Sensei Logo Sensei Hub

Recipe - Data: Injection: Parameterize LDAP Filters: DirContext#search

Description:
Could lead to LDAP Injection
Level:
error
Language:
  • java
Tags:
  • security
  • LDAP
  • injection
  • OWASP Top 10
Documentation

Untrusted input should be sanitized before it is used in an LDAP query.

Failing to sanitize untrusted input may result in the execution of prohibited LDAP queries or modification of the LDAP tree. To sanitize the untrusted input, use parameterized queries, similar to the case for SQL queries. Java's javax.naming.directory.DirContext supports this using an overload of its search method.

Before
NamingEnumeration<SearchResult> result = context.search(userdn,
    "(objectClass=" + untrusted + ")", controls);
After
NamingEnumeration<SearchResult> result = context.search(userdn,
    "(objectClass={0})", new Object[]{untrusted}, controls);
References
Recipe
id: scw:java:LDAP-injection
version: 10
metadata:
  name: 'Data: Injection: Parameterize LDAP Filters: DirContext#search'
  shortDescription: Could lead to LDAP Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:ldap
  enabled: true
  descriptionFile: descriptions/Data_Injection_Parameterize_LDAP_Filter.html
  tags: security;LDAP;injection;OWASP Top 10
search:
  methodcall:
    args:
      2:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    name: search
    declaration:
      type: javax.naming.directory.DirContext
availableFixes:
- name: parameterize
  actions:
  - parameterize:
      placeholderFormat: '{{{{ index }}}}'
      extractUntrustedInput:
        array:
          type: java.lang.Object[]
          atArgumentPosition: 3