|
| 1 | +<!DOCTYPE qhelp PUBLIC |
| 2 | + "-//Semmle//qhelp//EN" |
| 3 | + "qhelp.dtd"> |
| 4 | +<qhelp> |
| 5 | +<overview> |
| 6 | +<p>If an LDAP query is built using string concatenation, and the |
| 7 | +components of the concatenation include user input, a user |
| 8 | +is likely to be able to run malicious LDAP queries.</p> |
| 9 | +</overview> |
| 10 | + |
| 11 | +<recommendation> |
| 12 | +<p>If user input must be included in an LDAP query, it should be escaped to |
| 13 | +avoid a malicious user providing special characters that change the meaning |
| 14 | +of the query. If possible build the LDAP query (or search filter / DN) using your |
| 15 | +framework helper methods to avoid string concatenation, or escape user input |
| 16 | +using the right LDAP encoding method, for example encodeForLDAP from OWASP ESAPI, |
| 17 | +LdapEncoder from Spring LDAP or Filter.encodeValue from UnboundID library.</p> |
| 18 | +</recommendation> |
| 19 | + |
| 20 | +<example> |
| 21 | +<p>In the following examples, the code accepts an "organization name" and a "username" |
| 22 | +from the user, which it uses to query LDAP.</p> |
| 23 | + |
| 24 | +<p>The first example concatenates the unvalidated and unencoded user input directly |
| 25 | +into both the DN (Distinguished Name) and the search filter used for the LDAP query. |
| 26 | +A malicious user could provide special characters to change the meaning of these |
| 27 | +queries, and search for a completely different set of values. The LDAP query is executed |
| 28 | +using Java JNDI API. |
| 29 | +</p> |
| 30 | + |
| 31 | +<p>The second example uses the OWASP ESAPI library to encode the user values |
| 32 | +before they are included in the DN and search filters. This ensures the meaning of |
| 33 | +the query cannot be changed by a malicious user.</p> |
| 34 | + |
| 35 | +<sample src="LdapInjectionJndi.java" /> |
| 36 | + |
| 37 | +<p>The third example uses Spring LdapQueryBuilder to build LDAP query. In addition to |
| 38 | +simplifying building of complex search parameters, it also provides proper escaping of any |
| 39 | +unsafe characters in search filters. DN is built using LdapNameBuilder, which also provides |
| 40 | +proper escaping.</p> |
| 41 | + |
| 42 | +<sample src="LdapInjectionSpring.java" /> |
| 43 | + |
| 44 | +<p>The fourth example uses UnboundID Filter and DN classes to construct safe filter and |
| 45 | +base DN.</p> |
| 46 | + |
| 47 | +<sample src="LdapInjectionUnboundId.java" /> |
| 48 | + |
| 49 | +<p>The fifth example shows how to build safe filter and DN using Apache LDAP API.</p> |
| 50 | + |
| 51 | +<sample src="LdapInjectionApache.java" /> |
| 52 | +</example> |
| 53 | + |
| 54 | +<references> |
| 55 | +<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html">LDAP Injection Prevention Cheat Sheet</a>.</li> |
| 56 | +<li>OWASP: <a href="https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java">Preventing LDAP Injection in Java</a>.</li> |
| 57 | +<li>OWASP ESAPI: <a href="https://owasp.org/www-project-enterprise-security-api/">OWASP ESAPI</a>.</li> |
| 58 | +<li>Spring LdapQueryBuilder doc: <a href="https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html">LdapQueryBuilder</a>.</li> |
| 59 | +<li>Spring LdapNameBuilder doc: <a href="https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html">LdapNameBuilder</a>.</li> |
| 60 | +<li>UnboundID: <a href="https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/">Understanding and Defending Against LDAP Injection Attacks</a>.</li> |
| 61 | +</references> |
| 62 | +</qhelp> |
0 commit comments