# Use Parameterized LDAP Query

Properties
Description
Benefits
Code Changes
- Using a String variable as filter
- Using a String concatenation expression as filter
Tags

# Properties

Property	Value
Rule ID	UseParameterizedLDAPQuery
First seen in jSparrow version	3.19.0
Minimum Java version	1.3
Remediation cost	30 min
Links	S2078

# Description

Similar to SQL queries, the LDAP (opens new window) search filters are also vulnerable to injection attacks. This rule parameterizes all potential user supplied input that are concatenated into an LDAP search filter. For example, the invocations of DirContext::search(Name name, String filter, SearchControls cons) (opens new window) are replaced by DirContext::search(Name name, String filter, Object[] args, SearchControls cons) (opens new window) where the filter concatenation fragments are extracted into an Object array.

# Benefits

Prevents injections when using Lightweight Directory Access Protocol (LDAP).

# Code Changes

# Using a String variable as filter

Pre

String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
String filter = "(&(uid=" + userId + ")(userPassword=" + userPassword + "))";
NamingEnumeration<SearchResult> results = ctx.search(
		"ou=system", 
		filter, 
		new SearchControls());

Post

String userId = "*)(uid=*))(|(uid=*";
String userPassword = "password";
DirContext ctx = getDirContext();
String filter = "(&(uid={0}" + ")(userPassword={1}" + "))";
NamingEnumeration<SearchResult> results = ctx.search(
		"ou=system", 
		filter, 
		new Object[] { userId, userPassword }, 
		new SearchControls());

# Using a String concatenation expression as filter