rspec/rules/S2078/csharp/how-to-fix-it/dotnet.adoc

=== How to fix it in .NET

The following non-compliant code is vulnerable to LDAP injections because untrusted data is
concatenated in an LDAP query without prior validation.

[cols="a"]
|===
h| Non-compliant code example
|
[source,csharp]
----
public class ExampleController : Controller
{
    public IActionResult Authenticate(string user, string pass)
    {
        DirectoryEntry directory  = new DirectoryEntry("LDAP://ou=system");
        DirectorySearcher search  = new DirectorySearcher(directory);

        search.Filter = "(&(uid=" + user + ")(userPassword=" + pass + "))"; // Noncompliant

        return Json(search.FindOne() != null);
    }
}
----
h| Compliant solution
|
[source,csharp]
----
public class ExampleController : Controller
{
    public IActionResult Authenticate(string user, string pass)
    {
        // restrict the username and password to letters only
        if (!Regex.IsMatch(user, "^[a-zA-Z]+$") \|\| !Regex.IsMatch(pass, "^[a-zA-Z]+$"))
        {
            return BadRequest();
        }

        DirectoryEntry directory  = new DirectoryEntry("LDAP://ou=system");
        DirectorySearcher search  = new DirectorySearcher(directory);

        search.Filter = "(&(uid=" + user + ")(userPassword=" + pass + "))";

        return Json(search.FindOne() != null);
    }
}
----
|===

=== How does this work?

include::../../common/fix/validation.adoc[]

In the compliant solution example, a validation mechanism is applied to untrusted input to ensure
it is strictly composed of alphabetic characters.
Modify S2078(multiple languages): Update to the education framework (APPSEC-115) (#1209) 2022-09-09 10:16:57 +02:00			`=== How to fix it in .NET`

			`The following non-compliant code is vulnerable to LDAP injections because untrusted data is`
			`concatenated in an LDAP query without prior validation.`

			`[cols="a"]`
			`\|===`
			`h\| Non-compliant code example`
			`\|`
			`[source,csharp]`
			`----`
			`public class ExampleController : Controller`
			`{`
			`public IActionResult Authenticate(string user, string pass)`
			`{`
			`DirectoryEntry directory = new DirectoryEntry("LDAP://ou=system");`
			`DirectorySearcher search = new DirectorySearcher(directory);`

			`search.Filter = "(&(uid=" + user + ")(userPassword=" + pass + "))"; // Noncompliant`

			`return Json(search.FindOne() != null);`
			`}`
			`}`
			`----`
			`h\| Compliant solution`
			`\|`
			`[source,csharp]`
			`----`
			`public class ExampleController : Controller`
			`{`
			`public IActionResult Authenticate(string user, string pass)`
			`{`
			`// restrict the username and password to letters only`
			`if (!Regex.IsMatch(user, "^[a-zA-Z]+$") \\|\\| !Regex.IsMatch(pass, "^[a-zA-Z]+$"))`
			`{`
			`return BadRequest();`
			`}`

			`DirectoryEntry directory = new DirectoryEntry("LDAP://ou=system");`
			`DirectorySearcher search = new DirectorySearcher(directory);`

			`search.Filter = "(&(uid=" + user + ")(userPassword=" + pass + "))";`

			`return Json(search.FindOne() != null);`
			`}`
			`}`
			`----`
			`\|===`

			`=== How does this work?`

			`include::../../common/fix/validation.adoc[]`

			`In the compliant solution example, a validation mechanism is applied to untrusted input to ensure`
			`it is strictly composed of alphabetic characters.`