gitlab.security_code_scan.SCS0026-1.SCS0031-1


The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.


Definition

rules:
  - id: security_code_scan.SCS0026-1.SCS0031-1
    patterns:
      - pattern-either:
          - patterns:
              - pattern: (DirectorySearcher $SOURCE).Filter = ...
              - pattern-not: (DirectorySearcher $SOURCE).Filter = "..."
          - patterns:
              - pattern: (DirectorySearcher $SOURCE).Path = ...
              - pattern-not: (DirectorySearcher $SOURCE).Path = "..."
    message: |
      The software constructs all or part of an LDAP query using
      externally-influenced input from an upstream component, but it does not
      neutralize or incorrectly neutralizes special elements that could modify
      the intended LDAP query when it is sent to a downstream component.
    languages:
      - csharp
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query
        (‘LDAP Injection’)"
      license: MIT
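
What the Filter half of this rule reports, shown as an added example that is not part of the rule or its own test cases: a filter built by concatenating caller input, next to the same lookup with the value escaped per RFC 4515. The class and method names (LdapLookup, FindUserUnsafe, FindUserEscaped, EscapeFilterValue) and the sAMAccountName lookup are assumptions made for illustration.

```csharp
using System.DirectoryServices;
using System.Text;

// Hypothetical class; added for illustration, not taken from the rule's tests.
public static class LdapLookup
{
    // Reported: Filter receives a non-literal expression that embeds
    // caller-supplied text, so filter metacharacters in userName become
    // part of the query structure instead of part of the value.
    public static SearchResult FindUserUnsafe(DirectoryEntry root, string userName)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
            return searcher.FindOne();
        }
    }

    // Hardened: the value is escaped before it is placed in the filter.
    // The assignment is still non-literal, so the pattern above still
    // matches it; only an assignment of a plain string literal is excluded.
    public static SearchResult FindUserEscaped(DirectoryEntry root, string userName)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(userName) + "))";
            return searcher.FindOne();
        }
    }

    // RFC 4515 escaping for an assertion value inside a search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

Because the rule excludes only string-literal assignments, a finding on code like FindUserEscaped has to be closed by review of the escaping, not by the scanner.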