Avoid LDAP injections

Metadata

ID: java-security/ldap-injection

Language: Java

Severity: Error

Category: Security

Description

Avoid building LDAP search filters and distinguished names by string concatenation. When a value an attacker can influence (a form field, a URL parameter, a header) is spliced into a filter, the characters *, (, ) and \ change the structure of the query instead of being matched literally, so the attacker can widen the search to every entry, bypass an authentication check that expects exactly one match, or read entries they are not meant to see. Prefer the DirContext.search overload that takes a filter expression with {0} placeholders and a filterArgs array, which escapes the substituted values for you; if a filter or DN must be assembled by hand, escape each untrusted value according to RFC 4515 (filters) or RFC 4514 (DNs) before inserting it.

Non-Compliant Code Examples

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

class Test {
    DirContext ctx;                        // directory context bound elsewhere (e.g. InitialDirContext)
    String base = "dc=example,dc=com";     // search base
    SearchControls sc = new SearchControls();
    String foo;                            // untrusted input, e.g. from a request parameter
    String bar;                            // untrusted input, e.g. from a request parameter

    // Filter built by concatenation: bar is inserted unescaped, so "*)(uid=*" rewrites the query
    public void test1() throws NamingException {
        String f = "(&(objectclass=person)(uid=" + bar + "))";
        NamingEnumeration<SearchResult> results = ctx.search(base, f, sc);
    }

    // Untrusted value appended to a hand-built filter string
    public void test2() throws NamingException {
        String filter = "ou=users,ou=" + bar;
        NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
    }

    // Both ends of the filter string come from untrusted input
    public void test3() throws NamingException {
        String filter = foo + "ou=users,ou=" + bar;
        NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
    }
}
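The hardened counterpart to the examples above, added here as an illustration and not part of the original rule page. It shows the two defences the description recommends: the parameterized DirContext.search overload, where JNDI escapes the {0} argument itself, and explicit escaping for the cases where a filter or DN string has to be assembled by hand. The class name LdapSafeSearch, the helper names escapeFilterValue, escapeDnValue, findPerson and buildPersonFilter, and the sample inputs in main are all assumptions made for the example; findPerson needs a live DirContext and is therefore compiled but not called from main.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Example class (hypothetical name), not code from the rule page.
public class LdapSafeSearch {

    // Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    // The metacharacters * ( ) \ and NUL become \2a \28 \29 \5c \00, so they are
    // matched literally instead of altering the filter structure.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Escape an attribute value for use inside a DN (RFC 4514, section 2.4):
    // , + " \ < > ; always get a backslash, as do a leading '#' and a leading
    // or trailing space; NUL is written as \00.
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\0') {
                sb.append("\\00");
                continue;
            }
            boolean special = c == ',' || c == '+' || c == '"' || c == '\\'
                    || c == '<' || c == '>' || c == ';'
                    || (c == '#' && i == 0)
                    || (c == ' ' && (i == 0 || i == value.length() - 1));
            if (special) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Preferred form: {0} is replaced by filterArgs[0] and the LDAP provider
    // escapes filter metacharacters in the argument, so uid cannot change the
    // shape of the query.
    static NamingEnumeration<SearchResult> findPerson(DirContext ctx, String base, String uid)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        return ctx.search(base, "(&(objectClass=person)(uid={0}))", new Object[] { uid }, sc);
    }

    // Fallback when the filter must be built by hand: escape every untrusted piece.
    static String buildPersonFilter(String uid) {
        return "(&(objectClass=person)(uid=" + escapeFilterValue(uid) + "))";
    }

    public static void main(String[] args) {
        // Constructed input: tries to turn the uid clause into "(uid=*)" and match everyone.
        String hostileUid = "*)(uid=*";
        System.out.println("unsafe filter : (&(objectClass=person)(uid=" + hostileUid + "))");
        System.out.println("escaped filter: " + buildPersonFilter(hostileUid));

        // Constructed input: tries to smuggle an extra RDN into the DN.
        String hostileOu = "users,dc=evil";
        System.out.println("escaped DN    : ou=" + escapeDnValue(hostileOu) + ",dc=example,dc=com");
    }
}
```

With the hostile uid above, the concatenated filter becomes (&(objectClass=person)(uid=*)(uid=*)), which matches every person entry, while the escaped form carries uid=\2a\29\28uid=\2a and can only match an account whose uid is literally that string. The DN example keeps the comma inside the ou value (users\,dc=evil) instead of letting it start a new RDN. The parameterized overload in findPerson is the simplest fix for filters; the manual escaper is for code paths, such as DN construction, where no placeholder API is available.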