Modify rule S2078: Change text to the education framework format [Python][APPSEC-269] (#1393)
This commit is contained in:
parent
976fccee08
commit
042a03691e
@ -37,4 +37,5 @@
|
||||
* Python SQLite
|
||||
* PyYAML
|
||||
* SQLAlchemy
|
||||
* Amazon DynamoDB
|
||||
* Amazon DynamoDB
|
||||
* python-ldap
|
@ -1,26 +1,22 @@
|
||||
==== Validation
|
||||
|
||||
|
||||
As a rule of thumb, the best approach to protect against injections is to
|
||||
systematically ensure that untrusted data cannot break out of the initially
|
||||
intended logic.
|
||||
systematically ensure that untrusted data cannot break out of the initially intended logic.
|
||||
|
||||
For LDAP injections, the cleanest way to do so is to use parameterized queries
|
||||
if it is available for your use case. An alternative is to
|
||||
validate the input before using it in an LDAP query.
|
||||
For LDAP injection, the cleanest way to do so is to use parameterized queries
|
||||
if it is available for your use case.
|
||||
|
||||
Input validation should be primordially done using native library sanitizers.
|
||||
Alternatively, it can be implemented using an allow-list approach by creating a list of
|
||||
authorized and secure strings you want the application to
|
||||
use in a query. +
|
||||
If a user input does not match an entry in this list, it should be rejected
|
||||
Another approach is to sanitize the input before using it in an LDAP query.
|
||||
Input sanitization should be primarily done using native libraries.
|
||||
|
||||
Alternatively, validation can be implemented using an allowlist approach by
|
||||
creating a list of authorized and secure strings you want the application to use in a
|
||||
query. If a user input does not match an entry in this list, it should be rejected
|
||||
because it is considered unsafe.
|
||||
|
||||
*Important note*: The application must validate on the server side. Not on
|
||||
client-side front-ends.
|
||||
*Important note*: The application must sanitize and validate on the
|
||||
server-side. Not on client-side front-ends.
|
||||
|
||||
As a last resort, the most fundamental security mechanism is the restriction of
|
||||
LDAP metacharacters.
|
||||
The most fundamental security mechanism is the restriction of LDAP
|
||||
metacharacters.
|
||||
|
||||
For **Distinguished Names** (DN), special characters that need to be escaped
|
||||
include:
|
||||
|
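Review bot: the rewritten paragraphs use "sanitize" and "validate" for two different techniques without drawing the line between them; since the python-ldap how-to relies on escaping, state that sanitization means escaping LDAP metacharacters with the library's own functions while validation means rejecting input that is not on the allowlist, so that the "Important note" sentence "must sanitize and validate" reads as two distinct steps. Two smaller points: "parameterized queries if it is available" should be "if they are available", and "it should be rejected because it is considered unsafe" can drop the trailing clause, which only restates the rejection.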
53
rules/S2078/python/how-to-fix-it/python-ldap.adoc
Normal file
@ -0,0 +1,53 @@
|
||||
=== How to fix it in python-ldap
|
||||
|
||||
The following noncompliant code is vulnerable to LDAP injection because untrusted data is
|
||||
concatenated to an LDAP query without prior sanitization or validation.
|
||||
|
||||
==== Noncompliant code example
|
||||
|
||||
[source,python,diff-id=1,diff-type=noncompliant]
|
||||
----
|
||||
from flask import request
|
||||
import ldap
|
||||
|
||||
@app.route("/user")
|
||||
def user():
|
||||
username = request.args['username']
|
||||
|
||||
search_filter = "(&(objectClass=user)(uid="+username+"))"
|
||||
|
||||
ldap_connection = ldap.initialize("ldap://localhost:389")
|
||||
user = ldap_connection.search_s("dc=example,dc=org", ldap.SCOPE_SUBTREE, search_filter) # Noncompliant
|
||||
|
||||
return user[0]
|
||||
----
|
||||
|
||||
==== Compliant solution
|
||||
|
||||
[source,python,diff-id=1,diff-type=compliant]
|
||||
----
|
||||
from flask import request
|
||||
import ldap
|
||||
|
||||
@app.route("/user")
|
||||
def user():
|
||||
username = ldap.filter.escape_filter_chars(request.args['username'])
|
||||
|
||||
search_filter = "(&(objectClass=user)(uid="+username+"))"
|
||||
|
||||
ldap_connection = ldap.initialize("ldap://localhost:389")
|
||||
user = ldap_connection.search_s("dc=example,dc=org", ldap.SCOPE_SUBTREE, search_filter)
|
||||
|
||||
return user[0]
|
||||
----
|
||||
|
||||
=== How does this work?
|
||||
|
||||
include::../../common/fix/validation.adoc[]
|
||||
|
||||
For Python, the python-ldap library functions
|
||||
https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-filter.html[`escape_filter_chars`] and
|
||||
https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-dn.html?highlight=escape_dn#ldap.dn.escape_dn_chars[`escape_dn_chars`] allow sanitizing these characters.
|
||||
|
||||
In the compliant solution example, the `escape_filter_chars`
|
||||
is used to sanitize the search filter concatenated input.
|
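Review bot: both examples end with `return user[0]`, which raises IndexError when `search_s` returns an empty list (no entry with that uid), and Flask treats a returned tuple such as the `(dn, attrs)` entry as a (body, status) or (body, headers) pair; suggest guarding the empty result and returning the DN or attributes explicitly so readers do not copy the pattern into real code. The compliant example also calls `ldap.filter.escape_filter_chars` after only `import ldap`; adding `import ldap.filter` makes the submodule access explicit. In the closing paragraph, "the `escape_filter_chars` is used to sanitize the search filter concatenated input" reads better as "the `escape_filter_chars` function is used to sanitize the input before it is concatenated into the search filter".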
3
rules/S2078/python/metadata.json
Normal file
@ -0,0 +1,3 @@
|
||||
{
|
||||
|
||||
}
|
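Review bot: the new `metadata.json` is an empty object; confirm that the Python variant is meant to inherit every field from the parent `../metadata.json`, and if not, add the language-specific fields here so the rule is not published without them.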
31
rules/S2078/python/rule.adoc
Normal file
@ -0,0 +1,31 @@
|
||||
== Why is this an issue?
|
||||
|
||||
include::../rationale.adoc[]
|
||||
|
||||
include::../impact.adoc[]
|
||||
|
||||
== How to fix it?
|
||||
|
||||
include::how-to-fix-it/python-ldap.adoc[]
|
||||
|
||||
== Resources
|
||||
|
||||
include::../common/resources/standards.adoc[]
|
||||
|
||||
ifdef::env-github,rspecator-view[]
|
||||
|
||||
'''
|
||||
== Implementation Specification
|
||||
(visible only on this page)
|
||||
|
||||
include::../message.adoc[]
|
||||
|
||||
'''
|
||||
== Comments And Links
|
||||
(visible only on this page)
|
||||
|
||||
include::../comments-and-links.adoc[]
|
||||
endif::env-github,rspecator-view[]
|
||||
|
||||
|
||||
|