Prevent LDAP injection

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST 규칙 > Prevent LDAP injection

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: php-security/ldap-injection

Language: PHP

Severity: Error

Category: Security

CWE: 90

Description

LDAP injection is a type of attack used to exploit applications that construct LDAP statements from user-supplied input. This can cause unauthorized viewing of data, privilege escalation, or other unintended behaviors.

The importance of this rule lies in its ability to prevent such attacks, safeguarding the application and its data. By not properly sanitizing user input before using it in an LDAP statement, you may be exposing your system to potential security risks.

To follow this rule and avoid LDAP injection, always sanitize and validate user input before using it in an LDAP statement. This can be achieved by using the ldap_escape function in PHP for escaping special characters in the input. Additionally, using regular expressions or other validation methods to ensure the input matches expected patterns can further enhance security.

Non-Compliant Code Examples

<?php
// Insecure: Using unsanitized user input in an LDAP search
$ldapconn = ldap_connect("ldap://example.com");
$base_dn = "ou=users,dc=example,dc=com";
$filter = "(uid=" . $_POST['username'] . ")";

if ($ldapconn) {
    ldap_bind($ldapconn, "cn=admin,dc=example,dc=com", "admin_password");
    $result = ldap_search($ldapconn, $base_dn, $filter);
    $entries = ldap_get_entries($ldapconn, $result);

    foreach ($entries as $entry) {
        echo "User: " . $entry["uid"][0];
    }
}

Compliant Code Examples

<?php
// Secure: Sanitize and validate user input before LDAP bind
$ldapconn = ldap_connect("ldap://example.com");

if ($ldapconn) {
    $username = ldap_escape($_GET['username'], '', LDAP_ESCAPE_DN);
    $ldaprdn = 'uid=' . $username . ',ou=users,dc=example,dc=com';
    $ldappass = $_GET['password'];

    // Additional validation for the username and password
    if (preg_match('/^[a-zA-Z0-9._-]+$/', $username) && !empty($ldappass)) {
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

        if ($ldapbind) {
            echo "LDAP bind successful.";
        } else {
            echo "LDAP bind failed.";
        }
    } else {
        echo "Invalid input.";
    }
}