DataFlow::Node getLDAPNode() { result = ldapNode }
+
+  string getLDAPPart() { result = ldapPart }
+  // DataFlow::Node getAttrs() { result = attrs }
+}
+
 /**
  * A taint-tracking configuration for detecting regular expression injections.
  */
@@ -16,9 +36,11 @@ class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery lQ).getLDAPNode() }
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(LDAPInjectionSink ldapInjSink).getLDAPNode()
+  }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer = any(LDAPEscape lE).getEscapeNode()
+    sanitizer = any(LDAPEscape ldapEsc).getEscapeNode()
   }
 }