org.sonar.l10n.java.rules.squid.S2078.html
Applications that execute LDAP queries should neutralize any externally provided values used in those queries. Failure to do so allows an attacker to supply input that changes the meaning of the query, so that unintended entries are matched (for example, a lookup meant for one account that now matches every user) or sensitive attributes are returned. Unfortunately the LDAP protocol has no prepared-statement interface like SQL's to remove this risk: each value must be escaped client-side according to where it lands (RFC 4515 for search filter values, RFC 4514 for attribute values inside a distinguished name), or passed through an API that does this escaping for you, such as the {i} filter arguments of JNDI's DirContext.search. This rule therefore raises an issue each time an LDAP query is built dynamically from such values.
Noncompliant Code Example
public User lookupUser(String username, String base, String[] requestedAttrs) throws NamingException {
    // ... (environment setup elided)
    DirContext dctx = new InitialDirContext(env);
    SearchControls sc = new SearchControls();
    sc.setReturningAttributes(requestedAttrs); // Noncompliant; caller controls which attributes are returned
    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // The username is concatenated verbatim: a value such as "*" makes the filter match every user object
    String filter = "(&(objectClass=user)(sAMAccountName=" + username + "))";
    NamingEnumeration<SearchResult> results = dctx.search(base, // Noncompliant; caller controls the search base
            filter, // Noncompliant; parameter concatenated directly into string
            sc);
    // ...
}
Compliant Solution
public User lookupUser(String username, String base, String[] requestedAttrs) throws NamingException {
    // ... (environment setup elided)
    DirContext dctx = new InitialDirContext(env);
    SearchControls sc = new SearchControls();
    sc.setReturningAttributes(buildAttrFilter(requestedAttrs)); // Compliant; method presumably restricts the list to known attribute names
    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // The base is a DN, so filter escaping does not apply to it: accept the caller's
    // value only when it lies under the trusted subtree, otherwise fall back to the default.
    String useBase = "ou=People";
    if (base.endsWith("," + useBase)) {
        useBase = base;
    }
    // {0} is a JNDI filter argument: the provider substitutes the value with the filter
    // metacharacters ('*', '(', ')', '\') escaped per RFC 2254/4515, so the username
    // cannot change the structure of the filter.
    String filter = "(&(objectClass=user)(sAMAccountName={0}))";
    NamingEnumeration<SearchResult> results = dctx.search(useBase, // Compliant; externally supplied value used only after the check above
            filter,
            new Object[] { username }, // Compliant; parameter NOT concatenated directly into the string
            sc);
    // ...
}
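The two escaping rules the description relies on, shown as an added worked example in plain Java. This is not part of the Sonar rule text or of any Sonar code; the class name, method names and the attacker inputs are constructed for illustration. escapeFilterValue implements RFC 4515 escaping for search filter values and escapeDnValue implements RFC 4514 escaping for attribute values inside a DN. main builds the rule's filter with a constructed payload three ways: concatenated raw, passed through a scrub of the form username.replaceAll("[()| ]", "") (a common but incomplete approach), and escaped; it then shows the same idea for a search base assembled from a department name.

```java
import java.nio.charset.StandardCharsets;

/** Constructed demo of LDAP value escaping; not part of the Sonar rule. */
public class LdapEscapingDemo {

    /** RFC 4515 filter value escaping: '*', '(', ')', '\', NUL, other control
     *  characters and non-ASCII bytes (UTF-8) become '\' plus two hex digits. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20 || c > 0x7e) {
                sb.append('\\').append(String.format("%02x", c));
            } else {
                sb.append((char) c);
            }
        }
        return sb.toString();
    }

    /** RFC 4514 DN attribute value escaping: ',', '+', '"', '\', '<', '>', ';' anywhere,
     *  a leading ' ' or '#', a trailing ' ' are backslash-escaped; NUL becomes \00. */
    public static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        int last = value.length() - 1;
        for (int i = 0; i <= last; i++) {
            char c = value.charAt(i);
            if (c == '\0') {
                sb.append("\\00");
            } else if (",+\"\\<>;".indexOf(c) >= 0
                    || (i == 0 && (c == ' ' || c == '#'))
                    || (i == last && c == ' ')) {
                sb.append('\\').append(c);
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // The rule's filter template, with the value handled three different ways.
    static String rawFilter(String username) {
        return "(&(objectClass=user)(sAMAccountName=" + username + "))";
    }

    static String scrubbedFilter(String username) {
        return "(&(objectClass=user)(sAMAccountName=" + username.replaceAll("[()| ]", "") + "))";
    }

    static String escapedFilter(String username) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(username) + "))";
    }

    private static void check(String label, String actual, String expected) {
        if (!actual.equals(expected)) {
            throw new AssertionError(label + ": got " + actual + ", expected " + expected);
        }
        System.out.println(label + ": " + actual);
    }

    public static void main(String[] args) {
        // Constructed attacker input: a wildcard plus an OR branch. Its parentheses balance
        // against the template's trailing "))", so a server accepts the resulting filter.
        String payload = "*)(|(mail=*)(mail=*";

        // Raw concatenation: the filter now matches every user object with a mail attribute.
        check("raw", rawFilter(payload),
              "(&(objectClass=user)(sAMAccountName=*)(|(mail=*)(mail=*))");

        // Stripping characters removes the parentheses but leaves '*': still a wildcard match.
        check("scrubbed", scrubbedFilter(payload),
              "(&(objectClass=user)(sAMAccountName=*mail=*mail=*))");

        // Escaping keeps the value a literal: only an account literally named like the payload matches.
        check("escaped", escapedFilter(payload),
              "(&(objectClass=user)(sAMAccountName=\\2a\\29\\28|\\28mail=\\2a\\29\\28mail=\\2a))");

        // Non-ASCII is escaped byte by byte as UTF-8.
        check("utf8", escapeFilterValue("\u00c4rger"), "\\c3\\84rger");

        // DN injection: a department name that smuggles an extra RDN into a search base.
        String dept = "Sales,ou=Admins";
        check("dn raw", "ou=" + dept + ",ou=People", "ou=Sales,ou=Admins,ou=People");
        check("dn escaped", "ou=" + escapeDnValue(dept) + ",ou=People", "ou=Sales\\,ou=Admins,ou=People");
        check("dn edges", escapeDnValue(" #x "), "\\ #x\\ ");
    }
}
```

Compile and run with javac LdapEscapingDemo.java && java LdapEscapingDemo. With JNDI you rarely need escapeFilterValue yourself: dctx.search(base, "(sAMAccountName={0})", new Object[] { username }, sc) performs the RFC 2254 escaping of the argument for you, as documented for DirContext.search. Nothing equivalent exists for the search base, which is why a DN component taken from a caller must either be escaped with escapeDnValue or, better, checked against an allow-list of known bases.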
See
- MITRE CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
- OWASP Top Ten 2013 Category A1 - Injection
- Derived from FindSecBugs rule Potential LDAP Injection