kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.

Run Locally

Run in CI

Defintion

rules:
  - id: anonymous-ldap-bind
    metadata:
      cwe:
        - "CWE-287: Improper Authentication"
      owasp:
        - A02:2017 - Broken Authentication
        - A07:2021 - Identification and Authentication Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS
      category: security
      technology:
        - kotlin
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    message: Detected anonymous LDAP bind. This permits anonymous users to execute
      LDAP statements. Consider enforcing authentication for LDAP. See
      https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more
      information.
    severity: WARNING
    pattern: |
      $ENV.put($CTX.SECURITY_AUTHENTICATION, "none")
      ...
      $DCTX = InitialDirContext($ENV, ...)
    languages:
      - kt

Examples

anonymous-ldap-bind.kt

public class Cls {

    public fun ldapBind(env: Environment): Void {
        // ruleid:anonymous-ldap-bind
        env.put(Context.SECURITY_AUTHENTICATION, "none")
        val ctx: DirContext = InitialDirContext(env)
    }

    public fun ldapBindSafe(env: Environment): Void {
        env.put(Context.SECURITY_AUTHENTICATION, "simple")
        var ctx = InitialDirContext(env)
    }
}