java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning
An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.
Definition
rules:
- id: ldap-entry-poisoning
  metadata:
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    cwe:
    - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING
    asvs:
      section: "V5: Validation, Sanitization and Encoding Verification Requirements"
      control_id: 5.3.7 Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      version: "4"
    references:
    - https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf
    - https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
    category: security
    technology:
    - java
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  message: An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.
  severity: WARNING
  pattern-either:
  - pattern: |
      new SearchControls($S, $CL, $TL, $AT, true, $DEREF)
  - pattern: |
      SearchControls $VAR = new SearchControls();
      ...
      $VAR.setReturningObjFlag(true);
  languages:
  - java
Examples
ldap-entry-poisoning.java
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;

public class Cls {
    // Search parameters; declared here only so the test fixture compiles
    String query;
    String filter;
    int scope;
    long countLimit;
    int timeLimit;
    String[] attributes;
    boolean deref;

    public void ldapSearchEntryPoison(Environment env) throws NamingException {
        DirContext ctx = new InitialDirContext();
        // ruleid:ldap-entry-poisoning
        ctx.search(query, filter, new SearchControls(scope, countLimit, timeLimit, attributes,
                true, // Enable object deserialization if bound in directory
                deref));
    }

    public void ldapSearchEntryPoisonViaSetter(Environment env) throws NamingException {
        DirContext ctx = new InitialDirContext();
        // ruleid:ldap-entry-poisoning
        SearchControls ctrls = new SearchControls();
        ctrls.setReturningObjFlag(true);
    }

    public void ldapSearchSafe(Environment env) throws NamingException {
        DirContext ctx = new InitialDirContext();
        ctx.search(query, filter,
                new SearchControls(scope, countLimit, timeLimit, attributes,
                        false, // Disable object deserialization
                        deref));
    }
}
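The rule only flags the `true` argument and the `setReturningObjFlag(true)` setter; it says nothing about how a lookup that passes the rule should be written. The class below is an added example, not part of the Semgrep rule or its test file, showing the pattern the rule wants: `SearchControls` with the returning-object flag explicitly off, a call-site guard that rejects controls whose flag has been flipped, results read as attributes rather than via `SearchResult.getObject()`, and the user-supplied filter value escaped per RFC 4515 (the CWE-90 side of the rule's metadata). The class name `SafeLdapLookup`, the helper names, the base DN `ou=people,dc=example,dc=com` and the provider URL `ldap://ldap.example.com:389` are all assumptions chosen for the example.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example (not from the Semgrep rule page): an LDAP lookup written so that
// the ldap-entry-poisoning rule has nothing to flag.
public class SafeLdapLookup {

    // Build SearchControls that cannot trigger object deserialization: the
    // returning-object flag stays false and only the named attributes are requested.
    static SearchControls safeControls(String[] attrs) {
        SearchControls ctrls = new SearchControls();
        ctrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctrls.setReturningAttributes(attrs);
        ctrls.setReturningObjFlag(false); // the setting the rule reports when true
        ctrls.setCountLimit(1);
        ctrls.setTimeLimit(5_000); // milliseconds
        return ctrls;
    }

    // Call-site guard: refuse to run a search whose controls would let the
    // directory hand back (and the JNDI client instantiate) bound objects.
    static void requireNoObjectReturn(SearchControls ctrls) {
        if (ctrls.getReturningObjFlag()) {
            throw new IllegalStateException("LDAP search must not return objects");
        }
    }

    // Escape a user-supplied value for use inside an LDAP filter (RFC 4515).
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Look up a user's mail attribute. Only attribute values are read, never
    // SearchResult.getObject(), so nothing stored in the directory is deserialized.
    static String lookupMail(DirContext ctx, String baseDn, String uid) throws NamingException {
        SearchControls ctrls = safeControls(new String[] {"mail"});
        requireNoObjectReturn(ctrls);
        String filter = "(uid=" + escapeFilterValue(uid) + ")";
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, ctrls);
        try {
            if (!results.hasMore()) {
                return null;
            }
            Attributes attrs = results.next().getAttributes();
            Attribute mail = attrs.get("mail");
            return mail == null ? null : (String) mail.get();
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389"); // placeholder URL
        DirContext ctx = new InitialDirContext(env);
        try {
            String uid = args.length > 0 ? args[0] : "jdoe"; // constructed sample input
            System.out.println(lookupMail(ctx, "ou=people,dc=example,dc=com", uid));
        } finally {
            ctx.close();
        }
    }
}
```

Run it against a directory you control (`java SafeLdapLookup jdoe`). The `requireNoObjectReturn` guard is what makes the code robust to the setter form the rule's second pattern covers: even if a `SearchControls` instance is built elsewhere and its flag later set to `true`, the search is refused at the point where the directory's response would be acted on, and Semgrep's pattern still sees no `setReturningObjFlag(true)` in this file.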
Short Link: https://sg.run/ZvOn