This rule helps to prevent security vulnerabilities that may arise when user-supplied data is used in the construction of an LDAP (Lightweight Directory Access Protocol) query without proper sanitization or validation. LDAP Injection is an attack technique used to exploit applications that construct LDAP statements without proper input or output sanitizing. This can lead to the execution of arbitrary LDAP queries, potentially revealing sensitive information stored in the LDAP structure.
In the provided non-compliant code, the issue arises from the use of the user-provided param in the LDAP filter without sanitizing or validating it (String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))";). This could allow an attacker to inject malicious LDAP queries.
To avoid LDAP injections, user inputs should never be directly used in the formation of an LDAP query. Instead, they should be properly sanitized or validated before use. This can be achieved using prepared statements, parameterized queries, or input validation techniques.
For instance, the non-compliant code can be modified to use parameterized filters. Instead of concatenating the user input directly into the filter string, placeholders can be used (such as (uid={0})). The user input can then be supplied as a separate parameter which will be automatically escaped by the LDAP library, mitigating the risk of LDAP injection. You can also apply a whitelist validation on the user inputs to further ensure the security of the application.
Non-Compliant Code Examples
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/packageorg.owasp.benchmark.testcode;importjava.io.IOException;importjavax.servlet.ServletException;importjavax.servlet.annotation.WebServlet;importjavax.servlet.http.HttpServlet;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;@WebServlet(value="/ldapi-00/BenchmarkTest00012")publicclassBenchmarkTest00012extendsHttpServlet{privatestaticfinallongserialVersionUID=1L;@OverridepublicvoiddoGet(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{doPost(request,response);}@OverridepublicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{// some code
response.setContentType("text/html;charset=UTF-8");Stringparam="";java.util.Enumeration<String>headers=request.getHeaders("BenchmarkTest00012");if(headers!=null&&headers.hasMoreElements()){param=headers.nextElement();// just grab first element
}// URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters().
param=java.net.URLDecoder.decode(param,"UTF-8");org.owasp.benchmark.helpers.LDAPManagerads=neworg.owasp.benchmark.helpers.LDAPManager();try{response.setContentType("text/html;charset=UTF-8");Stringbase="ou=users,ou=system";javax.naming.directory.SearchControlssc=newjavax.naming.directory.SearchControls();sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);Stringfilter="(&(objectclass=person))(|(uid="+param+")(street={0}))";Object[]filters=newObject[]{"The streetz 4 Ms bar"};javax.naming.directory.DirContextctx=ads.getDirContext();javax.naming.directory.InitialDirContextidc=(javax.naming.directory.InitialDirContext)ctx;booleanfound=false;javax.naming.NamingEnumeration<javax.naming.directory.SearchResult>results=idc.search(base,filter,filters,sc);while(results.hasMore()){javax.naming.directory.SearchResultsr=(javax.naming.directory.SearchResult)results.next();javax.naming.directory.Attributesattrs=sr.getAttributes();javax.naming.directory.Attributeattr=attrs.get("uid");javax.naming.directory.Attributeattr2=attrs.get("street");if(attr!=null){response.getWriter().println("LDAP query results:<br>"+"Record found with name "+attr.get()+"<br>"+"Address: "+attr2.get()+"<br>");// System.out.println("record found " + attr.get());
found=true;}}if(!found){response.getWriter().println("LDAP query results: nothing found for query: "+org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter));}}catch(javax.naming.NamingExceptione){thrownewServletException(e);}finally{try{ads.closeDirContext();}catch(Exceptione){thrownewServletException(e);}}}}
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- java-security # Rules to enforce Java security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines
