Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

ID

scala.inject.scala_inject_rule_ldapinjection

Severity

low

Resource

Inject

Language

Scala

Description

This rule flags LdapTemplate calls (list, lookup, search) whose base name or filter is built from untrusted input. As with SQL, every value passed into an LDAP query must be passed in safely. Unfortunately, LDAP has no prepared-statement interface like SQL's, so the primary defense against LDAP injection is strong validation of any untrusted data before it is included in an LDAP query.

Rationale

As with SQL, every value passed into an LDAP query must be passed in safely. Unfortunately, LDAP has no prepared-statement interface like SQL's, so the primary defense against LDAP injection is strong validation of any untrusted data before it is included in an LDAP query.

The following code illustrates a vulnerable pattern detected by this rule:

import javax.naming.directory.SearchControls
import org.springframework.ldap.core.{DirContextProcessor, LdapTemplate}
import org.springframework.ldap.core.support.{CountNameClassPairCallbackHandler, DefaultIncrementalAttributesMapper, DefaultNameClassPairMapper}

// jndiInjectMe is untrusted input used directly as the base name of every call below.
def queryVulnerableToInjection(template: LdapTemplate, jndiInjectMe: String, searchControls: SearchControls, dirContextProcessor: DirContextProcessor): Unit = {
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.list(jndiInjectMe)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.list(jndiInjectMe, new DefaultNameClassPairMapper)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.list(jndiInjectMe, new CountNameClassPairCallbackHandler)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.lookup(jndiInjectMe)
  val mapper = new DefaultIncrementalAttributesMapper("")
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.lookup(jndiInjectMe, mapper)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.lookup(jndiInjectMe, mapper)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.search(jndiInjectMe, "dn=1", searchControls, mapper)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.search(jndiInjectMe, "dn=1", searchControls, mapper, dirContextProcessor)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.search(jndiInjectMe, "dn=1", searchControls, mapper, dirContextProcessor)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.search(jndiInjectMe, "dn=1", searchControls, mapper, dirContextProcessor)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.search(jndiInjectMe, "dn=1", mapper)
  // VULNERABLE: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  template.search(jndiInjectMe, "dn=1", SearchControls.OBJECT_SCOPE, new Array[String](0), mapper)
}
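
The validation the rationale calls for, worked through in Scala as an added example (this is not code from the rule page or from Spring LDAP); the object and method names, the uid allowlist and the ou=people,dc=example,dc=org base are assumptions. Spring LDAP ships equivalent escaping in org.springframework.ldap.support.LdapEncoder (filterEncode, nameEncode); it is not used here so the block runs without the library.

```scala
// Added example: allowlist validation plus RFC 4515 / RFC 4514 escaping
// applied to untrusted input before it reaches an LdapTemplate base name
// (lookup/list) or search filter (search). Names and base DN are assumed.
object LdapInputGuard {
  // RFC 4515 section 3: inside a filter assertion value, backslash, '*',
  // '(', ')' and NUL must be written as backslash plus two hex digits.
  def filterEncode(value: String): String =
    value.flatMap {
      case '\\'     => "\\5c"
      case '*'      => "\\2a"
      case '('      => "\\28"
      case ')'      => "\\29"
      case '\u0000' => "\\00"
      case c        => c.toString
    }

  // RFC 4514 section 2.4: inside a DN attribute value, escape the characters
  // that would end or split the RDN, a leading '#' or space, a trailing
  // space, and NUL.
  def dnValueEncode(value: String): String = {
    val sb = new StringBuilder
    value.zipWithIndex.foreach { case (c, i) =>
      val special  = ",+\"\\<>;".contains(c)
      val leading  = i == 0 && (c == '#' || c == ' ')
      val trailing = i == value.length - 1 && c == ' '
      if (special || leading || trailing) sb.append('\\')
      if (c == '\u0000') sb.append("\\00") else sb.append(c)
    }
    sb.toString
  }

  // Strict allowlist for a user id (assumed policy): reject, do not repair.
  private val UidPattern = "^[A-Za-z0-9._-]{1,64}$".r
  def validateUid(input: String): Either[String, String] =
    if (UidPattern.matches(input)) Right(input) else Left(s"rejected uid: $input")

  // Base name for template.lookup / template.list: validated, then escaped.
  def userDn(uid: String): Either[String, String] =
    validateUid(uid).map(u => s"uid=${dnValueEncode(u)},ou=people,dc=example,dc=org")

  // Filter for template.search: the value is escaped so it cannot close or
  // extend the filter, whatever it contains.
  def userFilter(uid: String): String = s"(uid=${filterEncode(uid)})"

  def main(args: Array[String]): Unit = {
    val hostile = "*)(uid=*"       // constructed sample input
    println(userFilter(hostile))   // (uid=\2a\29\28uid=\2a)
    println(userDn(hostile))       // Left(rejected uid: *)(uid=*)
    println(userDn("alice"))       // Right(uid=alice,ou=people,dc=example,dc=org)
  }
}
```

Pass the Right value of userDn to lookup/list and the string from userFilter to search in place of the raw parameter; a Left means the request is rejected before any directory call is made.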

Remediation

Validate any untrusted data against strict rules before it reaches an LdapTemplate base name or filter, follow secure coding practices, and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.

References