|
| 1 | +<!DOCTYPE qhelp PUBLIC |
| 2 | + "-//Semmle//qhelp//EN" |
| 3 | + "qhelp.dtd"> |
| 4 | +<qhelp> |
| 5 | +<overview> |
| 6 | +<p>If an LDAP query is built using string concatenation, and the |
| 7 | +components of the concatenation include user input, a user |
| 8 | +is likely to be able to run malicious LDAP queries.</p> |
| 9 | +</overview> |
| 10 | + |
| 11 | +<recommendation> |
| 12 | +<p>If user input must be included in an LDAP query, it should be escaped to |
| 13 | +avoid a malicious user providing special characters that change the meaning |
| 14 | +of the query. If possible build the LDAP query using framework helper methods, for example |
| 15 | +from Spring's <code>LdapQueryBuilder</code> and <code>LdapNameBuilder</code>, |
| 16 | +instead of string concatenation. Alternatively, escape user input using an appropriate |
| 17 | +LDAP encoding method, for example: <code>encodeForLDAP</code> or <code>encodeForDN</code> |
| 18 | +from OWASP ESAPI, <code>LdapEncoder.filterEncode</code> or <code>LdapEncoder.nameEncode</code> |
| 19 | +from Spring LDAP, or <code>Filter.encodeValue</code> from UnboundID library.</p> |
| 20 | +</recommendation> |
| 21 | + |
| 22 | +<example> |
| 23 | +<p>In the following examples, the code accepts an "organization name" and a "username" |
| 24 | +from the user, which it uses to query LDAP.</p> |
| 25 | + |
| 26 | +<p>The first example concatenates the unvalidated and unencoded user input directly |
| 27 | +into both the DN (Distinguished Name) and the search filter used for the LDAP query. |
| 28 | +A malicious user could provide special characters to change the meaning of these |
| 29 | +queries, and search for a completely different set of values. The LDAP query is executed |
| 30 | +using Java JNDI API. |
| 31 | +</p> |
| 32 | + |
| 33 | +<p>The second example uses the OWASP ESAPI library to encode the user values |
| 34 | +before they are included in the DN and search filters. This ensures the meaning of |
| 35 | +the query cannot be changed by a malicious user.</p> |
| 36 | + |
| 37 | +<sample src="LdapInjectionJndi.java" /> |
| 38 | + |
| 39 | +<p>The third example uses Spring <code>LdapQueryBuilder</code> to build an LDAP query. In addition to |
| 40 | +simplifying the building of complex search parameters, it also provides proper escaping of any |
| 41 | +unsafe characters in search filters. The DN is built using <code>LdapNameBuilder</code>, which also provides |
| 42 | +proper escaping.</p> |
| 43 | + |
| 44 | +<sample src="LdapInjectionSpring.java" /> |
| 45 | + |
| 46 | +<p>The fourth example uses <code>UnboundID</code> classes, <code>Filter</code> and <code>DN</code>, to construct a safe filter and |
| 47 | +base DN.</p> |
| 48 | + |
| 49 | +<sample src="LdapInjectionUnboundId.java" /> |
| 50 | + |
| 51 | +<p>The fifth example shows how to build a safe filter and DN using the Apache LDAP API.</p> |
| 52 | + |
| 53 | +<sample src="LdapInjectionApache.java" /> |
| 54 | +</example> |
| 55 | + |
| 56 | +<references> |
| 57 | +<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html">LDAP Injection Prevention Cheat Sheet</a>.</li> |
| 58 | +<li>OWASP ESAPI: <a href="https://owasp.org/www-project-enterprise-security-api/">OWASP ESAPI</a>.</li> |
| 59 | +<li>Spring LdapQueryBuilder doc: <a href="https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html">LdapQueryBuilder</a>.</li> |
| 60 | +<li>Spring LdapNameBuilder doc: <a href="https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html">LdapNameBuilder</a>.</li> |
| 61 | +<li>UnboundID: <a href="https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/">Understanding and Defending Against LDAP Injection Attacks</a>.</li> |
| 62 | +</references> |
| 63 | +</qhelp> |
0 commit comments