# Use Parameterized LDAP Query

# Properties

Property Value
Rule ID UseParameterizedLDAPQuery
First seen in jSparrow version 3.19.0
Minimum Java version 1.3
Remediation cost 30 min
Links S2078

# Description

Similar to SQL queries, the LDAP search filters are also vulnerable to injection attacks. This rule parameterizes all potential user supplied input that are concatenated into an LDAP search filter. For example, the invocations of DirContext::search(Name name, String filter, SearchControls cons) are replaced by DirContext::search(Name name, String filter, Object[] args, SearchControls cons) where the filter concatenation fragments are extracted into an Object array.

# Benefits

Prevents injections when using Lightweight Directory Access Protocol (LDAP).

# Code Changes

# Using a String variable as filter

Pre

String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
String filter = "(&(uid=" + userId + ")(userPassword=" + userPassword + "))";
NamingEnumeration<SearchResult> results = ctx.search(
		"ou=system", 
		filter, 
		new SearchControls());

Post

String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
String filter = "(&(uid={0}" + ")(userPassword={1}" + "))";
NamingEnumeration<SearchResult> results = ctx.search(
		"ou=system", 
		filter, 
		new Object[] { userId, userPassword }, 
		new SearchControls());

# Using a String concatenation expression as filter

Pre

String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
NamingEnumeration<SearchResult> results = ctx.search(
		"ou=system", 
		"(&(uid=" + userId + ")(userPassword=" + userPassword + "))", 
		new SearchControls());

Post

String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
NamingEnumeration<SearchResult> results = ctx.search(
		"ou=system", 
		"(&(uid={0}" + ")(userPassword={1}" + "))", 
		new Object[] { userId, userPassword }, 
		new SearchControls());

Automatic Application of This Rule

The automatic application of this rule is supported in the following jSparrow version:

# Tags

1
default
You & jSparrow
default

Hey there! May I help you? 😊