Recipe Name:
Data: Injection: Parameterize LDAP Filters: DirContext#search
Description:
Could lead to LDAP Injection
Level:
error
Language:
- java
Tags:
- security
- LDAP
- injection
- OWASP Top 10
Documentation
Untrusted input should be sanitized before it is used in an LDAP query.
Failing to sanitize untrusted input may let an attacker change the structure of the filter, resulting in the execution of LDAP queries that should not be permitted or in modification of the LDAP tree. To sanitize the untrusted input, use parameterized queries, as you would for SQL queries. Java's javax.naming.directory.DirContext supports this through the overload of its search method that takes a filter expression with {0}-style placeholders and a separate Object[] of filter arguments; the JNDI provider encodes each argument so that it can only ever be matched as a literal value.
Before:
NamingEnumeration<SearchResult> result = context.search(userdn, "(objectClass=" + untrusted + ")", controls);
After:
NamingEnumeration<SearchResult> result = context.search(userdn, "(objectClass={0})", new Object[]{untrusted}, controls);
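The following is an added example, not code from the recipe page or from Secure Code Warrior, that puts the Before/After pattern above into a complete class. It shows the parameterized DirContext#search overload in a method that looks up a user by uid, the concatenated filter kept only for contrast, and a manual RFC 4515 escaping helper for the case where no parameterized overload exists. The class name, the method names, the base DN string and the sample input are assumptions made for the example.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapFilterExample {

    // Hardened form: the filter template holds only constants and a {0}
    // placeholder. The JNDI provider encodes the argument supplied in the
    // Object[] so it is matched literally and cannot alter the filter's structure.
    static NamingEnumeration<SearchResult> findByUid(DirContext ctx, String baseDn, String untrusted)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"cn", "mail"});
        return ctx.search(baseDn, "(&(objectClass=person)(uid={0}))",
                          new Object[] {untrusted}, controls);
    }

    // Vulnerable form, kept only to show the difference: string concatenation
    // lets filter metacharacters in the value become filter syntax.
    static String naiveFilter(String untrusted) {
        return "(&(objectClass=person)(uid=" + untrusted + "))";
    }

    // Manual escaping of a filter assertion value per RFC 4515, for APIs that
    // offer no parameterized overload. This is a hypothetical helper written
    // for the example; the parameterized DirContext#search overload performs
    // the equivalent encoding itself.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input containing filter metacharacters.
        String untrusted = "*)(objectClass=*";
        System.out.println("concatenated filter: " + naiveFilter(untrusted));
        System.out.println("escaped filter:      "
                + "(&(objectClass=person)(uid=" + escapeFilterValue(untrusted) + "))");
    }
}
```

Running main prints the two filters side by side: in the concatenated one the value's parentheses and asterisks become part of the filter grammar, while in the escaped one they appear as \2a, \29 and \28 and are compared as literal characters. Note that the {0} placeholder mechanism applies only to the filter expression; the first argument of search (the base name) is a distinguished name and is not parameterized, so untrusted data must never be concatenated into it either.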
Recipe
id: scw:java:LDAP-injection
version: 10
metadata:
  name: 'Data: Injection: Parameterize LDAP Filters: DirContext#search'
  shortDescription: Could lead to LDAP Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:ldap
  enabled: true
  descriptionFile: descriptions/Data_Injection_Parameterize_LDAP_Filter.html
  tags: security;LDAP;injection;OWASP Top 10
search:
  methodcall:
    args:
      2:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    name: search
    declaration:
      type: javax.naming.directory.DirContext
availableFixes:
  - name: parameterize
    actions:
      - parameterize:
          placeholderFormat: '{{{{ index }}}}'
          extractUntrustedInput:
            array:
              type: java.lang.Object[]
              atArgumentPosition: 3