
org.sonar.l10n.py.rules.python.S4433.html
An LDAP client authenticates to an LDAP server with a "bind request", which offers, among other methods, a simple authentication method.
Simple authentication in LDAP can be used with three different mechanisms:
- Anonymous Authentication Mechanism by performing a bind request with a username and password value of zero length.
- Unauthenticated Authentication Mechanism by performing a bind request with a password value of zero length.
- Name/Password Authentication Mechanism by performing a bind request with a password value of non-zero length.
Anonymous binds and unauthenticated binds allow access to information in the LDAP directory without providing a password, so their use is strongly discouraged.
Noncompliant Code Example
import ldap

def init_ldap():
    connect = ldap.initialize('ldap://example:1389')
    # Every call below sends a zero-length password for 'cn=root' (an
    # unauthenticated bind): the password argument is omitted or None.
    connect.simple_bind('cn=root') # Noncompliant
    connect.simple_bind_s('cn=root') # Noncompliant
    connect.bind_s('cn=root', None) # Noncompliant
    connect.bind('cn=root', None) # Noncompliant
Compliant Solution
import ldap
import os

def init_ldap():
    connect = ldap.initialize('ldap://example:1389')
    # The password is read from the environment rather than hard-coded,
    # so each call performs a name/password bind.
    connect.simple_bind('cn=root', os.environ.get('LDAP_PASSWORD')) # Compliant
    connect.simple_bind_s('cn=root', os.environ.get('LDAP_PASSWORD')) # Compliant
    connect.bind_s('cn=root', os.environ.get('LDAP_PASSWORD')) # Compliant
    connect.bind('cn=root', os.environ.get('LDAP_PASSWORD')) # Compliant
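The following is an added example, not part of the SonarSource rule text or of python-ldap. It maps a (DN, password) pair onto the three simple-authentication mechanisms listed above and applies a guard before any bind call, so that a password that is missing or empty (for instance because LDAP_PASSWORD is not set and os.environ.get returns None) fails loudly instead of silently degrading into an unauthenticated bind. Since the rule marks bind_s('cn=root', None) as noncompliant, None is treated like an empty password. The names classify_simple_bind, safe_simple_bind, RecordingConnection and init_ldap are this example's own; RecordingConnection is a constructed stand-in for the object returned by ldap.initialize so the code runs without an LDAP server.

```python
# Added example (not from the rule page): classify a simple bind request by
# mechanism and refuse the two passwordless mechanisms before they reach the
# server. Names below are this example's own, not python-ldap's.
import os
from typing import List, Optional, Tuple

ANONYMOUS = "anonymous"              # zero-length DN and zero-length password
UNAUTHENTICATED = "unauthenticated"  # non-empty DN, zero-length password
NAME_PASSWORD = "name/password"      # non-empty DN, non-empty password


def classify_simple_bind(who: Optional[str], cred: Optional[str]) -> str:
    """Return which simple-authentication mechanism (who, cred) selects.

    None is normalised to "" because an omitted or None password is sent as
    a zero-length value, which is exactly what the rule flags.
    """
    who = who or ""
    cred = cred or ""
    if len(who) == 0 and len(cred) == 0:
        return ANONYMOUS
    if len(cred) == 0:
        return UNAUTHENTICATED
    return NAME_PASSWORD


def safe_simple_bind(connect, who: Optional[str], cred: Optional[str]) -> str:
    """Call connect.simple_bind_s(who, cred) only for a name/password bind.

    `connect` is any object exposing a python-ldap style simple_bind_s
    method. The mechanism name is returned so callers can log it.
    """
    mechanism = classify_simple_bind(who, cred)
    if mechanism != NAME_PASSWORD:
        raise ValueError(
            f"refusing {mechanism} LDAP bind for {who!r}: a password is required"
        )
    connect.simple_bind_s(who, cred)
    return mechanism


class RecordingConnection:
    """Constructed stand-in for ldap.initialize(...): records bind attempts
    instead of talking to a server."""

    def __init__(self) -> None:
        self.binds: List[Tuple[Optional[str], Optional[str]]] = []

    def simple_bind_s(self, who: Optional[str] = None,
                      cred: Optional[str] = None) -> None:
        self.binds.append((who, cred))


def init_ldap(connect=None) -> str:
    """Counterpart of the rule's init_ldap with the guard applied: the
    password comes from LDAP_PASSWORD, and an unset variable now raises
    ValueError rather than producing an unauthenticated bind."""
    connect = connect if connect is not None else RecordingConnection()
    return safe_simple_bind(connect, "cn=root", os.environ.get("LDAP_PASSWORD"))


if __name__ == "__main__":
    conn = RecordingConnection()
    print(classify_simple_bind("cn=root", None))   # unauthenticated
    print(safe_simple_bind(conn, "cn=root", "constructed-secret"))  # name/password
```

In production code, the guard belongs in the one helper through which all bind calls are routed; the recorded bind list above exists only so the behaviour can be checked without a directory server.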
See
- OWASP Top 10 2017 Category A2 - Broken Authentication
- CWE-521 - Weak Password Requirements
- ldapwiki.com - Simple Authentication