LDAPInjectionCheck.java example

Explorer
sonar-java-master
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;

class A {

  String[] requestedAttrsField;
  public User lookupUser(String username, String base, String[] requestedAttrs) {

    DirContext dctx = new InitialDirContext(env);
    String[] requestedAttrsLocal = new String[12];
    SearchControls sc = new SearchControls();
    sc.setReturningAttributes(requestedAttrs);  // Noncompliant [[sc=31;ec=45]] {{Make sure that "requestedAttrs" is sanitized before use in this LDAP request.}}
    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);

    String filter = "(&(objectClass=user)(sAMAccountName=" + username + "))";

    NamingEnumeration results = dctx.search(base,  // Noncompliant [[sc=45;ec=49]] {{Make sure that "base" is sanitized before use in this LDAP request.}}
        // parameter concatenated directly into string
        filter,  // Noncompliant {{Make sure that "username" is sanitized before use in this LDAP request.}}
        sc);
    results = dctx.search(base+"",  // Noncompliant {{Make sure that "base" is sanitized before use in this LDAP request.}}
        // parameter concatenated directly into string
        filter,  // Noncompliant {{Make sure that "username" is sanitized before use in this LDAP request.}}
        sc);
    sc.setReturningAttributes(requestedAttrsField);  // Noncompliant {{Make sure that "requestedAttrsField" is sanitized before use in this LDAP request.}}
    sc.setReturningAttributes(new String[]{" ", username});  // Noncompliant {{Make sure that "username" is sanitized before use in this LDAP request.}}
    sc.setReturningAttributes(new String[]{" ", " Foo"});  // compliant
    sc.setReturningAttributes(requestedAttrsLocal);  // Noncompliant {{Make sure that "requestedAttrsLocal" is sanitized before use in this LDAP request.}}

    javax.naming.directory.InitialDirContext idc = org.owasp.benchmark.helpers.Utils.getInitialDirContext();
    idc.search("name", filter, new javax.naming.directory.SearchControls()); // Noncompliant {{Make sure that "username" is sanitized before use in this LDAP request.}}

    idc.search("name", getAttributes(), null); // Compliant
  }

  private static Attributes getAttributes() {
    return null;
  }
}