Add tests

jorgectf · jorgectf · commit 4ffa45f19df8 · 2021-12-12T03:08:01.000+01:00
diff --git a/Code_Injection.py b/Code_Injection.py
@@ -0,0 +1,44 @@
+from flask import Flask, request
+
+app = Flask(__name__)
+
+
+@app.route("/flow1")
+def flow1():
+    code = request.args["code"]
+    eval(code)
+
+
+@app.route("/flow2")
+def flow2():
+    email = request.args["email"]
+    eval("./send_email {email}".format(email=email))
+
+
+def flow3_extra(text):
+    return text.split("\n")
+
+@app.route("/flow3")
+def flow3():
+    text = request.args["text"]
+    eval(flow3_extra(text))
+
+
+@app.route("/flow4")
+def flow4():
+    text = request.args["text"]
+    tixt = text
+    toxt = flow3_extra(tixt)
+    tuxt = toxt
+    eval(tuxt)
+
+
+@app.route("/flow1_good")
+def flow1_good():
+    code = request.args["code"]
+    if code == "print('Hello, Wo... CodeQL!')":
+        eval(code)
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/LDAP3_Injection_bad.py b/LDAP3_Injection_bad.py
@@ -0,0 +1,41 @@
+from flask import request, Flask
+import ldap3
+
+app = Flask(__name__)
+
+
+@app.route("/normal")
+def normal():
+    """
+    A RemoteFlowSource is used directly as DN and search filter
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
+
+
+@app.route("/direct")
+def direct():
+    """
+    A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True).search(
+        dn, search_filter)
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/LDAP3_Injection_good.py b/LDAP3_Injection_good.py
@@ -0,0 +1,49 @@
+from flask import request, Flask
+import ldap3
+from ldap3.utils.dn import escape_rdn
+from ldap3.utils.conv import escape_filter_chars
+
+app = Flask(__name__)
+
+
+@app.route("/normal")
+def normal():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    safe_dc = escape_rdn(unsafe_dc)
+    safe_filter = escape_filter_chars(unsafe_filter)
+
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
+
+
+@app.route("/direct")
+def direct():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    safe_dc = escape_rdn(unsafe_dc)
+    safe_filter = escape_filter_chars(unsafe_filter)
+
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True).search(
+        dn, search_filter)
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/LDAP_Injection_bad.py b/LDAP_Injection_bad.py
@@ -0,0 +1,59 @@
+from flask import request, Flask
+import ldap
+
+app = Flask(__name__)
+
+
+@app.route("/normal")
+def normal():
+    """
+    A RemoteFlowSource is used directly as DN and search filter
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
+    user = ldap_connection.search_s(
+        dn, ldap.SCOPE_SUBTREE, search_filter)
+
+
+@app.route("/direct")
+def direct():
+    """
+    A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search_s
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    user = ldap.initialize("ldap://127.0.0.1").search_s(
+        dn, ldap.SCOPE_SUBTREE, search_filter)
+
+
+@app.route("/normal_argbyname")
+def normal_argbyname():
+    """
+    A RemoteFlowSource is used directly as DN and search filter, while the search filter is specified as
+    an argument by name
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
+    user = ldap_connection.search_s(
+        dn, ldap.SCOPE_SUBTREE, filterstr=search_filter)
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/LDAP_Injection_good.py b/LDAP_Injection_good.py
@@ -0,0 +1,70 @@
+from flask import request, Flask
+import ldap
+import ldap.filter
+import ldap.dn
+
+app = Flask(__name__)
+
+
+@app.route("/normal")
+def normal():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
+    user = ldap_connection.search_s(
+        dn, ldap.SCOPE_SUBTREE, search_filter)
+
+
+@app.route("/direct")
+def direct():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search_s
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    user = ldap.initialize("ldap://127.0.0.1").search_s(
+        dn, ldap.SCOPE_SUBTREE, search_filter, ["testAttr1", "testAttr2"])
+
+
+@app.route("/normal_argbyname")
+def normal_argbyname():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter, while the search filter is specified as
+    an argument by name
+    """
+
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
+
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
+    user = ldap_connection.search_s(
+        dn, ldap.SCOPE_SUBTREE, filterstr=search_filter)
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/README.md b/README.md
@@ -1 +1,3 @@
-# PracticalCodeQLIntroduction-repo
+# PracticalCodeQLIntroduction repo
+
+This repository is meant to be used to run the queries in LGTM shown in [this](https://jorgectf.gitlab.io/blog/post/practical-codeql-introduction/) blog post.
diff --git a/Regex_Injection_bad.py b/Regex_Injection_bad.py
@@ -0,0 +1,40 @@
+from flask import request, Flask
+import re
+
+app = Flask(__name__)
+
+
+@app.route("/direct")
+def direct():
+    """
+    A RemoteFlowSource is used directly as re.search's pattern
+    """
+
+    unsafe_pattern = request.args["pattern"]
+    re.search(unsafe_pattern, "")
+
+
+@app.route("/compile")
+def compile():
+    """
+    A RemoteFlowSource is used directly as re.compile's pattern
+    which also executes .search() 
+    """
+
+    unsafe_pattern = request.args["pattern"]
+    compiled_pattern = re.compile(unsafe_pattern)
+    compiled_pattern.search("")
+
+
+@app.route("/compile_direct")
+def compile_direct():
+    """
+    A RemoteFlowSource is used directly as re.compile's pattern
+    which also executes .search() in the same line
+    """
+
+    unsafe_pattern = request.args["pattern"]
+    re.compile(unsafe_pattern).search("")
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/Regex_Injection_good.py b/Regex_Injection_good.py
@@ -0,0 +1,17 @@
+from flask import request, Flask
+import re
+
+
+@app.route("/direct")
+def direct():
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    re.search(safe_pattern, "")
+
+
+@app.route("/compile")
+def compile():
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    compiled_pattern = re.compile(safe_pattern)
+    compiled_pattern.search("")
diff --git a/XXE_general.py b/XXE_general.py
diff --git a/XXE_sax.py b/XXE_sax.py
