# Use Parameterized LDAP Query
# Properties
Property | Value |
---|---|
Rule ID | UseParameterizedLDAPQuery |
First seen in jSparrow version | 3.19.0 |
Minimum Java version | 1.3 |
Remediation cost | 30 min |
Links |
# Description
Similar to SQL queries, the LDAP (opens new window) search filters are also vulnerable to injection attacks. This rule parameterizes all potential user supplied input that are concatenated into an LDAP search filter. For example, the invocations of DirContext::search(Name name, String filter, SearchControls cons) (opens new window) are replaced by DirContext::search(Name name, String filter, Object[] args, SearchControls cons) (opens new window) where the filter concatenation fragments are extracted into an Object array.
# Benefits
Prevents injections when using Lightweight Directory Access Protocol (LDAP).
# Code Changes
# Using a String variable as filter
Pre
String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
String filter = "(&(uid=" + userId + ")(userPassword=" + userPassword + "))";
NamingEnumeration<SearchResult> results = ctx.search(
"ou=system",
filter,
new SearchControls());
Post
String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
String filter = "(&(uid={0}" + ")(userPassword={1}" + "))";
NamingEnumeration<SearchResult> results = ctx.search(
"ou=system",
filter,
new Object[] { userId, userPassword },
new SearchControls());
# Using a String concatenation expression as filter
Pre
String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
NamingEnumeration<SearchResult> results = ctx.search(
"ou=system",
"(&(uid=" + userId + ")(userPassword=" + userPassword + "))",
new SearchControls());
Post
String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
NamingEnumeration<SearchResult> results = ctx.search(
"ou=system",
"(&(uid={0}" + ")(userPassword={1}" + "))",
new Object[] { userId, userPassword },
new SearchControls());
Automatic Application of This Rule
The automatic application of this rule is supported in the following jSparrow version:
# Tags
1
You & jSparrow