rspec/rules/S2078/java/how-to-fix-it/java-se.adoc

=== How to fix it in Java SE

The following non-compliant code is vulnerable to LDAP injections because untrusted data is
concatenated to an LDAP query without prior sanitization or validation.

[cols="a"]
|===
h| Non-compliant code example
|
[source,java]
----
public boolean authenticate(HttpServletRequest req, DirContext ctx) throws NamingException {

  String user = req.getParameter("user");
  String pass = req.getParameter("pass");

  String filter = "(&(uid=" + user + ")(userPassword=" + pass + "))";

  NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new SearchControls()); // Noncompliant
  return results.hasMore();
}
----
h| Compliant solution
|
[source,java]
----
public boolean authenticate(HttpServletRequest req, DirContext ctx) throws NamingException {
  String user = req.getParameter("user");
  String pass = req.getParameter("pass");

  String filter = "(&(uid={0})(userPassword={1}))";

  NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new String[]{user, pass}, new SearchControls());
  return results.hasMore();
}
----
|===

=== How does this work?

include::../../common/fix/validation.adoc[]

For Java, OWASP's functions
https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/Encoder.html#encodeForDN-java.lang.String-[`encodeForDN`]
and
https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/Encoder.html#encodeForLDAP-java.lang.String-[`encodeForLDAP`]
allow sanitizing these characters automatically.


In the compliant solution example, the `search` function allows to safely parameterize the query.
Modify S2078(multiple languages): Update to the education framework (APPSEC-115) (#1209) 2022-09-09 10:16:57 +02:00			`=== How to fix it in Java SE`

			`The following non-compliant code is vulnerable to LDAP injections because untrusted data is`
			`concatenated to an LDAP query without prior sanitization or validation.`

			`[cols="a"]`
			`\|===`
			`h\| Non-compliant code example`
			`\|`
			`[source,java]`
			`----`
			`public boolean authenticate(HttpServletRequest req, DirContext ctx) throws NamingException {`

			`String user = req.getParameter("user");`
			`String pass = req.getParameter("pass");`

			`String filter = "(&(uid=" + user + ")(userPassword=" + pass + "))";`

			`NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new SearchControls()); // Noncompliant`
			`return results.hasMore();`
			`}`
			`----`
			`h\| Compliant solution`
			`\|`
			`[source,java]`
			`----`
			`public boolean authenticate(HttpServletRequest req, DirContext ctx) throws NamingException {`
			`String user = req.getParameter("user");`
			`String pass = req.getParameter("pass");`

			`String filter = "(&(uid={0})(userPassword={1}))";`

			`NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new String[]{user, pass}, new SearchControls());`
			`return results.hasMore();`
			`}`
			`----`
			`\|===`

			`=== How does this work?`

			`include::../../common/fix/validation.adoc[]`

			`For Java, OWASP's functions`
			https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/Encoder.html#encodeForDN-java.lang.String-[`encodeForDN`]
			`and`
			https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/Encoder.html#encodeForLDAP-java.lang.String-[`encodeForLDAP`]
			`allow sanitizing these characters automatically.`


			In the compliant solution example, the `search` function allows to safely parameterize the query.