org.sonar.l10n.java.rules.squid.S2078.html Maven / Gradle / Ivy

Go to download
Applications that execute LDAP queries should neutralize any externally-provided values in those commands. Failure to do so could allow an attacker to include input that changes the query so that unintended commands are executed, or sensitive data is exposed. Unhappily LDAP doesn't provide any prepared statement interfaces like SQL to easily remove this risk. So each time a LDAP query is built dynamically this rule logs an issue.
Noncompliant Code Example

public User lookupUser(String username, String base, String [] requestedAttrs) {

  // ...
  DirContext dctx = new InitialDirContext(env);

  SearchControls sc = new SearchControls();
  sc.setReturningAttributes(requestedAttrs);  // Noncompliant
  sc.setSearchScope(SearchControls.SUBTREE_SCOPE);

  String filter = "(&(objectClass=user)(sAMAccountName=" + username + "))";

  NamingEnumeration results = dctx.search(base,  // Noncompliant
        filter,  // Noncompliant; parameter concatenated directly into string
        sc);

Compliant Solution

public User lookupUser(String username, String base, String [] requestedAttrs) {

  // ...
  DirContext dctx = new InitialDirContext(env);

  SearchControls sc = new SearchControls();
  sc.setReturningAttributes(buildAttrFilter(requestedAttrs));  // Compliant; method presumably scrubs input
  sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
  
  String useBase = "ou=People";
  if (! base.startsWith(useBase)) {
    useBase = base;
  }
  
  String filter = "(&(objectClass=user)(sAMAccountName=" + username.replaceAll("[()| ]","") + "))";

  NamingEnumeration results = dctx.search(useBase,  // Compliant; originally value used conditionally
        filter,  // Compliant; parameter NOT concatenated directly into string
        sc);

See


 MITRE CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
 OWASP Top Ten 2013 Category A1 - Injection
 Derived from FindSecBugs rule Potential LDAP Injection