LDAP injection threat detected

Description

Unsanitized input flowing into an LDAP query was detected. This could lead to LDAP injection, which could result in attackers modifying objects in the LDAP tree structure. Ensure that data passed to an LDAP query is not attacker-controllable, or sanitize it properly before use.

Remediations

✅ Sanitize LDAP query data

import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Cls extends HttpServlet
{
    // Directory connection, obtained from the application's LDAP configuration (not shown here)
    private DirContext dirContext;

    public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws NamingException
    {
        String userID = request.getParameter("userID");
        String sanitizedUserID = sanitize(userID);

        // uid is escaped before concatenation; street is passed as a {0} filter argument, which JNDI escapes itself
        String filter = "(&(objectclass=person)(|(uid=" + sanitizedUserID + ")(street={0})))";
        String base = "ou=users,ou=system";
        Object[] filters = new Object[] {"First avenue"};
        javax.naming.directory.SearchControls sc = new javax.naming.directory.SearchControls();

        dirContext.search(base, filter, filters, sc);
    }

    // Escape the characters RFC 4515 gives special meaning inside a filter value; the backslash must go first
    private static String sanitize(String value)
    {
        if (value == null) return "";
        return value.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }
}
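As an added, stand-alone example (not part of the Bearer rule or the snippet above), the program below shows the RFC 4515 escaping that the remediation relies on, builds the same filter the snippet uses, and checks that a caller-supplied value can never change the number of filter components. The class name, the sample inputs and the component check are constructed for this illustration.

```java
/** Demonstrates RFC 4515 escaping for values concatenated into an LDAP search filter. */
public final class LdapFilterEscapeDemo {

    /** Escape the characters RFC 4515 reserves inside an attribute value assertion. */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;   // the escape character itself
                case '*':  out.append("\\2a"); break;   // would otherwise act as a wildcard
                case '(':  out.append("\\28"); break;   // would otherwise open a new filter component
                case ')':  out.append("\\29"); break;   // would otherwise close the current component
                case '\0': out.append("\\00"); break;   // NUL is not permitted in a filter
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Same filter as the remediation: uid escaped, street left as a {0} filter argument. */
    static String buildFilter(String userId) {
        return "(&(objectclass=person)(|(uid=" + escapeFilterValue(userId) + ")(street={0})))";
    }

    /** Number of filter components; input that changed this would have changed the query's structure. */
    static int componentCount(String filter) {
        int n = 0;
        for (char c : filter.toCharArray()) {
            if (c == '(') n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an ordinary id and one containing every reserved character
        String[] samples = { "jsmith", "o'neil*(test)\\" };
        int expected = componentCount(buildFilter(""));  // the template alone has 5 components
        for (String userId : samples) {
            String filter = buildFilter(userId);
            System.out.println(filter);
            // The escaped value may add characters but never components
            if (componentCount(filter) != expected) {
                throw new IllegalStateException("filter structure changed by input: " + userId);
            }
        }
    }
}
```

Where possible, pass user-controlled values as filter arguments ({0}, {1}, ...) instead of concatenating them, as the snippet already does for street; the escaping shown here is for the cases where concatenation cannot be avoided.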

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_ldap_injection

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_ldap_injection
