-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathPamAuthBypass.ql
More file actions
74 lines (60 loc) · 2.23 KB
/
PamAuthBypass.ql
File metadata and controls
74 lines (60 loc) · 2.23 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
/**
* @name PAM authorization bypass due to incorrect usage
* @description Not using `pam.AcctMgmt` after `pam.Authenticate` to check the validity of a login can lead to authorization bypass.
* @kind problem
* @problem.severity warning
* @id go/pam-auth-bypass
* @tags maintainability
* correctness
* experimental
* external/cwe/cwe-561
* external/cwe/cwe-285
* @precision very-high
*/
import go
predicate isInTestFile(Expr r) {
r.getFile().getAbsolutePath().matches("%test%") and
not r.getFile().getAbsolutePath().matches("%/ql/test/%")
}
class PamAuthenticate extends Method {
PamAuthenticate() {
this.hasQualifiedName("github.com/msteinert/pam", "Transaction", "Authenticate")
}
}
class PamAcctMgmt extends Method {
PamAcctMgmt() { this.hasQualifiedName("github.com/msteinert/pam", "Transaction", "AcctMgmt") }
}
class PamStartFunc extends Function {
PamStartFunc() { this.hasQualifiedName("github.com/msteinert/pam", ["StartFunc", "Start"]) }
}
// PAM auth bypass (Start to AcctMgmt)
module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(PamStartFunc p | p.getACall().getResult(0) = source)
}
predicate isSink(DataFlow::Node sink) {
exists(PamAcctMgmt p | p.getACall().getReceiver() = sink)
}
predicate observeDiffInformedIncrementalMode() {
none() // used as secondary flow
}
}
module PamStartToAcctMgmtFlow = TaintTracking::Global<PamStartToAcctMgmtConfig>;
// PAM auth bypass (Start to Authenticate)
module PamStartToAuthenticateConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(PamStartFunc p | p.getACall().getResult(0) = source)
}
predicate isSink(DataFlow::Node sink) {
exists(PamAuthenticate p | p.getACall().getReceiver() = sink)
}
predicate observeDiffInformedIncrementalMode() {
none() // uses secondary flow
}
}
module PamStartToAuthenticateFlow = TaintTracking::Global<PamStartToAuthenticateConfig>;
from DataFlow::Node source, DataFlow::Node sink
where
not isInTestFile(source.asExpr()) and
(PamStartToAuthenticateFlow::flow(source, sink) and not PamStartToAcctMgmtFlow::flow(source, _))
select source, "This Pam transaction may not be secure."