gitlab.find_sec_bugs.LDAP_INJECTION-1
Just like SQL, all inputs passed to an LDAP query need to be passed in safely. Unfortunately, LDAP doesn't have prepared statement interfaces like SQL. Therefore, the primary defense against LDAP injection is strong input validation of any untrusted data before including it in an LDAP query.
Definition
rules:
- id: find_sec_bugs.LDAP_INJECTION-1
  mode: taint
  pattern-sources:
  - patterns:
    - pattern-inside: |
        $FUNC(..., $VAR, ...) {
          ...
        }
    - pattern: $VAR
  - patterns:
    - pattern-inside: |
        $FUNC(..., $X, ...) {
          ...
          $VAR = ... + $X;
          ...
        }
    - pattern: $VAR
  pattern-sinks:
  - pattern: javax.naming.ldap.LdapName(...)
  - pattern: (javax.naming.directory.Context $C).lookup(...)
  - pattern: (javax.naming.Context $C).lookup(...)
  - patterns:
    - pattern-inside: (java.util.Properties $P).put($KEY, $VAL)
    - pattern-not-inside: |
        $FUNC(..., $VAL, ...) {
          ...
        }
    - pattern: $VAL
  - patterns:
    - pattern-inside: (com.unboundid.ldap.sdk.LDAPConnection $C).search($QUERY, ...)
    - pattern: $QUERY
  - patterns:
    - pattern-either:
      - pattern: $CTX.lookup(...)
      - patterns:
        - pattern-inside: $CTX.search($QUERY, ...)
        - pattern: $QUERY
      - patterns:
        - pattern-inside: $CTX.search($NAME, $FILTER, ...)
        - pattern: $FILTER
    - metavariable-pattern:
        metavariable: $CTX
        pattern-either:
        - pattern: (javax.naming.directory.DirContext $C)
        - pattern: (javax.naming.directory.InitialDirContext $IDC)
        - pattern: (javax.naming.ldap.LdapContext $LC)
        - pattern: (javax.naming.event.EventDirContext $EDC)
        - pattern: (com.sun.jndi.ldap.LdapCtx $LC)
  - patterns:
    - pattern-either:
      - patterns:
        - pattern-inside: $CTX.list($QUERY, ...)
        - pattern: $QUERY
      - patterns:
        - pattern-inside: $CTX.lookup($QUERY, ...)
        - pattern: $QUERY
      - patterns:
        - pattern-inside: $CTX.search($QUERY, ...)
        - pattern: $QUERY
      - patterns:
        - pattern-inside: $CTX.search($NAME, $FILTER, ...)
        - pattern: $FILTER
    - metavariable-pattern:
        metavariable: $CTX
        pattern-either:
        - pattern: (org.springframework.ldap.core.LdapTemplate $LT)
        - pattern: (org.springframework.ldap.core.LdapOperations $LO)
  message: >
    Just like SQL, all inputs passed to an LDAP query need to be passed in
    safely. Unfortunately,
    LDAP doesn't have prepared statement interfaces like SQL. Therefore, the primary defense
    against LDAP injection is strong input validation of any untrusted data before including it in
    an LDAP query.
  languages:
  - java
  severity: WARNING
  metadata:
    category: security
    cwe: "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query
      ('LDAP Injection')"
    technology:
    - java
    primary_identifier: find_sec_bugs.LDAP_INJECTION-1
    secondary_identifiers:
    - name: Find Security Bugs-LDAP_INJECTION
      type: find_sec_bugs_type
      value: LDAP_INJECTION
    license: MIT
Short Link: https://sg.run/5Z93